onelogin / terraform-provider-onelogin

GNU General Public License v3.0

Handle manual deletion of resources #59

Open mikkoc opened 3 years ago

mikkoc commented 3 years ago

Currently we find that Terraform plan breaks very very badly when a resource is deleted manually from OneLogin, i.e. an app or a role_attachment.

It would be nice if the provider could handle this: detect that a resource in the tfstate is not there anymore, and re-create it.

dcaponi commented 3 years ago

@mikkoc I'm actually not a seasoned terraform user myself, so I may be wrong, but does terraform handle this scenario with other providers? My understanding is that once you go in on terraform, it's not advised to manually manage resources outside of terraform.

I did however anticipate this being a thing, and I wrote up a CLI tool that might help.

If you install that, and run `onelogin terraform-import onelogin_apps`, that should bring your terraform plan back in line with what's actually in your onelogin account.

Please give it a try on a copy of your terraform plan first as the terraform import tool is somewhat experimental in nature.

mikkoc commented 3 years ago

Terraform definitely handles this scenario in any provider I've used before, including AWS, postgresql, Azure.

The idea behind Terraform is to always "converge" to the same state: i.e. 2 different Terraform runs from the same code should always bring the same final result.

I do agree that it's not ideal when manual drift happens, but it's a fairly common (unfortunately) scenario.

dcaponi commented 3 years ago

Ah ok I see. Rather than the remote (AWS, Azure, OneLogin) being the source of truth, you want .tfstate to be the source of truth and to recreate stuff if it was manually removed; and you're saying this is a pattern with other providers you used in the past.

Sound about right?

mikkoc commented 3 years ago

That is absolutely correct, yes. If Terraform detects that a resource is in the state file, but not present in the origin, it will try to re-create it (unless, obviously, the code that created that resource in the first place is also deleted).
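The behaviour discussed in this thread, as an added example that is not part of the original issue and is neither Terraform's nor the provider's code: a simplified model in which a read step that treats a missing remote object as a hard error stops the plan, while one that drops the object from state lets the plan re-create it. The names `Refresh`, `Plan`, `ErrNotFound` and all resource names and IDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNotFound stands in for the "404" a remote API returns for a deleted object.
var ErrNotFound = errors.New("not found")

// Refresh checks every state entry (name -> remote ID) against the remote.
// tolerant=false: a missing object aborts; tolerant=true: it is dropped from state.
func Refresh(state map[string]string, remote map[string]bool, tolerant bool) (map[string]string, error) {
	out := map[string]string{}
	for name, id := range state {
		if remote[id] {
			out[name] = id
		} else if !tolerant {
			return nil, fmt.Errorf("reading %s (id %s): %w", name, id, ErrNotFound)
		} // tolerant: forget the entry so the plan can decide what to do
	}
	return out, nil
}

// Plan compares the configuration (resource names) with the refreshed state.
func Plan(config []string, state map[string]string) []string {
	actions := []string{}
	inConfig := map[string]bool{}
	for _, name := range config {
		inConfig[name] = true
		if _, ok := state[name]; !ok {
			actions = append(actions, "create "+name)
		}
	}
	for name := range state {
		if !inConfig[name] {
			actions = append(actions, "destroy "+name)
		}
	}
	sort.Strings(actions)
	return actions
}

func main() {
	state := map[string]string{"app_a": "101", "role_b": "202"} // constructed sample state
	remote := map[string]bool{"101": true}                      // 202 was deleted by hand
	s, err := Refresh(state, remote, true)
	fmt.Println(Plan([]string{"app_a", "role_b"}, s), err)
}
```

A resource that is missing remotely and also removed from the configuration produces no action at all, which matches the exception noted in the last comment.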