Triggering local-exec Provisioners During terragrunt destroy

[Saibhargav2118]

Hello Terragrunt team,

I'm currently using Terragrunt to manage my infrastructure with Terraform, and I have encountered a challenge that I hope to get some clarity on. I am trying to trigger a local-exec provisioner (or any cleanup process) during the terragrunt destroy phase, similar to how provisioners work during terraform apply.

However, based on my testing and documentation review, it seems that provisioners, particularly local-exec, are not triggered during the destroy phase with Terragrunt. This limitation makes it difficult for me to run cleanup tasks, such as logging or removing certain temporary files, when the resources are being destroyed.

Here are a few things I’ve tried:

Using the when = destroy option within a local-exec provisioner.
Utilizing null_resource with lifecycle and triggers to force execution during destroy.
Running terraform destroy manually with an external script to handle post-destroy actions.
While some of these methods have worked in isolated Terraform configurations, they don't seem to trigger properly with Terragrunt, or they don’t address my full use case.

My question is:
Is there a recommended way to trigger a local-exec or any cleanup provisioner during the terragrunt destroy operation? Or, alternatively, is there a way to reliably trigger post-destroy actions in a Terragrunt-managed environment?

Any insights or workarounds would be greatly appreciated!

Thank you!

[yhakbar]

Hey @Saibhargav2118 ,

Nothing Terragrunt does interacts with how OpenTofu/Terraform run their providers. If you configure OpenTofu/Terraform to use any of those features, they should do the same thing when being called by Terragrunt.

That being said, if you're encountering a bug, I would need logs and a fixture (some code that I can run) to reproduce your issue. In general, if Terragrunt maintainers can't reproduce an issue you're facing our odds of resolving them are much lower.

As a matter of general practice, most Terragrunt users don't have to rely on local-exec or anything to do logic outside of the normal lifecycle of resources. Most use the hooks feature to get similar results.

If you haven't had a chance, I recommend reading through the Getting Started guide.

[Saibhargav2118]

@yhakbar Here is the code that I want to execute ECS command during terragrunt destroy.

resource "null_resource" "ontap_unpeer" {
provisioner "local-exec" {
when = destroy # Trigger only during destroy phase
command = <<EOT
aws ecs run-task --cluster ${var.ecs_cluster_arn}
--launch-type FARGATE
--task-definition ${local.task_definition_arn}
--network-configuration "awsvpcConfiguration={subnets=[${join(",", var.private_subnet_ids)}],securityGroups=[${join(",", var.ecs_service_security_group_ids)}],assignPublicIp=DISABLED}"
EOT
}

lifecycle {
ignore_changes = [triggers]
}

triggers = {
task_definition_arn = local.task_definition_arn
cluster_arn = var.ecs_cluster_arn
peer_flags = local.peer_flags
fsx_mgmt_ips = local.fsx_mgmt_ips
fsx_intercluster_ips = local.fsx_intercluster_ips
customer_fsxids = local.customer_fsxids
customer_vserver_names = local.customer_vserver_names
}

depends_on = [module.ontap-cluster-peering]
}

[yhakbar]

@Saibhargav2118 did you get a chance to read these docs?
https://terragrunt.gruntwork.io/docs/features/hooks/