Terraform does not destroy Edge Hostnames

[fkieling]

Hi there,

Terraform Version

Terraform v1.5.7
on darwin_arm64

• provider registry.terraform.io/akamai/akamai v5.4.0

Affected Resource(s)

• akamai_edge_hostname

Terraform Configuration Files

resource "akamai_edge_hostname" "akamaitest-edgekey-net" {
  product_id    = "prd_Fresca"
  contract_id   = data.akamai_contract.contract.id
  group_id      = data.akamai_group.group.id
  ip_behavior   = "IPV4"
  edge_hostname = local.edge_hostname
  certificate   = local.certificate_id
}

Problem

Terraform doesn't destroy the Edge Hostname when running 'terraform destroy'.

Expected Behavior

When I run terraform destroy it will destroy the local terraform resource and the Edge Hostname in Akamai.

Actual Behavior

If I run 'terraform destroy' it will destroy the local terraform resource but not the Akamai Edge Hostname.

Steps to Reproduce

1. Create a akamai_edge_hostname with the code above (terraform apply).
2. Check the Edge Hostnames in the Akamai Control Center (Edge Hostname was created successfully).
3. Run terraform destroy

data.akamai_group.group: Reading...
data.akamai_group.group: Read complete after 2s [id=grp_XXXX]
data.akamai_contract.contract: Reading...
data.akamai_contract.contract: Read complete after 0s [id=ctr_XXXX]
akamai_edge_hostname.akamaitest-edgekey-net: Refreshing state... [id=ehn_XXXX]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # akamai_edge_hostname.akamaitest-edgekey-net will be destroyed
  - resource "akamai_edge_hostname" "akamaitest-edgekey-net" {
      - certificate   = XXXX -> null
      - contract_id   = "ctr_XXXX" -> null
      - edge_hostname = "XXXX.edgekey.net" -> null
      - group_id      = "grp_XXXX" -> null
      - id            = "ehn_XXXX" -> null
      - ip_behavior   = "IPV4" -> null
      - product_id    = "prd_Fresca" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

akamai_edge_hostname.akamaitest-edgekey-net: Destroying... [id=ehn_akamaitest]
akamai_edge_hostname.akamaitest-edgekey-net: Destruction complete after 0s

Destroy complete! Resources: 1 destroyed.

4. Check the Edge Hostnames in the Akamai Control Center (Edge Hostname still exists!).

[lkowalsk-akamai-com]

Thank you for letting us know you've got interest in this functionality. We've looked into this in the past, but because of the risk potential, we erred on the side of safety. However, your request does resurface its need, so we'll revisit its potential and get back to you when we know more.

[david-raine]

In enhanced TLS, the edgehostname "certificate" field must point to a certificate enrollment id. Is that a dependency for deletion?

[RemcoAA]

We are running into the same issue and is mainly causing issue with testing our automation flows. Since we cannot redeploy a configuration because of the already existing edge-hostname.

But also for PRD deployments I can already see there are edge-hostname left which should have been deleted.

It would really help us this destroy feature is working as expected.

[RemcoAA]

Can this issue be changed to a bug instead on an enhancement request, since the behavior is not matching with the output?

[lkowalsk-akamai-com]

Just to let you know, we are considering adding this functionality. We need to do it in a way, that would be safe to our users not to harm themselves by accident. I cannot confirm any dates yet, but topic is high on the list of pottential new features.

[eddgrant]

Glad to hear this is getting some attention.

We need to do it in a way, that would be safe to our users not to harm themselves by accident.

Isn't this the case for pretty much any resource managed by Terraform? As a Terraform user I expect that if I ask Terraform to destroy a resource, it will do exactly that: delete the resource, utilising the dependency graph to determine ordering and respecting any usage of resource lifecycle flags, such as prevent_destroy.

When providers, such as Akamai, decide to opt out of this well understood behaviour it makes their products and services very difficult to manage using Terraform. Furthermore, not documenting the behaviour anywhere makes debugging frustrating and time consuming for users.