Terraform taint and untaint explained with example programs and tutorials

What is the meaning of taint?

a trace of a bad or undesirable substance or quality.

What is tainted?

spoiled; damaged in quality, taste, or value.

What is Terraform taint?

The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply.

Use cases of Terraform taint

  • It can be used for something like re-creating an EC2 instance if someone logged in and made manual changes to it.
  • Use taint mostly to force rolling deploys of ASGs for web services when Terraform wouldn’t normally require it.
  • It can be used to force a rebuild of certain resources without doing a full destroy, though usually only during the development phase. A full build might take 20-30 mins when you only want to test a single update.

Behaviours of terraform taint

  • This command will not modify infrastructure, but does modify the state file in order to mark a resource as tainted.
  • Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated and the next apply will implement this change.
  • Forcing the recreation of a resource is useful when you want a certain side effect of recreation that is not visible in the attributes of a resource. For example: re-running provisioners will cause the node to be different or rebooting the machine from a base image will cause new startup scripts to run.

Failed Provisioners and Tainted Resources

  • If a resource successfully creates but fails during provisioning, Terraform will error and mark the resource as “tainted”. A resource that is tainted has been physically created, but can’t be considered safe to use since provisioning failed.
  • When you generate your next execution plan, Terraform will not attempt to restart provisioning on the same resource because it isn’t guaranteed to be safe. Instead, Terraform will remove any tainted resources and create new resources, attempting to provision them again after creation.
  • Terraform also does not automatically roll back and destroy the resource during the apply when the failure happens, because that would go against the execution plan: the execution plan would’ve said a resource will be created, but does not say it will ever be deleted. If you create an execution plan with a tainted resource, however, the plan will clearly state that the resource will be destroyed because it is tainted.

Manually Tainting Resources

In cases where you want to manually destroy and recreate a resource, Terraform has a built-in taint function in the CLI. This command will not modify infrastructure, but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated, and the next apply will implement this change.
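The state-file change described above, as an added example that is not part of the original post or of Terraform itself: a small Python script that reads a constructed version-4 state (assuming the `"status": "tainted"` instance marker and the `serial` counter of that format), lists what the next apply will destroy and recreate, and mimics the edit that `terraform taint` and `terraform untaint` make.

```python
# Constructed sample of a Terraform state file (state format 4) right after
# `terraform taint aws_instance.web`; ids and lineage are made up.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "1.5.0", "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000", "outputs": {},
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
         "instances": [{"schema_version": 1, "status": "tainted",
                        "attributes": {"id": "i-0123456789abcdef0"}}]},
        {"mode": "managed", "type": "aws_instance", "name": "worker",
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
         "instances": [{"schema_version": 1, "index_key": 0,
                        "attributes": {"id": "i-0fedcba9876543210"}},
                       {"schema_version": 1, "index_key": 1,
                        "attributes": {"id": "i-00000000000000001"}}]},
    ],
}

def address(resource, instance):
    """Address Terraform prints for one instance, e.g. aws_instance.worker[1]."""
    addr = f"{resource['type']}.{resource['name']}"
    if resource.get("module"):           # resources inside modules keep the prefix
        addr = f"{resource['module']}.{addr}"
    key = instance.get("index_key")      # present for count / for_each instances
    if isinstance(key, int):
        addr += f"[{key}]"
    elif isinstance(key, str):
        addr += f'["{key}"]'
    return addr

def tainted_addresses(state):
    """Everything the next `terraform apply` will destroy and recreate.
    Review this before applying so a replacement never comes as a surprise."""
    return [address(r, i) for r in state["resources"]
            for i in r["instances"] if i.get("status") == "tainted"]

def set_taint(state, addr, tainted=True):
    """The edit `terraform taint` / `terraform untaint` write to state: flip the
    instance status and bump the serial. Shown only to explain the mechanism;
    on real state use the CLI (taint is deprecated since Terraform 0.15.2 in
    favour of `terraform apply -replace=ADDR`), never hand-edit the file."""
    for resource in state["resources"]:
        for instance in resource["instances"]:
            if address(resource, instance) == addr:
                if tainted:
                    instance["status"] = "tainted"
                else:
                    instance.pop("status", None)
                state["serial"] += 1
                return True
    return False  # unknown address: state left untouched
```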

To taint a resource, use the following command:

Rajesh Kumar