a

    able-honey-93860

    8 months ago
    Anyone experience issues where pulumi destroy doesn't delete all resources? I'm using the okta provider and consistently resources are being left behind causing issues where I have to manually remove them from the okta console
    m

    miniature-musician-31262

    8 months ago
    I've never seen this myself, but I also haven't used the Okta provider. Have you seen it with others? Do the resource types left behind vary? Any details or patterns you can share?
    f

    fast-arm-63150

    8 months ago
    perhaps the resources are 'protected'?
    a

    able-honey-93860

    8 months ago
    I only use okta right now, I think it's due to Okta API rate limits. Not sure how to get around this, seems like all these actions in one swoop is triggering okta to throttle or limit further actions. None of the resources are protected and it is unique on which get deleted and which get left behind.
    So what I'm doing is pulling data from a csv and then looping through that csv and building a network zone, SignOn policy, and SignOn rule. I have stepped through the csv and removed a handful of the items then re-tan pulumi up to delete the items from okta so that it's happening in smaller batches rather than one big destroy. This still left resources behind while pulumi gives no errors.
    m

    miniature-musician-31262

    8 months ago
    Definitely curious. Are you using the Pulumi Service backend? Is it possible you’re running these “smaller batches” in parallel?
    a

    able-honey-93860

    8 months ago
    My backend is local, I've purged my stack files locally, recreated the projects, and manually cleaned up the resources in okta to start from a clean slate. Each smaller batch was ran independently one after another waiting for completion
    This okta provider seems broken, there are discrepancies in the documentation that I previously came across and now this destroy issue. I know it's not due to a rate limit because I brought down the csv to 5 lines and it's still failing to clean up all the resources. 5 network zones 5 SignOn policies 5 SignOn Rules More often than not it cleans up all the SignOn policies(there are some cases where it leaves one or two behind), but every single time it leaves behind some network zones- even tho it says it deletes everything in the console output! I continuously run it in smaller batches and it randomly mixes up what it leaves behind and what it actually deletes, but every single run outputs successfully….. I tried running verbose output and it all seems to look the same - by that I mean the resources that get deleted have the same log entries as the ones that don't. Which makes sense since the console output gives no error. I also reference the okta logs and see that it only deletes some resources and not others. Anyone have ideas on what best to do next to troubleshoot? I'd done multiple iterations of refresh, export/import, destroy, but no luck.
    I've make the SignOn policies and Rules depend on the zones and now it seems to be a bit more successful in smaller batches 5> but when running my normal run of ~50 it still fails to destroy everything. Rate limit is not being hit so still unsure what the underlying issue is since I have no errors to work off of. Any help is appreciated