Reputation: 589
I have a Resource Group where many of the resources are managed via terraform. However, in recent days, I have noticed there are some resources created manually by the users. Is there an easy way to figure out or make a list of resources that are not managed via terraform?
Upvotes: 2
Views: 2999
Reputation: 74694
Terraform only tracks the objects that are connected to Terraform resources, so I think you would need to approach this analysis by asking the following questions:
The main challenge here is that set of resources A is expressed only in Azure's terms and set of resources B is expressed in Terraform's terms, so it will likely take some custom analysis to get them both converted into a form where it's possible to decide question 3 above.
Fortunately, the `hashicorp/azurerm` provider is pretty consistent in putting the fully-qualified Azure resource ID in the `id` field of most resource types, and so if you use `terraform show -json` to get a JSON representation of what's saved in the state, and then use some scripting of your own to extract just the `id` attribute from any resource whose type name starts with `azurerm_`, that should hopefully give you a reasonable answer for set of resources B as a set of resource IDs.
Then you can hopefully use the Azure API to retrieve all of the objects belonging to your resource group and take the `id` of each result to get set of resources A.
There is no ready-to-run answer to this, because Terraform is intentionally designed not to interact with objects it isn't managing unless explicitly asked to using `terraform import`, but hopefully the above is enough building blocks to construct a solution which is sufficient for your needs.
Upvotes: 2
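The comparison described in the answer above, as an added example that is not part of the original answer: it computes set A minus set B from the parsed output of `terraform show -json` and a JSON list of Azure resources (for instance from `az resource list --resource-group <name> --output json`, which is an assumption about how set A is fetched). The function names and sample data are constructed; skipping data sources, walking child modules and comparing IDs case-insensitively are choices made for this example.

```python
def terraform_ids(state):
    """Set B: lower-cased id of every managed azurerm_* resource in the state."""
    ids = set()
    modules = [state.get("values", {}).get("root_module", {})]
    while modules:
        module = modules.pop()
        modules.extend(module.get("child_modules", []))  # resources declared inside modules
        for res in module.get("resources", []):
            # Data sources (mode "data") only read an object; Terraform does not manage it.
            if res.get("mode") != "managed" or not res.get("type", "").startswith("azurerm_"):
                continue
            rid = (res.get("values") or {}).get("id")
            if rid:
                ids.add(rid.lower())  # compare Azure resource IDs case-insensitively
    return ids


def unmanaged(azure_resources, state):
    """Set A minus set B: IDs Azure reports that the Terraform state does not track."""
    managed = terraform_ids(state)
    return sorted(r["id"] for r in azure_resources if r["id"].lower() not in managed)


# Constructed sample data (not from a real subscription).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"mode": "managed", "type": "azurerm_storage_account",
         "values": {"id": RG + "/providers/Microsoft.Storage/storageAccounts/examplesa"}},
        {"mode": "data", "type": "azurerm_key_vault",
         "values": {"id": RG + "/providers/Microsoft.KeyVault/vaults/manualkv"}},
    ],
    "child_modules": [{"address": "module.network", "resources": [
        {"mode": "managed", "type": "azurerm_virtual_network",
         "values": {"id": RG.lower() + "/providers/Microsoft.Network/virtualNetworks/vnet1"}},
    ]}],
}}}
SAMPLE_AZURE = [
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/examplesa"},
    {"id": RG + "/providers/Microsoft.Network/virtualNetworks/vnet1"},
    {"id": RG + "/providers/Microsoft.KeyVault/vaults/manualkv"},
    {"id": RG + "/providers/Microsoft.Network/publicIPAddresses/manual-ip"},
]

if __name__ == "__main__":
    for rid in unmanaged(SAMPLE_AZURE, SAMPLE_STATE):
        print(rid)
```

With the sample data, the key vault is reported even though the state mentions it, because it appears there only as a data source, and the virtual network is matched despite the differing case in its ID.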