# Teardown runbook: Wiki.js on EKS

Exact destroy order and data retention steps. See [setup](setup.md) and [prerequisites](prerequisites.md) for deploy and pre-deployment resources.

## How to destroy

You can run destroy in one of two ways:

### Option A - One by one

Run each destroy workflow in **reverse** order of setup: **tf-50-app-wikijs-destroy** → **tf-45-argocd-destroy** → … → **tf-00-bootstrap-destroy**. Each workflow requires: **env**, **region**, **confirmation string** (see below), and **deployment_account_role_arn**. The **01-dns-main** destroy workflow also requires **domain_account_role_arn** (same as for provision).

### Option B - All in one

Run **tf-all-destroy** once. Inputs: **env**, **region**, **confirm** = `DESTROY-ALL-<env>-<region>` (e.g. `DESTROY-ALL-dev-us-east-1`), **deployment_account_role_arn**, **domain_account_role_arn**. The workflow runs layers 50 → 45 → … → 00 internally with the correct per-layer confirmation strings; you do not type each layer's confirmation.

## Destroy order

Execute destroy workflows in this order (reverse of setup). This order is enforced automatically when using **tf-all-destroy**.

1. **50-app-wikijs** - Removes Route 53 A record (domain account, using **dns_assume_role_arn**), ArgoCD Application (so ArgoCD can prune Wiki.js resources), SecretProviderClass resources, and its Parameter Store prefix (`<prefix>/<region>/<env>/50-app-wikijs/`). Use `tf-50-app-wikijs-destroy.yaml`; confirmation pattern: `DESTROY-50-app-wikijs-<env>-<region>` (e.g. `DESTROY-50-app-wikijs-sandbox-us-east-1`). Layer 50 retrieves `dns_role_arn` from Parameter Store (01-dns-main) during destroy; no workflow input required.
2. **45-argocd** (removes the Argo CD Helm release, the optional SecretProviderClass, the optional Route 53 A record for `argocd_server_fqdn` when it was set, the Argo CD admin credentials Secrets Manager secret when it was auto-created, and its Parameter Store prefix under `<prefix>/<region>/<env>/45-argocd/`)
3. **40-platform** (removes EKS add-ons, Helm releases, namespaces, and its Parameter Store prefix under `<prefix>/<region>/<env>/40-platform/`)
4. **35-storage-s3-assets** (removes S3 bucket, IRSA role, KMS key, and its Parameter Store prefix under `<prefix>/<region>/<env>/35-storage-s3-assets/` on destroy)
5. **30-data-rds** (RDS PostgreSQL; disable deletion protection before destroy when enabled)
6. **20-eks** (ensure cluster is empty of workloads and add-ons; layers 50, 45, 40 must be destroyed first)
7. **10-network** (VPC, subnets, SGs, VPC endpoints; removes its Parameter Store prefix under `<prefix>/<region>/<env>/10-network/` on destroy)
8. **01-dns-main** (removes **dns_assume_role_arn** and its Parameter Store prefix under `<prefix>/<region>/<env>/01-dns-main/`; layer 50 must be destroyed first so it can remove the Route 53 record using the DNS role; layer 50 reads `dns_role_arn` from Parameter Store during destroy)
9. **00-bootstrap** (last)

## Destroy confirmation

Each per-layer destroy workflow is triggered via `workflow_dispatch` with **Select Environment** and **Select AWS Region** (choice inputs; region is shown as e.g. `eu-west-1: Ireland`). It also requires a typed confirmation input:

- **Per-layer pattern:** `DESTROY-<layer>-<env>-<region>`
- **Examples:** `DESTROY-50-app-wikijs-dev-eu-west-1`, `DESTROY-00-bootstrap-dev-eu-west-1`
- For **tf-all-destroy**, type **once:** `DESTROY-ALL-<env>-<region>` (e.g. `DESTROY-ALL-dev-us-east-1`); the workflow fills per-layer confirmations internally.

**Reminder:** Use the region **code** (e.g. `us-east-1`, `eu-west-1`), not the display name (e.g. "N. Virginia").

The workflow fails unless the confirmation string matches exactly.

Ensure GitHub Environment `tf-<env>-<layer>` (e.g. `tf-dev-50-app-wikijs`, `tf-dev-45-argocd`) exists if using required reviewers to gate destroy.
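
The confirmation rules above, written out as a local pre-check. This is an added example, not the repository's workflow code; the function names and the region-code shape check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: typed-confirmation guard following the runbook's patterns.
# Layers in destroy order, as listed under "Destroy order".
DESTROY_LAYERS="50-app-wikijs 45-argocd 40-platform 35-storage-s3-assets 30-data-rds 20-eks 10-network 01-dns-main 00-bootstrap"

# Accept region codes (us-east-1, eu-west-1), reject display names and
# choice labels such as "eu-west-1: Ireland". Shape check only (assumption).
is_region_code() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'
}

# Exact expected string for one layer: DESTROY-<layer>-<env>-<region>
expected_confirmation() {  # args: layer env region
  printf 'DESTROY-%s-%s-%s\n' "$1" "$2" "$3"
}

# Case-sensitive, whole-string comparison; no trimming, no prefix match.
check_confirmation() {  # args: typed layer env region
  is_region_code "$4" || { echo "region must be a code, e.g. us-east-1" >&2; return 1; }
  [ "$1" = "$(expected_confirmation "$2" "$3" "$4")" ]
}

# Validate DESTROY-ALL-<env>-<region> once, then print the per-layer
# confirmations in destroy order (50 first, 00 last).
expand_destroy_all() {  # args: typed env region
  check_confirmation "$1" ALL "$2" "$3" || return 1
  for layer in $DESTROY_LAYERS; do
    expected_confirmation "$layer" "$2" "$3"
  done
}
```
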

## RDS deletion protection

RDS has **deletion protection enabled by default** (see [terraform/30-data-rds](../../terraform/30-data-rds)). Destroy will fail until protection is disabled. A two-step teardown is required.

### Step 1: Disable deletion protection

**Option A - Terraform:** Set `deletion_protection = false` in `terraform/30-data-rds/terraform.tfvars` (or pass it via `ci.auto.tfvars.json` in CI). Run **tf-30-data-rds-provision** (apply) once so the change is applied; then run **tf-30-data-rds-destroy**.

**Option B - AWS CLI:** Disable protection on the instance, then run the destroy workflow:

```bash
# Get the RDS instance identifier from Parameter Store or the AWS Console (e.g. wikijs-us-east-1-rds-dev)
aws rds modify-db-instance \
  --db-instance-identifier "<instance-identifier>" \
  --no-deletion-protection \
  --apply-immediately
```

Wait for the modification to complete, then run **tf-30-data-rds-destroy**.
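
One way to confirm the modification has landed before triggering the destroy, as an added example that is not part of the project's tooling. The function names are hypothetical; the instance identifier is supplied by the caller.

```shell
#!/bin/sh
# Added example: gate the RDS destroy on deletion protection actually being off.

# Prints "true" or "false" for the instance's DeletionProtection attribute.
rds_deletion_protection() {
  aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].DeletionProtection' \
    --output text | tr '[:upper:]' '[:lower:]'
}

# Returns 0 only when the instance is available again and protection is disabled.
rds_ready_for_destroy() {
  instance_id="$1"
  [ -n "$instance_id" ] || { echo "usage: rds_ready_for_destroy <instance-identifier>" >&2; return 2; }
  # Block until the instance has left the "modifying" state.
  aws rds wait db-instance-available --db-instance-identifier "$instance_id" || return 1
  state="$(rds_deletion_protection "$instance_id")"
  if [ "$state" = "false" ]; then
    echo "deletion protection is off for $instance_id; tf-30-data-rds-destroy can run"
    return 0
  fi
  echo "deletion protection is still '$state' for $instance_id; do not run destroy yet" >&2
  return 1
}
```

Call `rds_ready_for_destroy "<instance-identifier>"` with the same identifier used in the `modify-db-instance` command; a non-zero exit means the destroy workflow would still fail on deletion protection.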

### Step 2: Run the 30-data-rds destroy workflow

After deletion protection is disabled, run **tf-30-data-rds-destroy** (one by one, Option A under "How to destroy") or **tf-all-destroy** (all in one, Option B under "How to destroy").

## Data retention

- The state bucket and Parameter Store prefix are removed when **00-bootstrap** is destroyed.
- Ensure no other projects or layers depend on the same state bucket or Parameter Store prefix before destroying bootstrap.

## Troubleshooting

- If a destroy fails (e.g. dependency, deletion protection, or resource in use), fix the cause and re-run that layer's destroy; then continue in order.
- For **01-dns-main** destroy: ensure **50-app-wikijs** has already been destroyed so that the Route 53 record has been removed; otherwise the DNS role may still be in use or the layer may fail to clean up.
