Terraform Destroy: Why, When, Where, and How to Use It

Written by Bits Lovers on

Terraform lets you manage cloud infrastructure through code instead of clicking around in web consoles. Define what you want, apply it, and Terraform figures out how to make it happen. But what happens when you no longer need those resources? That’s where terraform destroy comes in.

Why use the Terraform Destroy Command?

Left alone, cloud resources sit there racking up charges whether you use them or not. I’ve seen forgotten EC2 instances run up hundreds of dollars in monthly bills. The destroy command cleans up anything Terraform is managing so you don’t end up with zombie infrastructure eating your budget.

Beyond cost, there’s security. An unused RDS instance with a public endpoint is still a potential entry point. If you no longer need a resource, the safest move is usually to delete it, after taking whatever backup you still need: an RDS instance in particular refuses to go away until you either set skip_final_snapshot or give it a final_snapshot_identifier.

You might also need to run destroy after a failed deployment. If something breaks mid-apply, Terraform keeps the resources it had already created, and they are recorded in the state. Running destroy removes them so you can start fresh. The one exception is a resource the provider created but Terraform never managed to write to state (a crash at the wrong moment): destroy cannot see it, so import it with terraform import first or delete it by hand.

When to Use the Terraform Destroy Command?

I reach for destroy in a few situations:

After testing - Spin up resources for a proof-of-concept, verify it works, then tear it all down. Running test infrastructure in production AWS accounts is common, but forgetting to clean up is even more common.

Before recreating - Sometimes the easiest fix is to destroy and reapply. If your configuration has drifted from reality and reconciling is more trouble than it is worth, destroy and start over, provided the resources hold nothing you cannot recreate. For data that must survive, repair the state with terraform import or terraform state rm instead.

When decommissioning - Shutting down a service? Run destroy against your configuration to remove everything instead of manually deleting each resource.

After failed applies - When an apply fails partway through, the resources that were created are left in place, still tracked in state. terraform destroy removes them.

One warning: be careful with destroy in shared environments. If another team or another Terraform configuration depends on a resource your configuration manages (through terraform_remote_state, a data source, or simply by using it), destroy will happily delete it; nothing in the state records who else relies on it. Know what you’re targeting before you run it, and mark resources that must survive with lifecycle { prevent_destroy = true } so the plan fails instead of deleting them.

Where to Use the Terraform Destroy Command?

Anywhere you have Terraform installed and configured. The command runs from your local machine, a CI/CD pipeline, or a Terraform Cloud workspace - it doesn’t matter. Terraform reads the state (a local file or a remote backend), connects to your cloud provider to refresh it, and deletes the resources it finds there.

Make sure your credentials have permission to delete what you’re targeting. On AWS that means IAM permissions for the delete and terminate actions of each resource type involved (ec2:TerminateInstances, s3:DeleteBucket and so on) plus the read actions Terraform needs to refresh state. On Azure the identity needs a role, built-in Contributor or a custom one, whose actions include the resource providers’ delete operations (Microsoft.Compute/virtualMachines/delete, for example); Microsoft.Authorization permissions govern role assignments and locks, not resource deletion, so you only need Microsoft.Authorization/locks/delete when a CanNotDelete lock has to be removed first. On GCP you need roles that carry the relevant delete permissions, such as compute.instances.delete. Treat these as the most dangerous credentials in your pipeline: scope them to the resources the configuration manages, and don’t hand them to jobs that only need to run plan.

How to Use the Terraform Destroy Command?

The basic syntax:

terraform destroy

This deletes everything recorded in the state of the current workspace, which is normally everything your configuration manages. Terraform shows you a destroy plan first and asks you to type yes before proceeding. Always read that plan - the resource count and the addresses listed are your last check that you are not in the wrong workspace or pointed at production.

To target specific resources:

terraform destroy -target=aws_instance.web

Note: the -target flag is powerful but comes with caveats. Terraform warns against routine use: the targeted resource still exists in your configuration, so the next plain apply will want to recreate it, and any resources that depend on the target are destroyed along with it, so the plan can be larger than the one address you typed. It’s meant for recovery situations, not regular workflow. If you only want Terraform to stop managing a resource without deleting it, use terraform state rm instead.

For CI/CD pipelines where no one can type yes, use:

terraform destroy -auto-approve

This skips the confirmation prompt. I only recommend this in automation where you’ve already reviewed what will be destroyed. A safer equivalent is to save the plan first (terraform plan -destroy -out=destroy.tfplan), review or policy-check it, and then run terraform apply destroy.tfplan: applying a saved plan never prompts, and it can only execute the exact changes that were reviewed.
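The pipeline-safe form of the two commands above, as an added Python wrapper that is not part of the original article and not Terraform’s own tooling. It assumes the terraform binary is on PATH in an initialised working directory; PROTECTED_PATTERNS is a hypothetical guard list and SAMPLE_PLAN_JSON a constructed stand-in for the output of terraform show -json. The wrapper saves a destroy plan, reads it back as JSON, refuses to continue if any address the plan deletes matches a protected pattern, and only then applies the saved plan, which needs no -auto-approve.

```python
"""Guarded destroy for CI: save a destroy plan, inspect it, then apply only that plan.

Added example, not part of the original article. Assumes the terraform binary
is on PATH and the current directory is an initialised working directory.
PROTECTED_PATTERNS is hypothetical; SAMPLE_PLAN_JSON is constructed test input.
"""
from __future__ import annotations

import json
import re
import subprocess
import sys

PLAN_FILE = "destroy.tfplan"

# Hypothetical guard list: regular expressions matched against the resource
# addresses in the plan. A match aborts the run before anything is deleted.
PROTECTED_PATTERNS = [
    r"^aws_db_instance\.",   # databases are never destroyed from a pipeline
    r"^module\.prod_",       # anything inside a module whose name starts with prod_
    r"\.state_bucket$",      # the bucket holding remote state itself
]

# Constructed stand-in for `terraform show -json destroy.tfplan` output,
# trimmed to the fields this script reads.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web",
         "change": {"actions": ["delete"]}},
        {"address": "aws_db_instance.prod",
         "change": {"actions": ["delete"]}},
        {"address": "module.prod_network.aws_vpc.main",
         "change": {"actions": ["delete"]}},
    ],
})


def plan_command(plan_file: str = PLAN_FILE) -> list[str]:
    """argv for a saved destroy plan: no prompt, and nothing is deleted yet."""
    return ["terraform", "plan", "-destroy", "-input=false", f"-out={plan_file}"]


def destroyed_addresses(plan_json: str) -> list[str]:
    """Addresses of every resource the plan deletes.

    Each resource_changes entry carries change.actions, e.g. ["delete"].
    """
    plan = json.loads(plan_json)
    return [
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if "delete" in rc.get("change", {}).get("actions", [])
    ]


def find_protected(addresses: list[str],
                   patterns: list[str] = PROTECTED_PATTERNS) -> list[str]:
    """Subset of addresses that match a protected pattern (empty means safe)."""
    return [a for a in addresses if any(re.search(p, a) for p in patterns)]


def capture(cmd: list[str]) -> str:
    """Run a terraform command and return its stdout; a non-zero exit raises."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main() -> int:
    capture(plan_command())
    addresses = destroyed_addresses(capture(["terraform", "show", "-json", PLAN_FILE]))
    blocked = find_protected(addresses)
    if blocked:
        print("refusing to destroy protected resources:", file=sys.stderr)
        for addr in blocked:
            print(f"  {addr}", file=sys.stderr)
        return 1
    print(f"destroying {len(addresses)} resources:")
    for addr in addresses:
        print(f"  {addr}")
    # Applying a saved plan never prompts, so -auto-approve is not needed, and
    # only the plan that was just inspected can be executed.
    subprocess.run(["terraform", "apply", "-input=false", PLAN_FILE], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the destructive step of the pipeline after terraform init. Splitting plan and apply this way also means the job that runs plan can hold read-only credentials, and only the apply step needs the delete permissions discussed above.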

Other useful options:

  • -var-file - Pass a .tfvars file with variable values (use the same values the configuration was applied with, or the plan may not match)
  • -var - Set a variable directly on the command line (can be repeated)
  • -state - Use a different local state file path (legacy option; it has no effect with a remote backend)
  • -refresh=false - Skip updating state from the provider before planning (refresh is on by default)

Behind the Scenes

When you run destroy, Terraform works in stages:

  1. Reads state - Terraform looks at your state file to see what resources it’s managing
  2. Generates a plan - Compares desired state (empty, since you’re destroying) against actual state
  3. Shows you what will happen - You get a chance to review before confirming
  4. Executes - Deletes resources in the correct order (handling dependencies automatically)

The ordering matters. If resource B depends on resource A, Terraform deletes B first, then A, because most provider APIs refuse to delete a resource that something still uses (a VPC with subnets still in it, a security group still attached to an instance). Resources that don’t depend on each other are deleted concurrently, up to the -parallelism limit (10 by default).
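The ordering just described, together with what -target really removes (the caveat raised earlier in the -target note), as an added Python illustration that is not Terraform’s code. SAMPLE_DEPS is a constructed dependency graph: each key is a resource address and each value the list of resources it depends on, the direction Terraform infers from attribute references. destroy_waves groups resources into waves that can be deleted in parallel, starting with the ones nothing depends on, and targeted_destroy_set lists everything that a destroy -target of one address has to remove.

```python
"""Destroy ordering, and what -target really removes.

Added illustration, not Terraform's own code. SAMPLE_DEPS is a constructed
graph: each key is a resource address, each value the list of resources it
depends on (the direction Terraform infers from attribute references).
"""
from __future__ import annotations

from collections import defaultdict

SAMPLE_DEPS = {
    "aws_vpc.main": [],
    "aws_subnet.app": ["aws_vpc.main"],
    "aws_security_group.web": ["aws_vpc.main"],
    "aws_instance.web": ["aws_subnet.app", "aws_security_group.web"],
    "aws_eip.web": ["aws_instance.web"],
}


def dependents_of(deps: dict[str, list[str]]) -> dict[str, list[str]]:
    """Invert the graph: for each resource, the resources that depend on it."""
    inverted: dict[str, list[str]] = defaultdict(list)
    for addr, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{addr} depends on unknown resource {need}")
            inverted[need].append(addr)
    return inverted


def destroy_waves(deps: dict[str, list[str]]) -> list[list[str]]:
    """Group resources into waves that can be deleted in parallel.

    Wave 0 holds resources nothing depends on; each later wave holds resources
    whose dependents were all removed in earlier waves. That is the reverse of
    apply order. A dependency cycle raises ValueError.
    """
    inverted = dependents_of(deps)
    pending = {addr: len(inverted[addr]) for addr in deps}  # dependents still alive
    waves: list[list[str]] = []
    ready = sorted(a for a, n in pending.items() if n == 0)
    removed = 0
    while ready:
        waves.append(ready)
        removed += len(ready)
        next_ready = []
        for addr in ready:
            for need in deps[addr]:
                pending[need] -= 1
                if pending[need] == 0:
                    next_ready.append(need)
        ready = sorted(next_ready)
    if removed != len(deps):
        stuck = sorted(a for a, n in pending.items() if n > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return waves


def targeted_destroy_set(deps: dict[str, list[str]], target: str) -> list[str]:
    """What `terraform destroy -target=<target>` removes: the target plus
    everything that transitively depends on it, since those cannot outlive it."""
    if target not in deps:
        raise KeyError(f"unknown resource {target}")
    inverted = dependents_of(deps)
    seen: set[str] = set()
    stack = [target]
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        stack.extend(inverted[addr])
    return sorted(seen)


def order_is_valid(deps: dict[str, list[str]]) -> bool:
    """True when every resource can be placed in some wave (no cycle)."""
    try:
        destroy_waves(deps)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for i, wave in enumerate(destroy_waves(SAMPLE_DEPS)):
        print(f"wave {i}: {', '.join(wave)}")
    print("destroy -target=aws_subnet.app removes:",
          ", ".join(targeted_destroy_set(SAMPLE_DEPS, "aws_subnet.app")))
```

On the sample graph the waves come out as the EIP, then the instance, then the security group and subnet together, and finally the VPC; targeting the subnet alone still takes the instance and the EIP with it, which is why the plan for a -target run deserves the same scrutiny as a full destroy.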

Cloud providers vary in how long deletions take. Deleting an empty S3 bucket is almost instant, but a bucket that still holds objects fails to delete unless the aws_s3_bucket resource sets force_destroy = true. Terminating an EC2 instance takes a few minutes because the provider waits for the instance to reach the terminated state before dropping it from state.

Conclusion

terraform destroy is straightforward but powerful. Use it to clean up test environments, remove unused resources, and recover from failed deployments. The key is knowing what you’re destroying before you run it.

In automation nobody can answer the prompt, so you will rely on -auto-approve or on applying a saved plan, but build in safeguards: review the destroy plan in a separate CI step before the destructive run, protect resources that must survive with lifecycle { prevent_destroy = true }, and use Terraform Cloud’s run approvals or policy checks to require a human sign-off for destroy operations.

When done right, destroy is just as important as apply in your infrastructure lifecycle. Don’t forget about the cleanup phase.

Bits Lovers

Professional writer and blogger. Focus on Cloud Computing.