Terraform Destroy is a powerful command when it comes to infrastructure as code. One Wrong Move and you could accidentally erase the whole production environment.
It’s extremely important to use Terraform destroy safely and prevent irreversible damage or panic for your team.
This guide walks you through everything, what the command is, and how it works, and prepares your infrastructure, to best practices and best recovery options.
Let’s Learn Along!
Quick Definition Of Terraform Destroy
Terraform Destroy command tears down every resource defined in your .tf file. And that includes your compute instances, databases and load balancers – basically everything.
This command is used to delete the infrastructure set up with Terraform Infrastructure-as-Code (IaC). When you run terraform destroy, Terraform checks the state file to find and remove the managed infrastructure from your cloud platform (like AWS, Azure, GCP, etc.).
Get exclusive access to all things tech-savvy, and be the first to receive
the latest updates directly in your inbox.
While the other Terraform commands (terraform init, terraform plan, terraform apply) help create new infrastructure, terraform destroy is specifically for deleting all or selected infrastructure defined in your Terraform IaC.
Unlike terraform apply, which updates resources to match the desired state, terraform destroy ensures that all or some of the resources managed by Terraform are removed.
Now, in a production setting, you usually don’t want to delete long-lasting objects, but Terraform can be convenient for managing temporary infrastructure during development. When you’re done, just run terraform destroy to easily wipe out all those temporary resources.
Why Terraform Destroy Can Be Dangerous (But Necessary)
The command terraform destroy is rarely used when managing long-term infrastructure with Terraform, as changes are usually applied directly instead of starting from scratch.
However, there are other scenarios for using Terraform. Some people create temporary infrastructure for specific tasks.
For instance, a developer working with AWS Lambda, DynamoDB, and SQS might set up temporary DynamoDB and SQS resources for development, using terraform destroy when they finish their work. Another case is testing reusable modules by adding a test configuration, allowing developers to use terraform apply and terraform destroy as needed during module testing.
But if you’re not careful, you might:
- Delete shared production infrastructure
- Lose critical data without backups
- Break dependencies across modules.
What Terraform Destroy Does
Here’s what happens behind the scenes!
- Effectively deletes by analyzing resource linkages intelligently.
- Lowers expenses by getting rid of “ghost” resources.
- Through the process of automatically removing resources following testing or deployments, it increases productivity and organization.
- Automates the procedure according to a specified setup, lowering the possibility of human error.
Pre-Destroy Checklist: What to Do Before Running the Command
Before using the Terraform Destroy command, consider these prerequisites to avoid unnecessary issues:
- Make sure your state is up-to-date.
- Backup your .tfstate and .tfvars files.
- Inform your team via Slack or ticketing tools.
- Run terraform plan -destroy to see changes.
- Look for prevent_destroy = true in important resources.
Here’s how to Backup Terraform state file:
$ cp terraform.tfstate terraform.tfstate.backupInitialize The Terraform Directory
:<code>$ terraform init</code>This command initializes the Terraform working directory, ensuring all necessary plugins are downloaded and configured correctly.
Run the terraform apply command to create the resources
terraform apply
When you run terraform apply, a terraform plan is created automatically with a prompt at the end to approve the plan and apply the configuration changes
Review Terraform plan:
$ terraform planExecute the terraform plan command to view the execution plan and determine which resources will be created and how they will be configured. This shows what will be destroyed without making any changes.
It’s Optional, but I recommend:
- Use Terraform workspaces to separate environments.
- Tag resources for easier rollback through the console.
How to Use Terraform Destroy (Step-by-Step)
Ok, Now comes the main part and the reason why you’re here, to learn how to use a Terraform Destroy command? Let’s break it down for you in the easiest steps:
1. Here’s the basic command:
terraform destroyAfter executing terraform destroy, we see that our state updates and Terraform lists the resources set for deletion from our cloud environment.
Terraform destroy -auto-approve
terraform destroy -auto-approveThe -auto-approve flag always skips the interactive approval for confirming the changes for your infrastructure. In the case of terraform destroy, it overlooks the approval step, and Terraform proceeds to destroy your infrastructure.
In automated environments such as CI/CD pipelines, where human interaction is not possible, the -auto-approve flag ensures that the destroy operation can proceed without manual intervention.
Similar to Terraform apply, we need to confirm these changes to our infrastructure by typing ‘yes’ to proceed with the destruction of the resources.
Once the resources are removed, Terraform modifies our state file (terraform.tfstate) to show that these resources have been deleted.
Terraform Destroy Specific Resource
To delete a specific EC2 instance (demo_vm_1), use the –target option with the destroy command, providing the resource path to identify it, like this:
terraform destroy --target aws_instance.demo_vm_1. Terraform checks the state and confirms its existence in the AWS EC2 console before deleting the specified instance.
Terraform destroy -refresh=false
The -refresh option in the terraform destroy command lets you decide if Terraform should update the state before it does the destroy action.
For example, if you’re dealing with a big setup, using -refresh=false can save time since Terraform checks the status of every resource in the cloud.
This option skips the state file update and makes the destroy process quicker.
Terraform destroy -refresh=falseTerraform destroy -lock and -lock-timeout
The terraform destroy -lock option helps manage Terraform’s state-locking during the destroy process.
Using -lock=true is handy when you’re in a team setting and multiple operations might be happening on the same state at the same time.
This way, it makes sure that nothing else messes with the destroy process, keeping everything consistent and avoiding any conflicts.
The -lock-timeout option lets you set how long to wait for a state lock. For instance, terraform destroy -lock-timeout=20s will lock the state file for 20 seconds.
Note: The -destroy option to terraform apply exists only in Terraform v0.15.2 and later. For earlier versions, you must use terraform destroy to get the effect of terraform apply -destroy.
Best Practices to Safely Use Terraform Destroy
- Terraform respects resource dependencies while destroying, making an effort to eliminate dependent resources first; failures to destroy can result from dependencies.
- Verify that Terraform configurations accurately reflect resource dependencies, and when needed, make use of the depends_on meta-argument.
- Resource deletion may be impeded by permission errors; look for particular error messages in Terraform logs and confirm that the delete operation has the necessary rights.
- Errors may result from corrupted or missing state files; if necessary, restore from a backup and employ state locking techniques to recover.
- Run terraform refresh to keep up with manual infrastructure changes, and use the -target option with terraform destroy for increased control over resource eradication.
Conclusion: Master Terraform Destroy Without Regrets
Terraform Destroy command is extremely powerful, but only if used responsibly. This guide explains everything in detail and how to use it with multiple examples and commands. Just follow the checklist and you’ll be able to reset, clean up unused infrastructure, or test disaster recovery.
Although it’s not required, it’s a good idea to run terraform plan before destroy. This command shows what Terraform will do during the destroy process. Checking the plan helps ensure that Terraform recognizes the right resources to delete and helps spot any problems before the deletion happens.
Tip: NEVER DESTROY PRODUCTION UNLESS YOU’RE 100% SURE!
If you’re looking to learn more, about Terraform, Do Check out some of our latest blogs!
FAQ’s
1. Will it wipe out remote backends?
Nope, but it will get rid of the resources listed in the state file.
2. Can I skip certain modules?
Just use -target to only destroy specific resources.
3. What if it messes up halfway?
Some resources might still be around. You can run the destroy command again or clean things up yourself.
4. Is there a way to reverse it?
Not really! your best chance is to rebuild using backups or Git.
5. How does “terraform apply” differ from “terraform destroy”?
While Terraform destroy removes everything specified in your configuration files, Terraform apply creates or modifies infrastructure to meet your configuration.
6. How can I test Terraform Destroy securely before executing it?
To see what will be erased without actually carrying out the destroy procedure, use Terraform plan -destroy.
