Planning a terraform destroy

The terraform destroy command implicitly performs a plan before applying the changes (like terraform apply). However, unlike the apply command, it does not accept a plan as a parameter, which would allow the plan and apply phases to be separated.

This separation can be useful, for example by allowing a manual intervention step to review the changes, or in scenarios where the information to create a plan for destruction might not be available when the destroy needs to happen.

A workaround is to use a combination of the plan and apply commands. The plan command has a -destroy flag that can be used to generate the destroy plan, which the apply command will happily accept.

For example, with the following simple Terraform configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.56.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "this" {
  name     = "my-rg"
  location = "West Europe"
}

And the following commands:

# Create the infrastructure
terraform init
terraform apply -auto-approve

# Plan the destruction
terraform plan -destroy -out destroyplan

# Destroy (note that approval doesn't happen when a plan is specified)
terraform apply destroyplan

If you are going to store the destroy plan for a later date, be mindful that it may contain sensitive values. There is also a risk that the plan might not succeed if the infrastructure has changed since the plan was created.
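
The review step between plan and apply can be partly automated by checking the saved plan before anyone approves it. The following is an added example, not part of the original post: it assumes the plan has been rendered with terraform show -json destroyplan, the function name review_destroy_plan is hypothetical, and the sample JSON is constructed.

```python
import json

# Constructed sample of `terraform show -json destroyplan` output, trimmed to
# the fields used below (resource_changes[].address and .change.actions).
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "azurerm_resource_group.this",
     "type": "azurerm_resource_group",
     "change": {"actions": ["delete"]}}
  ]
}
"""

def review_destroy_plan(plan_json, expected_addresses):
    """Return (to_delete, problems) for a plan rendered as JSON.

    problems lists what a reviewer should stop on: actions other than a
    plain delete, deletions outside the expected set, and expected
    resources the plan does not cover (a sign the state has moved on).
    """
    plan = json.loads(plan_json)
    to_delete, problems = [], []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue  # nothing is changed for this entry
        if actions != ["delete"]:
            # e.g. ["delete", "create"] is a replacement, not a destroy
            problems.append(f"{rc['address']}: unexpected actions {actions}")
            continue
        to_delete.append(rc["address"])
        if rc["address"] not in expected_addresses:
            problems.append(f"{rc['address']}: not in the expected set")
    for addr in sorted(set(expected_addresses) - set(to_delete)):
        problems.append(f"{addr}: expected but not in the plan")
    return to_delete, problems

if __name__ == "__main__":
    deleted, issues = review_destroy_plan(
        SAMPLE_PLAN_JSON, {"azurerm_resource_group.this"})
    print("will delete:", deleted)
    print("problems:", issues or "none")
```

The JSON rendering can carry the same sensitive values as the plan file itself, so it needs the same handling.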