Why use 'terraform destroy'?

This is a really basic question, but I’m trying to understand why the ‘destroy’ subcommand exists.

In my usage of Terraform, I’ve only found a few cases where resources need to be destroyed, all of which can be done without this subcommand:

  • If I no longer need a resource, I can remove it from the configuration and run plan/apply.

  • If a resource is damaged in some way and needs to be recreated, I can use the ‘taint’ subcommand and then run plan/apply.

What sorts of situations do people have where ‘destroy’ is useful on its own?

Hi @kpfleming,

You’re right that terraform destroy is not often used in the typical situation where Terraform is being used to manage infrastructure objects that have an indefinite life: in those cases, you generally want to apply changes in-place rather than destroying everything and starting over.

There are some other use-cases for Terraform, though:

Some folks use Terraform to bring up temporary infrastructure for various purposes. For example, someone working on an application built around AWS Lambda + DynamoDB + SQS might use Terraform to spin up temporary DynamoDB + SQS objects to use during development, separately for each developer working on the project. In that case, they might use terraform destroy when they are finished with a task and no longer need those objects.

Another situation is testing reusable modules by including in them a test configuration, so that during development of the module you can terraform apply and terraform destroy as needed to exercise the module for testing.


Echoing @apparentlymart here: when I work on (new) modules, I use terraform destroy to make sure I have a clean slate to work.

For module development, terraform destroy is useful in ensuring that your code doesn’t have any hidden resource dependencies (an IAM role you added manually, a checkbox you ticked somewhere) and is well-encapsulated.

If you are running your terraform apply and terraform destroy steps in a testing account, be it through manual invocation or through CI / CD, I find that -auto-approve can be very useful, as it skips the interactive check.
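The apply/destroy test cycle described above, as an added example that is not part of the original posts: it runs both steps with -auto-approve only after confirming the current AWS account is on an allowlist of testing accounts. The `SANDBOX_ACCOUNTS` variable, the account IDs, and the function names are hypothetical, and AWS with the `aws` CLI is an assumption.

```shell
#!/usr/bin/env bash
# Added example: apply/destroy cycle for a module's test configuration that
# refuses to use -auto-approve outside an allowlisted testing account.
# SANDBOX_ACCOUNTS and the IDs below are constructed placeholders.

SANDBOX_ACCOUNTS="${SANDBOX_ACCOUNTS:-111111111111 222222222222}"

# Return 0 only if the argument is a 12-digit account ID on the allowlist.
is_sandbox_account() {
  local id="$1" allowed
  case "$id" in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "${#id}" -eq 12 ] || return 1
  for allowed in $SANDBOX_ACCOUNTS; do
    [ "$id" = "$allowed" ] && return 0
  done
  return 1
}

# Apply, then destroy, the configuration in the given directory.
# destroy runs even when apply fails part-way, so no resources are left behind.
test_cycle() {
  local dir="$1" account rc=0
  account="$(aws sts get-caller-identity --query Account --output text)" || return 2
  if ! is_sandbox_account "$account"; then
    echo "refusing -auto-approve: account '$account' is not a testing account" >&2
    return 3
  fi
  terraform -chdir="$dir" init -input=false || return 4
  terraform -chdir="$dir" apply -input=false -auto-approve || rc=$?
  terraform -chdir="$dir" destroy -input=false -auto-approve || rc=$?
  return "$rc"
}

# Run the cycle only when a directory argument is given.
if [ -n "${1:-}" ]; then
  test_cycle "$1"
fi
```

A non-zero exit from either the apply or the destroy step fails the run, so a CI job notices a module that cannot be cleanly torn down.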

Interesting, thanks for the answers! I haven’t had a need to use ‘destroy’ yet, although I did recently have a need to use ‘state rm’ as some resources I was managing (an entire module in fact) are now being managed elsewhere, so I needed to remove them from the configuration and also tell Terraform to forget they have ever existed.

Good to hear this is informative, @kpfleming!

I’m with you: in my normal “flow”, terraform destroy doesn’t see a lot of usage, usually apply takes care of removing the resources that are no longer needed.

terraform state rm, on the other hand, does see a fair bit of usage - usually when modules are moved or when Terraform repositories are split from a single State file into multiple files.

destroy is actually a very useful command for DevOps / platform-guys during the development phase and especially useful when you want to start over after a series of mess-ups. We use that in our sandpit a/c every day, which is an on-demand a/c, and destroy everything when done in there. I’m surprised you haven’t found a single use-case for destroy if using terraform on a daily basis.

I don’t build and destroy things on a daily basis, I’m using Terraform to manage long-term resources, so I expect that’s why.