## Introduction

`terraform destroy` fails when resources cannot be deleted because they are in use by other resources, have external dependencies, or are protected by deletion policies. Understanding the dependency graph is key to successful destruction.

## Symptoms

- `terraform destroy` fails with: "Error deleting resource: ResourceInUseException"
- Error: "dependency graph has cycles"
- Destroy succeeds for some resources but fails on specific ones
- VPC cannot be deleted because subnets still exist
- IAM role cannot be deleted because attached policies exist

## Common Causes

- Resources created outside Terraform referencing Terraform-managed resources
- Implicit dependencies not tracked in Terraform state
- Cloud provider refusing deletion (e.g., default VPC, built-in roles)
- Cross-workspace dependencies
- Resource has dependents that Terraform does not know about

## Step-by-Step Fix

1. **Check the dependency graph**:
   ```bash
   terraform graph | dot -Tpng > graph.png
   # Or use:
   terraform state list | grep <resource-type>
   ```
2. **Destroy in dependency order using targets**:
   ```bash
   terraform destroy -target=aws_instance.web -target=aws_security_group.web
   ```
3. **Remove resource from state if already deleted externally**:
   ```bash
   # Removes only the state entry; the real resource is not touched
   terraform state rm aws_instance.web
   ```
4. **For resources that cannot be destroyed, taint and re-plan**:
   ```bash
   # Note: `terraform taint` is deprecated since Terraform v0.15.2
   # in favor of the -replace option of plan/apply
   terraform taint aws_instance.web
   terraform plan
   terraform apply
   terraform destroy
   ```
5. **Import externally-created resources before destroying**:
   ```bash
   terraform import aws_instance.web i-1234567890
   terraform destroy
   ```
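The first two steps can be combined by deriving a deletion order from the graph itself. The following is an added example, not part of the original page: it parses DOT text in the shape `terraform graph` emits, treats an edge `A -> B` as "A depends on B", and returns resources with dependents first, reporting any cycle. The sample graph is constructed, and the `[root]` / `(expand)` label format is an assumption that varies by Terraform version.

```python
import re
from graphlib import CycleError, TopologicalSorter

# Constructed sample shaped like `terraform graph` DOT output (not from a real run).
SAMPLE_DOT = r'''
digraph {
  "[root] aws_instance.web (expand)" -> "[root] aws_security_group.web (expand)"
  "[root] aws_instance.web (expand)" -> "[root] aws_subnet.app (expand)"
  "[root] aws_security_group.web (expand)" -> "[root] aws_vpc.main (expand)"
  "[root] aws_subnet.app (expand)" -> "[root] aws_vpc.main (expand)"
  "[root] aws_vpc.main (expand)" -> "[root] provider[\"registry.terraform.io/hashicorp/aws\"]"
}
'''

EDGE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*->\s*"((?:[^"\\]|\\.)*)"')
SKIP = ("provider[", "provider.", "var.", "local.", "output.", "data.", "meta.")

def _address(node):
    """Strip the '[root] ' prefix and ' (expand)'/' (close)' suffix from a node label."""
    return re.sub(r"^\[root\] | \((?:expand|close)\)$", "", node)

def _is_resource(addr):
    return addr != "root" and not addr.startswith(SKIP)

def destroy_order(dot_text):
    """Return resource addresses in a safe deletion order (dependents first).

    An edge A -> B means A depends on B, so A must be destroyed before B.
    Raises ValueError naming the resources involved if the graph has a cycle.
    """
    sorter = TopologicalSorter()
    for src, dst in EDGE.findall(dot_text):
        a, b = _address(src), _address(dst)
        deps = [a] if _is_resource(a) else []
        if deps:
            sorter.add(a)             # keep resources that nothing depends on
        if _is_resource(b):
            sorter.add(b, *deps)      # a is ordered ahead of b
    try:
        return list(sorter.static_order())
    except CycleError as exc:
        raise ValueError("cycle: " + " -> ".join(exc.args[1])) from exc

if __name__ == "__main__":
    # Print review-only plan commands in deletion order; nothing is destroyed.
    for addr in destroy_order(SAMPLE_DOT):
        print(f"terraform plan -destroy -target={addr}")
```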

## Prevention

- Keep all resource creation within Terraform
- Use modules to manage dependency groups
- Document external dependencies
- Use separate state files for independent resource groups
- Test destroy in isolated environments first