May 4, 2026

terradozer

Terraform destroy using the state only - no *.tf files needed


Terradozer takes a Terraform state file as input and destroys all resources it finds in it, without needing any *.tf files. This currently works only for resources of the Terraform AWS Provider. If you need support for any other provider, let me know, and I will try to help.

Happy (terra)dozing!

Features

  • Nothing will be deleted without your confirmation. Terradozer always lists all resources first and then waits for your approval.
  • Using the -force flag (dangerous!), terradozer can run in an automated fashion without human interaction and approval, for example, as part of your CI pipeline.
  • Read Terraform state from a local file or S3 path, e.g., terradozer s3://bucket/path/to/terraform.tfstate
  • Use the -recursive flag to delete resources from all .tfstate files found under a local directory or S3 prefix, e.g., terradozer -recursive ./path/to/states or terradozer -recursive s3://bucket-with-states/. This is especially helpful if you orchestrate Terraform modules with Terragrunt and store all states under the same directory or in the same S3 bucket. This way, a complete Terragrunt project can be cleaned up in an automated fashion.

Installation

brew install chenrui333/tap/terradozer

Verify Release Provenance

GoReleaser publishes release assets with these names:

  • terradozer_<version>_<os>_<arch>.tar.gz
  • terradozer_<version>_checksums.txt

Supported release targets:

  • os: darwin, linux
  • arch: amd64, arm64

Release assets are published with GitHub Artifact Attestations, and matching attestation bundles (sha256*.jsonl) are attached to each release. To verify a downloaded asset and checksums file (example: v0.3.0):

VERSION=v0.3.0
ASSET="terradozer_${VERSION}_linux_amd64.tar.gz"
CHECKSUMS="terradozer_${VERSION}_checksums.txt"

# Download the release archive and the checksums file
gh release download "$VERSION" --repo chenrui333/terradozer --pattern "$ASSET" --pattern "$CHECKSUMS"

# Verify the attestation of each downloaded file against the repository
gh attestation verify "$ASSET" --repo chenrui333/terradozer
gh attestation verify "$CHECKSUMS" --repo chenrui333/terradozer

# Check the archive's SHA-256 digest against its entry in the checksums file
grep " $ASSET$" "$CHECKSUMS" | shasum -a 256 -c -

# Optional: offline verification with the release-attached bundle for this artifact
gh release download "$VERSION" --repo chenrui333/terradozer --pattern "sha256*.jsonl"
DIGEST="$(shasum -a 256 "$ASSET" | awk '{print $1}')"
# The bundle is named after the asset digest; try both separator variants
BUNDLE="sha256-${DIGEST}.jsonl"
if [ ! -f "$BUNDLE" ]; then
  BUNDLE="sha256:${DIGEST}.jsonl"
fi
gh attestation verify "$ASSET" --repo chenrui333/terradozer --bundle "$BUNDLE"

Usage

To delete all resources in a Terraform state file:

terradozer [flags] <path/to/terraform.tfstate|s3://bucket/key>

To delete all resources in every .tfstate file under a local directory or S3 prefix:

terradozer -recursive [flags] <directory|s3://bucket/prefix/>

Remote state reads and recursive S3 discovery use -state-timeout (default 30s). Increase it for large S3 prefixes or slow networks without changing the per-resource destroy -timeout.

To see all options, run terradozer --help. Provide credentials for the AWS account you want to read state from and destroy resources in via the usual environment variables, e.g., AWS_PROFILE=<myaccount> and either AWS_REGION=<myregion> or AWS_DEFAULT_REGION=<myregion>. If AWS_PROFILE is unset, terradozer uses the default profile.

The region information is needed as it is not stored as part of the state. Having multiple providers with different regions in one state file is not yet supported.

State file format

Terradozer expects a valid Terraform state JSON document (the same content format as terraform.tfstate).

  • The file extension is not used for detection; parsing is content-based.
  • Common names like terraform.tfstate, *.json, and *.tfstate.json are all supported.
  • Recursive discovery intentionally includes only files or S3 objects ending in .tfstate.
  • The file must contain Terraform-managed resources in state format (unsupported or malformed JSON will fail to parse).

How it works

Terradozer first scans a given Terraform state file (read-only) to find all resources (excluding data sources), then downloads the necessary Terraform Provider Plugins to call the destroy function for each resource on the respective CRUD API via gRPC (e.g., calling the Terraform AWS Provider to destroy an aws_instance resource).
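
A minimal sketch of the read-only scan step described above, added here as an example and not taken from terradozer's source: it parses a state document and lists only managed resources, which also works as a preview of what a run would target. It assumes the Terraform state format version 4 layout (resources[].mode, instances[].attributes.id); managedResources and sampleState are hypothetical names, and the sample state is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// resource is the subset of a Terraform state v4 entry needed for an inventory.
type resource struct {
	Mode      string `json:"mode"` // "managed" or "data"
	Type      string `json:"type"`
	Name      string `json:"name"`
	Instances []struct {
		Attributes map[string]interface{} `json:"attributes"`
	} `json:"instances"`
}

// managedResources lists "type.name (id)" per managed instance; data sources are skipped.
func managedResources(raw []byte) ([]string, error) {
	var s struct {
		Version   int        `json:"version"`
		Resources []resource `json:"resources"`
	}
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("not valid state JSON: %w", err)
	}
	if s.Version != 4 { // assumption: this example handles state format v4 only
		return nil, fmt.Errorf("unsupported state version %d", s.Version)
	}
	var out []string
	for _, r := range s.Resources {
		if r.Mode != "managed" {
			continue
		}
		for _, inst := range r.Instances {
			out = append(out, fmt.Sprintf("%s.%s (%v)", r.Type, r.Name, inst.Attributes["id"]))
		}
	}
	return out, nil
}

// sampleState is constructed for this example, not taken from a real deployment.
const sampleState = `{"version": 4, "resources": [
 {"mode":"data","type":"aws_ami","name":"ubuntu","instances":[{"attributes":{"id":"ami-0000000000000000"}}]},
 {"mode":"managed","type":"aws_instance","name":"web","instances":[{"attributes":{"id":"i-0123456789abcdef0"}}]},
 {"mode":"managed","type":"aws_s3_bucket","name":"logs","instances":[{"attributes":{"id":"example-logs"}}]}]}`

func main() {
	fmt.Println(managedResources([]byte(sampleState)))
}
```
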

Dependency updates

This repository uses Renovate with config at .github/renovate.json.

  • Go modules (go.mod/go.sum) and GitHub Actions dependencies are monitored.
  • Minor/patch updates are grouped by manager and configured for auto-merge.
  • Major updates are isolated and require manual dashboard approval/review.
  • Renovate uses semantic commit messages (chore(deps): ...) and applies dependency labels.

Tests

This section is only relevant if you want to contribute to Terradozer and therefore run the tests. Terradozer has acceptance tests, integration tests checking against changes of behaviour in the Terraform Provider API, and of course unit tests.

Run unit tests

make test

Run acceptance and integration tests

AWS_PROFILE=<myaccount> AWS_REGION=<myregion> make test-all