I had a new colleague ask a question which boiled down to "Why does destroying resource via TF suck?”
Destroying resources is just generally harder than creating them because the cloud can have lots of gotchas when determining "Is this resource okay to delete?".
is protected from deletion. AWS S3 buckets, databases, EC2 instances, and other types of resources can all have deletion protection configured.
is attached to other resources. Do you delete them, leave them dangling or ask the user?
is actively processing something that needs confirmation to stop.
Plenty of situations can block a destroy action.
Typically, unless you need to destroy that resource as a regular part of your workflow for some subset of infrastructure, which is not a common action, it's best to treat these painful interactions with the cloud and IaC as a one-off operation.
Accept the pain and handle it the best you can. That usually means doing some level of manual ClickOps delete action in the console or something similar.
That said, if you find yourself running into this problem over and over, then it can be useful to investigate that specific destroy operation and try to automate and optimize that process.
Maybe you need to have a process that empties your bucket before you attempt to destroy it. Maybe you need to stop adding items to a workstream, then wait for the processing to finish. Maybe you need to turn off deletion protection for your dev database instances. But don't do the same for your prod ones! Trust me, you want to avoid FRD.
Since this is not a common Day 2 operation I wouldn't worry too much about optimizing resource deletion. Only put effort into it if you're hitting your head against it again and again.
May your resource deletion be both seldom and fast,
PS Are you interested in being on a devops-focused podcast? Reply to me with the topic you want to discuss and I’m happy to intro you to the right podcast. Or, if you want to chat about S3 buckets, ClickOps or FRD, grab some time on my calendar here.