diff --git a/aws/documentation/account-decommission/vpc.tf b/aws/documentation/account-decommission/vpc.tf new file mode 100644 index 00000000..beb96756 --- /dev/null +++ b/aws/documentation/account-decommission/vpc.tf @@ -0,0 +1,59 @@ +# remove vpc-endpoints, if present + +```script +cd vpc/REGION/vpcN/vpc-endpoints +tf-init +tf-destroy +manage-remote-state.sh delete +tf-run clean +rm -rf .terraform* +``` + +# remove tgw setup + +```script +cd vpc/REGION/vpcN/tgw +tf-init +tf-destroy +manage-remote-state.sh delete +tf-run clean +rm -rf .terraform* +``` + +# remove vpc + +First, copy tf-run.delete.data. It is in the support repo: + +* terraform/support/local-app/tf-run/applications/vpc/tf-run.destroy.data + +```script +cd vpc/REGION/vpcN +cp REPOPATH/terraform/support/local-app/tf-run/applications/vpc/tf-run.destroy.data ./ +``` + +change `versions.tf` aws provider to lock to no more than 5.x. + +```hcl + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } +``` + +Then, follow the destroy plan: + +```script +tf-run destroy +``` + +This will fail at the end with some for_each stuff on nacls. To resolve: + +```script +mv nacls.tf nacls.tf.off +tf-destroy +mv nacls.tf.off nacls.tf +manage-remote-state.sh delete +tf-run clean +rm -rf .terraform* +```
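Review bot: The new file is named `vpc.tf` but its content is a Markdown runbook (headings, fenced `script` and `hcl` blocks), so anything that picks up `*.tf` files under `aws/documentation/account-decommission/` (terraform itself, fmt, validate, linters) will try to parse it as HCL. Rename it to `vpc.md` or similar. In the "remove vpc" section the prose says to copy `tf-run.delete.data`, while the bullet and the `cp` command both use `tf-run.destroy.data`; make the prose match the real file name. The `hcl` snippet opens `required_providers {` and `aws = {` but closes only one brace, so a reader pasting it into `versions.tf` gets a syntax error; add the missing `}` or mark the snippet as an excerpt. Finally, "some for_each stuff on nacls" does not tell the operator which failure is the expected one: quote the actual error text so that a different failure at that step is not worked around by moving `nacls.tf` aside and then running `manage-remote-state.sh delete`.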