diff --git a/.changelog/6669.txt b/.changelog/6669.txt
new file mode 100644
index 00000000000..1c793ca75cc
--- /dev/null
+++ b/.changelog/6669.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+kms: fixed apply failure when `google_kms_crypto_key` is removed after its versions were destroyed earlier
+```
diff --git a/google/kms_utils.go b/google/kms_utils.go
index 135f8bb7f7b..5bf53094159 100644
--- a/google/kms_utils.go
+++ b/google/kms_utils.go
@@ -188,15 +188,18 @@ func clearCryptoKeyVersions(cryptoKeyId *kmsCryptoKeyId, userAgent string, confi
 }
 for _, version := range versionsResponse.CryptoKeyVersions {
- request := &cloudkms.DestroyCryptoKeyVersionRequest{}
- destroyCall := versionsClient.Destroy(version.Name, request)
- if config.UserProjectOverride {
- destroyCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
- }
- _, err = destroyCall.Do()
-
- if err != nil {
- return err
+ // skip the versions that have been destroyed earlier
+ if version.State == "ENABLED" {
+ request := &cloudkms.DestroyCryptoKeyVersionRequest{}
+ destroyCall := versionsClient.Destroy(version.Name, request)
+ if config.UserProjectOverride {
+ destroyCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
+ }
+ _, err = destroyCall.Do()
+
+ if err != nil {
+ return err
+ }
 }
 }
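Review bot: The new guard `if version.State == "ENABLED"` in the loop of clearCryptoKeyVersions is broader than its comment says: it skips every version that is not ENABLED, not only those already destroyed. A version in the `DISABLED` state still holds key material and can be re-enabled, so removing the `google_kms_crypto_key` resource would now leave it intact without any error or warning. It would be safer to skip only the states where destruction is already done or pending, e.g. `if version.State == "DESTROYED" || version.State == "DESTROY_SCHEDULED" { continue }`, and leave the Destroy call unnested for everything else. The function starts and ends outside this hunk, so how the version list is built (filtering, pagination) is not visible here.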