diff --git a/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-commands.sh b/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-commands.sh
index 326ec0982fe11..08512de8d469d 100644
--- a/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-commands.sh
+++ b/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-commands.sh
@@ -24,7 +24,7 @@ hosted_zone_id="$(aws route53 list-hosted-zones-by-name \
             --dns-name "${base_domain}" \
             --query "HostedZones[? Config.PrivateZone != \`true\` && Name == \`${base_domain}.\`].Id" \
             --output text)"
-
+echo "${hosted_zone_id}" > "${SHARED_DIR}/hosted-zone.txt"
 
 echo "Creating DNS records..."
 cat > "${SHARED_DIR}"/dns-create.json <<EOF
diff --git a/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-ref.yaml b/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-ref.yaml
index c9bae8f57bfcb..d5aa09b601365 100644
--- a/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-ref.yaml
+++ b/ci-operator/step-registry/ipi/conf/vsphere/dns/ipi-conf-vsphere-dns-ref.yaml
@@ -10,4 +10,5 @@ ref:
     Uses VIPs in ${SHARED_DIR}/vips.txt to create route53 dns records. Outputs
     ${SHARED_DIR}/basedomain.txt to ensure consistent basedomain in conf and
     deprovision steps. Saves batch job to delete DNS records to
-    ${SHARED_DIR}/dns-delete.json for use in deprovisioning.
+    ${SHARED_DIR}/dns-delete.json for use in deprovisioning, with the hosted
+    zone ID in ${SHARED_DIR}/hosted-zone.txt.
diff --git a/ci-operator/step-registry/ipi/conf/vsphere/vips/ipi-conf-vsphere-vips-ref.yaml b/ci-operator/step-registry/ipi/conf/vsphere/vips/ipi-conf-vsphere-vips-ref.yaml
index 05ce7d4b9e892..d431e7ef29612 100644
--- a/ci-operator/step-registry/ipi/conf/vsphere/vips/ipi-conf-vsphere-vips-ref.yaml
+++ b/ci-operator/step-registry/ipi/conf/vsphere/vips/ipi-conf-vsphere-vips-ref.yaml
@@ -10,4 +10,5 @@ ref:
     Using secrets from the vSphere cluster profile, the vSphere VIP setup step
     reserves IP addresses through IPAM and saves them to $SHARED_DIR/vips.txt
     for later use in creating DNS records and the install config. They are also
-    needed in deprovisioning to release the reserved VIPs.
+    needed in deprovisioning to release the reserved VIPs (via the
+    ipi-deprovision-vsphere-vips step).
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/dns/OWNERS b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/OWNERS
new file mode 100644
index 0000000000000..f63e8872d2713
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- abhinavdahiya
+- jcpowermac
+- patrickdillon
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-commands.sh b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-commands.sh
new file mode 100755
index 0000000000000..44d0924760afc
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-commands.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+cluster_profile=/var/run/secrets/ci.openshift.io/cluster-profile
+export AWS_SHARED_CREDENTIALS_FILE=${cluster_profile}/.awscred 
+
+HOSTED_ZONE_ID="$(cat "${SHARED_DIR}/hosted-zone.txt")"
+
+echo "Deleting Route53 DNS records..."
+aws route53 change-resource-record-sets --hosted-zone-id "${HOSTED_ZONE_ID}" --change-batch "file:///${SHARED_DIR}/dns-delete.json"
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-ref.yaml b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-ref.yaml
new file mode 100644
index 0000000000000..e65ef6bf9010b
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/dns/ipi-deprovision-vsphere-dns-ref.yaml
@@ -0,0 +1,10 @@
+ref:
+  as: ipi-deprovision-vsphere-dns
+  from: upi-installer
+  commands: ipi-deprovision-vsphere-dns-commands.sh
+  resources:
+    requests:
+      cpu: 1000m
+      memory: 100Mi
+  documentation: >-
+    Releases DNS records via `${SHARED_DIR}/hosted-zone.txt` and `${SHARED_DIR}/dns-delete.json`.  The IP addresses were allocated with the ipi-conf-vsphere-dns step.
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-chain.yaml b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-chain.yaml
deleted file mode 100644
index 2f2017e07513a..0000000000000
--- a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-chain.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-chain:
-  as: ipi-deprovision-vsphere
-  steps:
-  - chain: gather
-  - ref: ipi-deprovision-vsphere
-  documentation: |-
-    The IPI deprovision step chain contains all the individual steps necessary to deprovision an OpenShift cluster.
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh
deleted file mode 100644
index 4d2618953ca85..0000000000000
--- a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-cluster_profile=/var/run/secrets/ci.openshift.io/cluster-profile
-tfvars_path=/var/run/secrets/ci.openshift.io/cluster-profile/secret.auto.tfvars
-base_domain=$(<"${SHARED_DIR}"/basedomain.txt)
-cluster_name=${NAMESPACE}-${JOB_NAME_HASH}
-ipam_token=$(grep -oP 'ipam_token="\K[^"]+' ${tfvars_path})
-
-export AWS_SHARED_CREDENTIALS_FILE=${cluster_profile}/.awscred 
-
-echo "Deprovisioning cluster ..."
-cp -ar "${SHARED_DIR}" /tmp/installer
-openshift-install --dir /tmp/installer destroy cluster
-cp /tmp/installer/.openshift_install.log "${ARTIFACT_DIR}/"
-
-hosted_zone_id="$(aws route53 list-hosted-zones-by-name \
-            --dns-name "${base_domain}" \
-            --query "HostedZones[? Config.PrivateZone != \`true\` && Name == \`${base_domain}.\`].Id" \
-            --output text)"
-
-echo "Releasing IP addresses from IPAM server..."
-for i in {0..2}
-do
-    curl -s "http://139.178.89.254/api/removeHost.php?apiapp=address&apitoken=${ipam_token}&host=${cluster_name}-$i"
-done
-
-echo "Deleting Route53 DNS records..."
-aws route53 change-resource-record-sets --hosted-zone-id "$hosted_zone_id" --change-batch file:///"${SHARED_DIR}"/dns-delete.json
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh
new file mode 120000
index 0000000000000..1456fc593e684
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-commands.sh
@@ -0,0 +1 @@
+../deprovision/ipi-deprovision-deprovision-commands.sh
\ No newline at end of file
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-ref.yaml b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-ref.yaml
index 1d3d5b797ba38..f7e70a34de395 100644
--- a/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-ref.yaml
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/ipi-deprovision-vsphere-ref.yaml
@@ -7,6 +7,6 @@ ref:
       cpu: 1000m
       memory: 100Mi
   documentation: >-
-    Reads the VIP and DNS records created in the setup phases from $SHARED_DIR
-    and delete them. Also uses $SHARED_DIR/basedomain.txt to ensure consistent
-    basedomain as setup steps.
+    The IPI deprovision step tears down the cluster.  Unlike the other
+    IPI deprovisioning, the installer image must include vCenter CA
+    certs.
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/vips/OWNERS b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/OWNERS
new file mode 100644
index 0000000000000..f63e8872d2713
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- abhinavdahiya
+- jcpowermac
+- patrickdillon
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-commands.sh b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-commands.sh
new file mode 100755
index 0000000000000..13476015b1d89
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-commands.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+cluster_profile=/var/run/secrets/ci.openshift.io/cluster-profile
+tfvars_path="${cluster_profile}/secret.auto.tfvars"
+cluster_name="${NAMESPACE}-${JOB_NAME_HASH}"
+ipam_token=$(grep -oP 'ipam_token="\K[^"]+' "${tfvars_path}")
+
+export AWS_SHARED_CREDENTIALS_FILE="${cluster_profile}/.awscred"
+
+# FIXME: should this be using ${SHARED_DIR}/vips.txt ?
+echo "Releasing IP addresses from IPAM server..."
+for i in {0..2}
+do
+    curl "http://139.178.89.254/api/removeHost.php?apiapp=address&apitoken=${ipam_token}&host=${cluster_name}-$i"
+done
diff --git a/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-ref.yaml b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-ref.yaml
new file mode 100644
index 0000000000000..ac2595e8e2b80
--- /dev/null
+++ b/ci-operator/step-registry/ipi/deprovision/vsphere/vips/ipi-deprovision-vsphere-vips-ref.yaml
@@ -0,0 +1,10 @@
+ref:
+  as: ipi-deprovision-vsphere-vips
+  from: upi-installer
+  commands: ipi-deprovision-vsphere-vips-commands.sh
+  resources:
+    requests:
+      cpu: 1000m
+      memory: 100Mi
+  documentation: >-
+    Releases IP addresses from the IPAM server.  The IP addresses were allocated with the ipi-conf-vsphere-vips step.
diff --git a/ci-operator/step-registry/ipi/vsphere/post/ipi-vsphere-post-chain.yaml b/ci-operator/step-registry/ipi/vsphere/post/ipi-vsphere-post-chain.yaml
index c582491fa4663..80ce638a96019 100644
--- a/ci-operator/step-registry/ipi/vsphere/post/ipi-vsphere-post-chain.yaml
+++ b/ci-operator/step-registry/ipi/vsphere/post/ipi-vsphere-post-chain.yaml
@@ -1,7 +1,10 @@
 chain:
   as: ipi-vsphere-post
   steps:
-  - chain: ipi-deprovision
+  - chain: gather
+  - ref: ipi-deprovision-vsphere
+  - ref: ipi-deprovision-vsphere-vips
+  - ref: ipi-deprovision-vsphere-dns
   documentation: |-
     The IPI cleanup step contains all steps that deprovision an OpenShift
     cluster on vSphere, provisioned by the `ipi-vsphere-pre` chain.