
So when you create a Global Accelerator in AWS, although you didn't specify to create a security group explicitly, one was still created automatically because it's a dependency for Global Accelerators. And when we run `terraform destroy`, the security group is still there. It's a known issue and HashiCorp suggests removing the GA manually. To avoid this I thought about running something like this:

```hcl
resource "aws_vpc" "vpc" {
  # Destroy-time provisioner: runs when the VPC is destroyed, before it is removed
  provisioner "local-exec" {
    when    = destroy
    command = "aws ec2 delete-security-group --group-id $(aws ec2 describe-security-groups --filter Name=group-name,Values='GlobalAccelerator' Name=vpc-id,Values=${self.id} --region ${var.region} --output text | awk '{print $5}') --region ${var.region}"
  }
  cidr_block = local.cidr_block
  # ...
}
```

The AWS CLI command works. I've tested it. I'm not sure how to pass the region variable. `var.region` fails since it's not a `self` argument. I'm also unable to add a region block as follows: `region = var.region`, since `region` is not a supported argument. How can I pass the region var in order to run the CLI command?

Thanks

JimmiJazz
  • What you want to do is not that simple. There is an entire GitHub [issue](https://github.com/hashicorp/terraform/issues/23679) dedicated to this topic. My earlier answer was thus incorrect. – Marcin Feb 01 '21 at 11:35
  • Might be an idea to create a shell script wrapper for the ec2 delete-security-group command where you can set the region manually? A little bit hacky but should work if the region remains constant? – Terry Sposato Feb 02 '21 at 01:37
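A wrapper along the lines of Terry Sposato's comment, written here as an added example (not the asker's code): the VPC id and region arrive as script arguments, so the destroy-time provisioner only has to pass `${self.id}` plus a literal region, the group is selected from the CLI's JSON output instead of an `awk` column, and nothing is deleted unless exactly one `GlobalAccelerator` group matches in that VPC. The script name `cleanup_ga_sg.py` and the sample describe output are constructed for the example.

```python
import json
import subprocess
import sys
from typing import List, Optional

GROUP_NAME = "GlobalAccelerator"  # name AWS gives the auto-created group

# Constructed sample of `aws ec2 describe-security-groups --output json`
# (not real output): one matching group, one with the same name in another
# VPC, and an unrelated group in the target VPC.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": GROUP_NAME, "VpcId": "vpc-0123"},
    {"GroupId": "sg-0bbb", "GroupName": GROUP_NAME, "VpcId": "vpc-9999"},
    {"GroupId": "sg-0ccc", "GroupName": "default", "VpcId": "vpc-0123"},
]}


def select_group_id(describe_output: dict, vpc_id: str) -> Optional[str]:
    """Return the GroupId of the single GlobalAccelerator group in vpc_id.

    Matches on JSON fields instead of the `awk '{print $5}'` column guess and
    returns None when nothing matches or the match is ambiguous.
    """
    matches = [sg["GroupId"] for sg in describe_output.get("SecurityGroups", [])
               if sg.get("GroupName") == GROUP_NAME and sg.get("VpcId") == vpc_id]
    return matches[0] if len(matches) == 1 else None


def aws(args: List[str], region: str) -> str:
    """Run an AWS CLI command with an explicit --region; return its stdout."""
    cmd = ["aws", *args, "--region", region, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def delete_orphaned_group(vpc_id: str, region: str) -> Optional[str]:
    """Delete the orphaned group in vpc_id; return its id, or None if skipped."""
    out = aws(["ec2", "describe-security-groups", "--filters",
               f"Name=group-name,Values={GROUP_NAME}", f"Name=vpc-id,Values={vpc_id}"],
              region)
    group_id = select_group_id(json.loads(out), vpc_id)
    if group_id is not None:
        aws(["ec2", "delete-security-group", "--group-id", group_id], region)
    return group_id


if __name__ == "__main__":
    # usage: python3 cleanup_ga_sg.py <vpc-id> <region>
    deleted = delete_orphaned_group(sys.argv[1], sys.argv[2])
    print(deleted or "no single GlobalAccelerator group found; nothing deleted")
```

From the provisioner this would be invoked as `command = "python3 cleanup_ga_sg.py ${self.id} eu-west-1"`, with the region written literally since `var.region` is not available at destroy time.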

1 Answer


I'd recommend creating the security group explicitly for Global Accelerator & avoid the overhead of a wrapper script or trying to delete the automatically created security group, unless there's a specific reason not to? This way Terraform will destroy the security group with it.

paulg