How to pass region var into local-exec inside vpc module


So when you create a Global Accelerator in AWS, although you didn't specify to create a security group explicitly, one was still created automatically because it's a dependency for Global Accelerators. And when we run terraform destroy, the security group is still there. It's a known issue and HashiCorp suggests removing the GA manually. To avoid this I thought about running something like this:

resource "aws_vpc" "vpc" {
  provisioner "local-exec" {
    when    = destroy
    command = "aws ec2 delete-security-group --group-id $(aws ec2 describe-security-groups --filter Name=group-name,Values='GlobalAccelerator' Name=vpc-id,Values=${self.id} --region ${var.region} --output text | awk '{print $5}') --region ${var.region}"
  }
  cidr_block = local.cidr_block
.
.
.
}

The AWS CLI command works. I've tested it. I'm not sure how to pass the region variable. var.region fails since it's not a self argument. I'm also unable to add a region block as follows: region = var.region, since region is not a supported argument. How can I pass the region var in order to run the CLI command?

Thanks

There is 1 answer below


I'd recommend creating the security group explicitly for Global Accelerator and avoiding the overhead of a wrapper script or trying to delete the automatically created security group, unless there's a specific reason not to? This way Terraform will destroy the security group with it.
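For the approach the question describes, the following is an added example (not code from the asker or the answerer) of the documented way to get a non-self value into a destroy-time provisioner: Terraform only allows such a provisioner to reference self, count.index and each.key, so the region and VPC id are stored at create time in the triggers of a null_resource and read back through self.triggers. The variable name, resource names and the use of the hashicorp/null provider are assumptions; the filter on the group name GlobalAccelerator and the VPC id come from the question.

```hcl
# Added example, not part of the original question or answer.
# Assumes a "region" input variable and the hashicorp/null provider.
variable "region" {
  type = string
}

resource "aws_vpc" "vpc" {
  cidr_block = local.cidr_block
}

resource "null_resource" "cleanup_ga_sg" {
  # Anything the destroy-time command needs must be captured here at create
  # time; destroy-time provisioners may only read self, count.index, each.key.
  triggers = {
    region = var.region
    vpc_id = aws_vpc.vpc.id
  }

  provisioner "local-exec" {
    when        = destroy
    interpreter = ["/bin/bash", "-c"]
    # --query returns only the group ids, so no awk column guessing; the loop
    # is a no-op when no GlobalAccelerator group exists in the VPC.
    command     = <<-EOT
      set -euo pipefail
      sg_ids=$(aws ec2 describe-security-groups \
        --region "${self.triggers.region}" \
        --filters Name=group-name,Values=GlobalAccelerator \
                  Name=vpc-id,Values="${self.triggers.vpc_id}" \
        --query 'SecurityGroups[].GroupId' --output text)
      for sg in $sg_ids; do
        aws ec2 delete-security-group --region "${self.triggers.region}" --group-id "$sg"
      done
    EOT
  }
}
```

Because the null_resource depends on aws_vpc.vpc through its triggers, Terraform destroys it (and runs the cleanup) before it tries to delete the VPC. Whatever resource owns the Global Accelerator endpoints should carry a depends_on pointing at null_resource.cleanup_ga_sg, so that on destroy those endpoints are removed first and the security group is no longer in use when the delete runs; the exact endpoint resource is not shown in the question, so it is left out here.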