
Terraform download local file from remote URL on apply and delete file on destroy

Tags:

terraform

I need to download a lambda archive file from a URL before the actual lambda resource is created, and this file needs to be deleted when I run terraform destroy. Basically a local file resource created from a remote URL. I have it currently done using a null_resource and local-exec provisioner like below. But this doesn't delete the file when I run terraform destroy. Is there a better way?

resource "null_resource" "lambda_jar" {
  triggers = {
    on_version_change = "${var.lambda_archive_version}"
  }

  provisioner "local-exec" {
    command = "curl -o lambda.jar ${var.server_url}/${var.lambda_archive_version}.jar"
  }
}
Nithin Satheesan asked Jul 10 '20 02:07


2 Answers

Interesting use case... I haven't tried this myself, but I'm pretty sure one of the two options below will allow you to accomplish this.

  1. Preferred option. Use another local-exec provisioner with when = destroy:
resource "null_resource" "lambda_jar" {
  triggers = {
    on_version_change = "${var.lambda_archive_version}"
  }

  provisioner "local-exec" {
    command = "curl -o lambda.jar ${var.server_url}/${var.lambda_archive_version}.jar"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "$YOUR_CURL_DELETE_COMMAND"
  }
}
  2. Use terraform-provider-shell. This allows you to script the various terraform lifecycle commands directly in a "custom" resource. It's not great to add custom providers in v0.12 because it requires manual installation across your team, but this provider is a swiss army knife and can definitely do what you're asking for here if the above doesn't work out.
Gowiem answered Oct 13 '22 06:10
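
An added example (not code from the question or either answer) that combines the destroy-time provisioner suggested above with an integrity check, so a truncated or tampered download fails terraform apply instead of being deployed. `lambda_archive_sha256` is a hypothetical variable holding a digest obtained out of band; the example assumes `sha256sum` is installed where Terraform runs and that `server_url` is served over HTTPS.

```hcl
variable "server_url" { type = string }
variable "lambda_archive_version" { type = string }

# Hypothetical variable: SHA-256 of the archive, obtained out of band
# (for example from the build pipeline), not from the download server itself.
variable "lambda_archive_sha256" { type = string }

resource "null_resource" "lambda_jar" {
  # A destroy-time provisioner may only reference self, so everything the
  # cleanup command needs is recorded in triggers. Changing the version or
  # the digest replaces the resource: old file removed, new file fetched.
  triggers = {
    version = var.lambda_archive_version
    sha256  = var.lambda_archive_sha256
    path    = "${path.module}/lambda.jar"
  }

  provisioner "local-exec" {
    # Values go through the environment rather than being interpolated
    # into the shell command line.
    environment = {
      URL    = "${var.server_url}/${var.lambda_archive_version}.jar"
      DEST   = self.triggers.path
      SHA256 = self.triggers.sha256
    }
    # --fail makes an HTTP error abort the apply instead of saving the error
    # page as lambda.jar; --proto '=https' refuses any other scheme.
    command = <<-EOT
      set -eu
      curl --fail --silent --show-error --proto '=https' -o "$DEST.tmp" "$URL"
      echo "$SHA256  $DEST.tmp" | sha256sum -c - || { rm -f "$DEST.tmp"; exit 1; }
      mv "$DEST.tmp" "$DEST"
    EOT
  }

  provisioner "local-exec" {
    when        = destroy
    environment = { DEST = self.triggers.path }
    command     = "rm -f \"$DEST\""
  }
}
```

The file only appears under its final name after the digest matches, so a later resource that reads `lambda.jar` never sees an unverified archive.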


You can download a file from a URL using the http data source.

My use case is similar to yours:

  1. Download IAM policy for AWS load balancer controller
  2. Use this file to create a policy
  3. Use the policy as an attachment for a role

All these operations happen on terraform apply and are rolled back on terraform destroy.

  1. Get Policy File from URL
data "http" "aws-lb-controller-policy" {
  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.0/docs/install/iam_policy.json"

  request_headers = {
    Accept = "application/json"
  }
}
  2. Create a policy using the response body
resource "aws_iam_policy" "load-balancer-controller" {
  name = "AWSLoadBalancerControllerIAMPolicy"
  policy = tostring(data.http.aws-lb-controller-policy.body)
  description = "Load Balancer Controller add-on for EKS"
}
  3. Use the policy as an attachment for a role
resource "aws_iam_role_policy_attachment" "inline-AWSLoadBalancerControllerIAMPolicy" {
  role       = aws_iam_role.dev-oidc-role.name
  policy_arn = aws_iam_policy.load-balancer-controller.arn
}
Saurabh answered Oct 13 '22 05:10