Using terraform to download zip file from aws s3

amazon s3amazon-web-servicesterraform

I can't seem to find a documentation that will help me download a zip file from aws s3 to an instance using terraform, can someone help me find a solution to this ?

Thank you.

Best Answer

There are various ways to download file from S3 depending on your needs.

Option 1.1. You can use remote-exec provisioner. This one is MIME agnostic.

resource "aws_instance" "web" {
  ## [...]

  provisioner "remote-exec" {
    command = "curl -XGET [...]"
  }
}

Option 1.2. You can use null_resource with proper trigger.

resource "null_resource" "cluster" {
  # Changes to any instance of the cluster requires re-provisioning
  triggers = {
    cluster_instance_ids = "${join(",", aws_instance.cluster.*.id)}"
  }

  # Bootstrap script can run on any instance of the cluster
  # So we just choose the first in this case
  connection {
    host = "${element(aws_instance.cluster.*.public_ip, 0)}"
  }

  provisioner "remote-exec" {
    # Bootstrap script called with private_ip of each node in the cluster
    inline = [
      "bootstrap-cluster.sh ${join(" ", aws_instance.cluster.*.private_ip)}",
    ]
  }
}

Option 2.1. You can use file and aws_s3_bucket_object data resource.

It will work perfectly with text files.

data "aws_s3_bucket_object" "secret_key" {
    bucket = "awesomecorp-secret-keys"
    key    = "awesomeapp-secret-key"
}

resource "aws_instance" "web" {
  ## [...]
  provisioner "file" {
    content     = data.aws_s3_bucket_object.secret_key.body
    destination = /tmp/file
  }
}

Option 2.2. You can use http provider as well.

Option 3.1. Use user_data_scripts from cloud-init. There are set of problems and similar threads on the Internet. (AWS Developers Forum; an example of authenticated downloading with Cloudformation)

resource "aws_instance" "web" {
  ami           = "${data.aws_ami.ubuntu.id}"
  instance_type = "t2.micro"
  user_data     = [...]

  tags = {
    Name = "HelloWorld"
  }
}

Remember to give an instance an IAM role with proper permissions, if you execute command from the instance, or give proper permissions to role, that executes Terraform.

Note: Said that, I doubt Terraform is best choice for instance provisioning. Take a look at SaltStack, Ansible or Chef. These are the tools designed to work with instance provisioning.

Related Solutions

Amazon S3 – How to Get the Size of an Amazon S3 Bucket

The AWS CLI now supports the --query parameter which takes a JMESPath expressions.

This means you can sum the size values given by list-objects using sum(Contents[].Size) and count like length(Contents[]).

This can be be run using the official AWS CLI as below and was introduced in Feb 2014

 aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"

Causing Access Denied when using the aws cli to download from Amazon S3

I was struggling with this, too, but I found an answer over here https://stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.

You don't have to open permissions to everyone. Use the below Bucket policies on source and destination for copying from a bucket in one account to another using an IAM user

Bucket to Copy from – SourceBucket

Bucket to Copy to – DestinationBucket

Source AWS Account ID - XXXX–XXXX-XXXX

Source IAM User - src–iam-user

The below policy means – the IAM user - XXXX–XXXX-XXXX:src–iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*

On the SourceBucket the policy should be like:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::SourceBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: SourceBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

On the DestinationBucket the policy should be:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

command to be run is s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1

Best Answer

Related Solutions

Amazon S3 – How to Get the Size of an Amazon S3 Bucket

Causing Access Denied when using the aws cli to download from Amazon S3

Related Topic