我试图在Terraform中创建一个解决方案,我可以使用let加密或在S3存储桶中提供我自己的TLS证书。我面临的问题是我无法有条件地运行Let的加密证书生成和上传步骤。
如何使最后两个步骤成为条件?我在考虑将它们包装在null_resource中,如何根据外部数据创建触发器?
任何提示都非常感谢!谢谢你们。
<磷>氮resource "null_resource" "sync_certs" {
provisioner "local-exec" {
command = "mkdir -p ./tmp/certs"
}
provisioner "local-exec" {
command = "aws s3 sync s3://xxxxxx/${var.root_domain_name}/${var.env_name} ./tmp/certs/ && ls -l ./tmp/certs/"
}
}
resource "tls_private_key" "cert_private_key" {
count = "${var.bank_count}"
algorithm = "RSA"
}
resource "acme_registration" "reg" {
server_url = "${var.acme_url}"
account_key_pem = "${tls_private_key.generated_key.private_key_pem}"
email_address = "xxxxx"
}
resource "acme_certificate" "certificate" {
count = "${var.bank_count}"
server_url = "${var.acme_url}"
account_key_pem = "${tls_private_key.generated_key.private_key_pem}"
common_name = "${var.bank_names[count.index]}.${var.env_name}.${var.root_domain_name}"
dns_challenge {
provider = "route53"
}
registration_url = "${acme_registration.reg.id}"
}
resource "local_file" "privkey" {
count = "${var.bank_count}"
content = "${tls_private_key.generated_key.private_key_pem}"
filename = "./tmp/certs/${var.bank_names[count.index]}.privkey.pem"
}
resource "aws_s3_bucket_object" "tls_private_key_file" {
count = "${var.bank_count}"
bucket = "xxxx"
key = "${var.root_domain_name}/${var.env_name}/${var.bank_names[count.index]}.privkey.pem"
source = "./tmp/certs/${var.bank_names[count.index]}.privkey.pem"
content_type = "text/plain"
depends_on = ["local_file.privkey"]
}
}
答案 0 :(得分:0)
不确定我的理解是否正确,你在找这样的东西吗?
首先定义开关开/关变量enable=true|false
。
将计数代码放在您要控制的任何资源中。
count = "${var.enable ? var.bank_count : 0}"
答案 1 :(得分:0)
我最终通过在脚本中包装terraform来解决这个问题。在这里,我可以检查是否要在s3中使用证书,并从覆盖目录中移入terraform的相应文件。不漂亮,但它有效!