Terraform中的条件TLS证书管理

时间:2017-07-25 23:59:24

标签: amazon-web-services devops terraform

我试图在Terraform中创建一个解决方案,我可以使用let加密或在S3存储桶中提供我自己的TLS证书。我面临的问题是我无法有条件地运行Let的加密证书生成和上传步骤。

如何使最后两个步骤成为条件?我在考虑将它们包装在null_resource中,如何根据外部数据创建触发器?

任何提示都非常感谢!谢谢你们。

<磷>氮

resource "null_resource" "sync_certs" {
  provisioner "local-exec" {
    command = "mkdir -p ./tmp/certs"
  }
  provisioner "local-exec" {
    command =  "aws s3 sync s3://xxxxxx/${var.root_domain_name}/${var.env_name} ./tmp/certs/ && ls -l ./tmp/certs/"
  }
}

resource "tls_private_key" "cert_private_key" {
  count     = "${var.bank_count}"
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  server_url = "${var.acme_url}"

  account_key_pem = "${tls_private_key.generated_key.private_key_pem}"

  email_address = "xxxxx"
}

resource "acme_certificate" "certificate" {
  count           = "${var.bank_count}"
  server_url      = "${var.acme_url}"
  account_key_pem = "${tls_private_key.generated_key.private_key_pem}"
  common_name     = "${var.bank_names[count.index]}.${var.env_name}.${var.root_domain_name}"

  dns_challenge {
    provider = "route53"
  }

  registration_url = "${acme_registration.reg.id}"
}

resource "local_file" "privkey" {
  count       = "${var.bank_count}"
  content     = "${tls_private_key.generated_key.private_key_pem}"
  filename = "./tmp/certs/${var.bank_names[count.index]}.privkey.pem"
}


resource "aws_s3_bucket_object" "tls_private_key_file" {
  count       = "${var.bank_count}"
  bucket      = "xxxx"
  key         = "${var.root_domain_name}/${var.env_name}/${var.bank_names[count.index]}.privkey.pem"
  source      = "./tmp/certs/${var.bank_names[count.index]}.privkey.pem"
  content_type = "text/plain"
  depends_on  = ["local_file.privkey"]
}

}

2 个答案:

答案 0 :(得分:0)

不确定我的理解是否正确,你在找这样的东西吗?

首先定义开关开/关变量enable=true|false

将计数代码放在您要控制的任何资源中。

count = "${var.enable ? var.bank_count : 0}"

答案 1 :(得分:0)

我最终通过在脚本中包装terraform来解决这个问题。在这里,我可以检查是否要在s3中使用证书,并从覆盖目录中移入terraform的相应文件。不漂亮,但它有效!