How to use a resource variable if the resource is not created in Terraform

Time: 2019-09-12 10:39:33

Tags: terraform

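I want to enable or disable an encrypted RDS with a customer-managed key by adding a variable create_kms_key, but when the resource "aws_kms_key" is not created I always get the error Resource 'aws_kms_key.ami-kms-key' not found for variable 'aws_kms_key.ami-kms-key.arn'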

create_kms_key = false

resource "aws_kms_key" "ami-kms-key" {
  count = "${var.create_kms_key ? 1 : 0}"
  description = "ami-kms-key"
  enable_key_rotation = true
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7.19"
  instance_class       = "db.t2.micro"
  name                 = "encrypteddb"
  username             = "admin"
  password             = "admin"
  storage_encrypted    = true
  kms_key_id           = "${aws_kms_key.ami-kms-key.arn}"
}

I tried kms_key_id = "${var.create_kms_key ? aws_kms_key.ami-kms-key.arn : "" }", but it did not help.

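I don't want to create the KMS key every time I run Terraform. Depending on the create_kms_key variable, I want to either use the default KMS / an unencrypted RDS, or encrypt with a customer-managed key.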

How can I skip kms_key_id in the resource?

Thanks!

0 answers:

No answers
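
One way to make the key optional, as an added example that is not part of the original post. It assumes Terraform 0.12 or later; `var.db_password` is a hypothetical variable introduced here, and the database name argument is omitted.

```hcl
# Added example, assuming Terraform 0.12+; not the asker's code.
variable "create_kms_key" {
  type    = bool
  default = false
}

# Hypothetical variable: supplies the password from outside the configuration.
variable "db_password" {
  type = string
}

resource "aws_kms_key" "ami-kms-key" {
  count               = var.create_kms_key ? 1 : 0
  description         = "ami-kms-key"
  enable_key_rotation = true
}

resource "aws_db_instance" "default" {
  allocated_storage = 20
  storage_type      = "gp2"
  engine            = "mysql"
  engine_version    = "5.7.19"
  instance_class    = "db.t2.micro"
  username          = "admin"
  password          = var.db_password
  storage_encrypted = true

  # A resource with count is a list, so the key is addressed by index.
  # Only the selected branch is evaluated, so [0] is never read when count = 0.
  # null leaves kms_key_id unset: RDS then encrypts with the account's default
  # AWS-managed key (aws/rds).
  kms_key_id = var.create_kms_key ? aws_kms_key.ami-kms-key[0].arn : null
}

# Terraform 0.11 (the "${...}" syntax in the question) evaluates both branches
# of a conditional, so the splat form is needed there instead:
#   kms_key_id = "${join("", aws_kms_key.ami-kms-key.*.arn)}"
```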