✦ ➜ terraform --version
Terraform v0.12.28
+ provider.aws v2.60.0
+ provider.kubernetes v1.11.3
+ provider.local v1.4.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.template v2.1.2
只需放置2个用于SSL证书的新文件
# module.ssl-certificate.aws_iam_server_certificate.cert must be replaced
+/- resource "aws_iam_server_certificate" "cert" {
~ arn = "arn:aws:iam::XXX:server-certificate/xxx-ssl-certxxx" -> (known after apply)
~ certificate_body = "721e444119806928d19ef830740057c52580ba71" -> "cd6882dff1edb0223a20fe5f1c2b4b594f07526f" # forces replacement
- certificate_chain = "7e85cb3e40dff5a9f83ff75576d71fd98fdfdd89" -> null # forces replacement
~ id = "XXX" -> (known after apply)
~ name = "XXX-ssl-cert20200716210119477600000001" -> (known after apply)
name_prefix = "XXX-ssl-cert"
path = "/"
private_key = (sensitive value)
}
每次我运行terraform apply时,我总是要求“替换”证书。每次创建一个新的。
文件(crt,密钥)没有变化
/main.tf
module "ssl-certificate" {
source = "./modules/certificates"
certificate = {
name = "xxx-ssl-cert"
body = file("assets/ssl/_.xxx.com/xxx.crt")
private_key = file("assets/ssl/_.xxx.com/xxx.key")
}
team = var.team
project = var.project
component = ""
environment = var.environment
tags = module.project_config.tags
}
/modules/certificates/main.tf
resource "aws_iam_server_certificate" "cert" {
name_prefix = var.certificate.name
certificate_body = var.certificate.body
private_key = var.certificate.private_key
lifecycle {
create_before_destroy = true
}
}
怎么了?在此之前,我具有自签名证书,并且从来没有这种行为。添加了新证书-并开始在应用中获得这些“重新创建”必需的计划。
答案 0 :(得分:1)
我建议使用生命周期进行ignore_changes。
Example: lifecycle {
ignore_changes = [certificate_body]
}
答案 1 :(得分:0)
为了防止 terraform 在证书内容不变时重新创建证书,
将证书链内容从“certificate_body”移动到“aws_iam_server_certificate”资源内的“certificate_chain”terraform 参数 &
确保 certificate_body 和 certificate_contents 中的行尾与实际相同(对于我的用例,cert 中的行尾是 LF)