Terraform keeps forcing re-creation of the aws_iam_server_certificate resource


✦ ➜ terraform --version                       
Terraform v0.12.28
+ provider.aws v2.60.0
+ provider.kubernetes v1.11.3
+ provider.local v1.4.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.template v2.1.2

I just put in 2 new files for the SSL certificate

  # module.ssl-certificate.aws_iam_server_certificate.cert must be replaced
+/- resource "aws_iam_server_certificate" "cert" {
      ~ arn               = "arn:aws:iam::XXX:server-certificate/xxx-ssl-certxxx" -> (known after apply)
      ~ certificate_body  = "721e444119806928d19ef830740057c52580ba71" -> "cd6882dff1edb0223a20fe5f1c2b4b594f07526f" # forces replacement
      - certificate_chain = "7e85cb3e40dff5a9f83ff75576d71fd98fdfdd89" -> null # forces replacement
      ~ id                = "XXX" -> (known after apply)
      ~ name              = "XXX-ssl-cert20200716210119477600000001" -> (known after apply)
        name_prefix       = "XXX-ssl-cert"
        path              = "/"
        private_key       = (sensitive value)
    }

Every time I run CCD_ 1, I am always asked to "replace" the certificate. A new one is created each time.

The files (crt, key) have not changed.

/main.tf

module "ssl-certificate" {
  source = "./modules/certificates"
  certificate = {
    name        = "xxx-ssl-cert"
    body        = file("assets/ssl/_.xxx.com/xxx.crt")
    private_key = file("assets/ssl/_.xxx.com/xxx.key")
  }
  team        = var.team
  project     = var.project
  component   = ""
  environment = var.environment
  tags        = module.project_config.tags
}

/modules/certificates/main.tf

resource "aws_iam_server_certificate" "cert" {
  name_prefix      = var.certificate.name
  certificate_body = var.certificate.body
  private_key      = var.certificate.private_key
  lifecycle {
    create_before_destroy = true
  }
}

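What's wrong? Before this, I had a self-signed certificate and never saw this behavior. I added the new certificate and started getting these "re-create" required messages in plan/apply.

Any ideas?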

I suggest using the ignore_changes lifecycle.

Example:

lifecycle {
  ignore_changes = [certificate_body]
}

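To prevent terraform from re-creating the certificate when the certificate content has not changed:

  1. Move the certificate chain content from "certificate_body" to the "certificate_chain" argument inside the terraform "aws_iam_server_certificate" resource, and

  2. Make sure certificate_body & certificate_contents are the same as the actual content (for my use case, the line endings in the cert are LF).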

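As @beta mentioned, the solution is to run the dos2unix command on the cert file to convert it from DOS format to UNIX format, especially the line-ending characters.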
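
An added example (not code from the question or the answers) covering the two fixes described in the answers above: it converts line endings to LF, as dos2unix does, and splits a PEM bundle into the first certificate for certificate_body and the remaining certificates for certificate_chain. The function names and the sample bundle are constructed for illustration, and the script assumes the leaf certificate comes first in the file.

```python
import re
import sys

# One PEM certificate block, from its BEGIN line through its END line.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample: two dummy PEM blocks (not real certificates) saved
# with DOS (CRLF) line endings, leaf first and one chain entry after it.
SAMPLE = (
    b"-----BEGIN CERTIFICATE-----\r\nTEVBRg==\r\n-----END CERTIFICATE-----\r\n"
    b"-----BEGIN CERTIFICATE-----\r\nQ0hBSU4=\r\n-----END CERTIFICATE-----\r\n"
)


def normalize_newlines(data):
    """Convert CRLF and bare CR line endings to LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def split_bundle(data):
    """Return (leaf, chain) as LF-terminated bytes.

    Assumption: the first certificate in the file is the leaf. The chain is
    b"" when the file holds a single certificate.
    """
    blocks = PEM_CERT.findall(normalize_newlines(data))
    if not blocks:
        raise ValueError("no PEM certificate found")
    leaf = blocks[0] + b"\n"
    chain = b"".join(block + b"\n" for block in blocks[1:])
    return leaf, chain


def report(data):
    """Summarise the two conditions the answers point at."""
    leaf, chain = split_bundle(data)
    return {
        "has_crlf": b"\r" in data,  # file was saved with DOS line endings
        "cert_count": 1 + chain.count(b"-----BEGIN CERTIFICATE-----"),
    }


if __name__ == "__main__":
    # Usage: python check_cert.py path/to/file.crt  (falls back to SAMPLE)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(raw))
```

A file that reports has_crlf as True or a cert_count above 1 matches the conditions the answers describe.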
