Make null resource to wait on aws_route53_record in Terraform
resource "aws_route53_record" "record" {
  zone_id = data.aws_route53_zone.selected.zone_id
  name    = "${var.sfs_instance_name}.example.com"
  type    = "A"
  ttl     = "60"
  records = ["${aws_eip.sfs.public_ip}"]
}

resource "null_resource" "sfs-ssl-certs" {
  connection {
    type        = "ssh"
    user        = "centos"
    host        = aws_eip.sfs.public_ip
    private_key = file("../keys/${var.sfs_instance_name}.pem")
  }

  provisioner "remote-exec" {
    inline = [
      "set -x",
      "sudo certbot --nginx -d ${var.sfs_instance_name}.example.com --register-unsafely-without-email --agree-tos --force-renewal --non-interactive > /home/centos/get_cert.log"
    ]
  }
}
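I am dynamically creating nginx SSL for the domain "${var.sfs_instance_name}.example.com", but the entry is added at the end of execution, so the certbot SSL certificate creation fails. How can I overcome this? Can I wait for resource "aws_route53_record" to create the entry, or is there any other workaround?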
I think the solution is to add depends_on:
resource "null_resource" "sfs-ssl-certs" {
  # Explicit ordering: provision only after the DNS record has been created
  depends_on = [aws_route53_record.record]

  connection {
    type        = "ssh"
    user        = "centos"
    host        = aws_eip.sfs.public_ip
    private_key = file("../keys/${var.sfs_instance_name}.pem")
  }

  provisioner "remote-exec" {
    inline = [
      "set -x",
      "sudo certbot --nginx -d ${var.sfs_instance_name}.example.com --register-unsafely-without-email --agree-tos --force-renewal --non-interactive > /home/centos/get_cert.log"
    ]
  }
}
You can avoid depends_on here by correctly interpolating values from the resources:
resource "aws_route53_record" "record" {
  zone_id = data.aws_route53_zone.selected.zone_id
  name    = "${var.sfs_instance_name}.example.com"
  type    = "A"
  ttl     = "60"
  records = [aws_eip.sfs.public_ip]
}

resource "null_resource" "sfs-ssl-certs" {
  connection {
    type        = "ssh"
    user        = "centos"
    host        = aws_eip.sfs.public_ip
    private_key = file("../keys/${var.sfs_instance_name}.pem")
  }

  provisioner "remote-exec" {
    inline = [
      "set -x",
      # Referencing aws_route53_record.record.name creates the implicit dependency
      "sudo certbot --nginx -d ${aws_route53_record.record.name} --register-unsafely-without-email --agree-tos --force-renewal --non-interactive > /home/centos/get_cert.log"
    ]
  }
}
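Terraform only needs the depends_on parameter when it can't be told about the dependency chain directly by interpolating one resource's values into another. In general, if you can avoid using it and stick to direct resource interpolation, it makes things better. As another positive, it saves you from having to build the DNS record name through string concatenation in two places.
The Terraform documentation around resource dependencies also recommends avoiding depends_on unless absolutely necessary: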
Most resources in a configuration don't have any particular
relationship, and Terraform can make changes to several unrelated
resources in parallel.
However, some resources must be processed after other specific
resources; sometimes this is because of how the resource works, and
sometimes the resource's configuration just requires information
generated by another resource.
Most resource dependencies are handled automatically. Terraform
analyses any expressions within a resource block to find references to
other objects, and treats those references as implicit ordering
requirements when creating, updating, or destroying resources. Since
most resources with behavioral dependencies on other resources also
refer to those resources' data, it's usually not necessary to manually
specify dependencies between resources.
However, some dependencies cannot be recognized implicitly in
configuration. For example, if Terraform must manage access control
policies and take actions that require those policies to be present,
there is a hidden dependency between the access policy and a resource
whose creation depends on it. In these rare cases, the depends_on
meta-argument can explicitly specify a dependency.
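
Both answers order the provisioner after the record resource, which guarantees only that Terraform has finished creating the record before certbot starts; whether the name already resolves to the instance is a separate question. The following pre-flight check is an added example, not code from either answer: the function names `resolve_a` and `wait_for_a_record` are hypothetical, and it assumes `getent` is available on the instance.

```shell
#!/bin/sh
# Added example: block until an A record resolves to the expected address,
# so certbot is not started against a name that does not point here yet.

# resolve_a NAME -> prints the IPv4 addresses NAME currently resolves to.
# Assumption: getent exists on the host (glibc systems such as CentOS).
resolve_a() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# wait_for_a_record NAME EXPECTED_IP [ATTEMPTS] [DELAY_SECONDS]
# Returns 0 once NAME resolves to EXPECTED_IP, 1 when the attempts run out.
wait_for_a_record() {
    name=$1
    expected=$2
    attempts=${3:-30}
    delay=${4:-10}
    i=1
    while [ "$i" -le "$attempts" ]; do
        # -F literal, -x whole line: 203.0.113.10 must not match 203.0.113.100
        if resolve_a "$name" | grep -Fxq "$expected"; then
            echo "resolved $name -> $expected after $i attempt(s)"
            return 0
        fi
        echo "attempt $i/$attempts: $name does not resolve to $expected yet" >&2
        i=$((i + 1))
        # Do not sleep after the final failed attempt
        [ "$i" -le "$attempts" ] && sleep "$delay"
    done
    return 1
}
```

A failed wait should stop the provisioner rather than fall through to certbot, since every failed validation counts against the CA's rate limits. The check reflects the instance's own resolver, not the view of the CA's validation servers.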