Amazon web services 如何在为EC2实例创建签名证书时防止循环依赖?
我正在使用创建一个EC2实例,该实例将用作docker主机。这意味着我需要创建加密密钥,以便通过internet安全地连接到它。创建密钥时,需要指定要连接的IP地址和主机名。在terraform中,这些值可以动态分配,但这很容易导致循环依赖情况。让我们举一个例子:Amazon web services 如何在为EC2实例创建签名证书时防止循环依赖?,amazon-web-services,amazon-ec2,terraform,Amazon Web Services,Amazon Ec2,Terraform,我正在使用创建一个EC2实例,该实例将用作docker主机。这意味着我需要创建加密密钥,以便通过internet安全地连接到它。创建密钥时,需要指定要连接的IP地址和主机名。在terraform中,这些值可以动态分配,但这很容易导致循环依赖情况。让我们举一个例子: resource "tls_private_key" "example" { algorithm = "ECDSA" } resource "tls_self_signed_cert" "docker_host_key" {
resource "tls_private_key" "example" {
algorithm = "ECDSA"
}
resource "tls_self_signed_cert" "docker_host_key" {
key_algorithm = "${tls_private_key.example.algorithm}"
private_key_pem = "${tls_private_key.example.private_key_pem}"
validity_period_hours = 12
early_renewal_hours = 3
allowed_uses = ["server_auth"]
dns_names = [ "${aws_instance.example.public_dns}" ]
ip_addresses = [ "${aws_instance.example.public_ip}" ]
subject {
common_name = "example.com"
organization = "example"
}
}
resource "aws_instance" "example" {
count = 1
ami = "ami-d05e75b8"
instance_type = "t2.micro"
subnet_id = "subnet-24h4fos9"
associate_public_ip_address = true
provisioner "remote-exec" {
inline = [
"echo \"${tls_self_signed_cert.docker_host_key.private_key_pem}\" > private_key_pem",
"echo \"${tls_self_signed_cert.docker_host_key.cert_pem}\" > cert_pem",
"echo \"${tls_private_key.docker_host_key.private_key_pem}\" > private_key_pem2",
]
}
}
在remoteexec
供应器中,我们需要从tls\u self\u signed\u cert
资源中写入值,这反过来又需要来自aws\u实例的值
如何克服这种情况?您可以使用资源创建弹性IP,并使用aws\u eip\u关联将其附加到实例上
resource "aws_eip" "eip" {
...
}
resource "aws_eip_association" "eip" {
allocation_id = "${aws_eip.eip.id}"
instance_id = "${aws_instance.example.id}"
}
resource "tls_self_signed_cert" "docker_host_key" {
# set something here from Route53 instead: dns_names = [ "${aws_instance.example.public_dns}" ]
ip_addresses = [ "${aws_eip.eip.public_ip}" ]
...
}
您可以使用资源创建弹性IP,并使用aws\u eip\u关联将其附加到实例上
resource "aws_eip" "eip" {
...
}
resource "aws_eip_association" "eip" {
allocation_id = "${aws_eip.eip.id}"
instance_id = "${aws_instance.example.id}"
}
resource "tls_self_signed_cert" "docker_host_key" {
# set something here from Route53 instead: dns_names = [ "${aws_instance.example.public_dns}" ]
ip_addresses = [ "${aws_eip.eip.public_ip}" ]
...
}