Module depending on a stack

Hello there,
I’ve been looking in vain for a solution for the following use case:

  • I use LetsEncrypt certificates for many different services. Each private key+certificate is stored in an AWS SecretsManager secret
  • I have a certificate module that each service needing a certificate instantiate. This module is referenced in many different stacks.
  • I have an acme-core stack that creates an AWS lambda that can be set as rotation lambda on these secrets to do automated renewal.

What I’m looking for is some way of wiring a dependency of module certificate on stack acme-core, so that:

  • all instances of the certificate module can reference the (unique) lambda ARN from the acme-core stack output
  • any stack that instantiates the certificate module (one or more times) is built after the acme-core stack

The naïve solution I tried that did not work was to add a dependency on the acme-core stack output in app/module/certificate/tfvars – but that doesn’t seem to be picked up by layering.

The two workarounds I’ve found so far are:

  • make it so that each stack that directly or indirectly instantiates the certificate module has an explicit dependency on acme-core, and passes its output as a variable. Not great because this violates abstraction (the stacks and all intermediate modules need to carry an additional parameter)
  • use a data source in the certificate module to retrieve the lamba. This gives nice abstraction but loses the dependency information.

Is there a canonical way of implementing this pattern?