Hello there,
I’ve been looking in vain for a solution for the following use case:
- I use LetsEncrypt certificates for many different services. Each private key+certificate is stored in an AWS SecretsManager secret
- I have a certificate module that each service needing a certificate instantiates. This module is referenced in many different stacks.
- I have an acme-core stack that creates an AWS lambda that can be set as rotation lambda on these secrets to do automated renewal.
What I’m looking for is some way of wiring a dependency of module certificate on stack acme-core, so that:
- all instances of the certificate module can reference the (unique) lambda ARN from the acme-core stack output
- any stack that instantiates the certificate module (one or more times) is built after the acme-core stack
The naïve solution I tried that did not work was to add a dependency on the acme-core stack output in app/module/certificate/tfvars – but that doesn’t seem to be picked up by layering.
The two workarounds I’ve found so far are:
- make it so that each stack that directly or indirectly instantiates the certificate module has an explicit dependency on acme-core, and passes its output as a variable. Not great because this violates abstraction (the stacks and all intermediate modules need to carry an additional parameter)
- use a data source in the certificate module to retrieve the lambda. This gives nice abstraction but loses the dependency information.
Is there a canonical way of implementing this pattern?
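The following is an added illustration of the second workaround from the post in plain Terraform; it is not code from the poster or from the layering tool they use. The acme-core stack publishes the rotation lambda, and the certificate module looks it up by a well-known function name instead of receiving the ARN as a variable. The function name "acme-renewal", the secret naming scheme, the IAM role and the file layout are all assumptions made here for the example.

```hcl
# Added example (not from the post): the "data source" workaround in plain Terraform.
# All names below (function name "acme-renewal", role name, secret path, module
# layout) are assumptions for illustration, not from the post.

# --- acme-core stack (assumed layout) ---------------------------------------
resource "aws_iam_role" "acme_renewal" {
  name = "acme-renewal"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_lambda_function" "acme_renewal" {
  function_name = "acme-renewal"            # the name the certificate module looks up
  role          = aws_iam_role.acme_renewal.arn
  handler       = "handler.rotate"
  runtime       = "python3.12"
  filename      = "build/acme_renewal.zip"  # assumed build artifact
}

# Secrets Manager must be allowed to invoke the rotation function; without this
# permission the rotation configuration on the secrets fails at apply time.
# Restricting the principal to the Secrets Manager service keeps anyone else
# from invoking the renewal lambda directly.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.acme_renewal.function_name
  principal     = "secretsmanager.amazonaws.com"
}

output "rotation_lambda_arn" {
  value = aws_lambda_function.acme_renewal.arn
}

# --- certificate module (assumed layout: app/module/certificate) ------------
variable "service_name" {
  type = string
}

# Workaround 2 from the post: resolve the lambda by name at plan time. Nothing
# has to be threaded through intermediate modules, but Terraform only records a
# dependency on this data source, not on the acme-core stack, so the first plan
# of a consuming stack fails if acme-core has not been applied yet.
data "aws_lambda_function" "acme_renewal" {
  function_name = "acme-renewal"
}

resource "aws_secretsmanager_secret" "cert" {
  name = "tls/${var.service_name}"
}

resource "aws_secretsmanager_secret_rotation" "cert" {
  secret_id           = aws_secretsmanager_secret.cert.id
  rotation_lambda_arn = data.aws_lambda_function.acme_renewal.arn

  rotation_rules {
    # Let's Encrypt certificates are valid for 90 days; rotate well inside that window.
    automatically_after_days = 60
  }
}
```

The trade-off the post describes is visible in the module half: the data source gives the certificate module a stable, name-based contract with acme-core and no extra variable to carry, but the ordering guarantee lives only in the name convention, so a fresh environment has to apply acme-core before any stack that uses the module.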