I’ve been looking in vain for a solution for the following use case:
- I use Let's Encrypt certificates for many different services. Each private key + certificate is stored in an AWS Secrets Manager secret
- I have a `certificate` module that each service needing a certificate instantiates. This module is referenced in many different stacks.
- I have an `acme-core` stack that creates an AWS Lambda that can be set as the rotation lambda on these secrets to do automated renewal.
What I'm looking for is some way of wiring a dependency of module `certificate` on stack `acme-core`, so that:
- all instances of the `certificate` module can reference the (unique) Lambda ARN from the `acme-core` stack output
- any stack that instantiates the `certificate` module (one or more times) is built after the
The naïve solution I tried that did not work was to add a dependency on the `acme-core` stack output in `app/module/certificate/tfvars`, but that doesn't seem to be picked up by layering.
The two workarounds I’ve found so far are:
- make it so that each stack that directly or indirectly instantiates the `certificate` module has an explicit dependency on `acme-core`, and passes its output as a variable. Not great, because this violates abstraction (the stacks and all intermediate modules need to carry an additional parameter)
- use a data source in the `certificate` module to retrieve the lambda. This gives nice abstraction but loses the dependency information.
Is there a canonical way of implementing this pattern?
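As an added example that is not part of the original post, here are the two workarounds written out in plain Terraform HCL, combined into one `certificate` module that accepts the ARN when a caller passes it and falls back to a name-based lookup otherwise. This goes slightly beyond the post, which treats the two as alternatives. It assumes nothing about the layering tool; the module path, the `terraform_remote_state` backend settings, the variable names, the secret name and the lambda function name `acme-core-renewal` are all assumptions.

```hcl
# Added example (not the original poster's code). Plain Terraform with the
# hashicorp/aws provider; all names below are hypothetical.

# ---------------------------------------------------------------------------
# modules/certificate/variables.tf
# ---------------------------------------------------------------------------
variable "secret_name" {
  description = "Name of the Secrets Manager secret holding key + certificate"
  type        = string
}

# Workaround 1: the calling stack passes the ARN it got from acme-core.
# Leaving it null switches the module to workaround 2 (lookup by name).
variable "rotation_lambda_arn" {
  description = "ARN of the acme-core renewal lambda; null means look it up"
  type        = string
  default     = null
}

# ---------------------------------------------------------------------------
# modules/certificate/main.tf
# ---------------------------------------------------------------------------
# Workaround 2: name-based lookup, only instantiated when no ARN was passed.
# This resolves whatever function currently carries the name in this
# account/region, and fails at plan time if acme-core has not been applied yet:
# that is the "loses the dependency information" problem from the post.
data "aws_lambda_function" "renewal" {
  count         = var.rotation_lambda_arn == null ? 1 : 0
  function_name = "acme-core-renewal" # hypothetical; must match acme-core
}

locals {
  # Prefer the explicitly passed ARN (graph edge to acme-core preserved),
  # otherwise fall back to the lookup result.
  rotation_lambda_arn = (
    var.rotation_lambda_arn != null
    ? var.rotation_lambda_arn
    : data.aws_lambda_function.renewal[0].arn
  )
}

resource "aws_secretsmanager_secret" "cert" {
  name = var.secret_name
}

# The rotation lambda is what will read and rewrite the private key, so the
# ARN wired here decides who gets write access to the key material.
resource "aws_secretsmanager_secret_rotation" "cert" {
  secret_id           = aws_secretsmanager_secret.cert.id
  rotation_lambda_arn = local.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = 30
  }
}

output "secret_arn" {
  value = aws_secretsmanager_secret.cert.arn
}

# ---------------------------------------------------------------------------
# stacks/service-a/main.tf  (a calling stack using workaround 1)
# ---------------------------------------------------------------------------
# Hypothetical remote state for the acme-core stack; the backend block must
# match wherever acme-core actually stores its state.
data "terraform_remote_state" "acme_core" {
  backend = "s3"
  config = {
    bucket = "example-tfstate"
    key    = "acme-core/terraform.tfstate"
    region = "eu-west-1"
  }
}

module "service_a_certificate" {
  source              = "../../modules/certificate"
  secret_name         = "service-a/tls"
  rotation_lambda_arn = data.terraform_remote_state.acme_core.outputs.rotation_lambda_arn
}

# ---------------------------------------------------------------------------
# stacks/service-b/main.tf  (a calling stack relying on workaround 2)
# ---------------------------------------------------------------------------
module "service_b_certificate" {
  source      = "../../modules/certificate"
  secret_name = "service-b/tls"
  # rotation_lambda_arn omitted: the module looks the function up by name
}
```

Two points worth keeping in mind when choosing between the branches: the explicit-variable path carries a real dependency edge, so a plan of `service-a` cannot succeed before `acme-core` exists, while the lookup path only discovers that at plan time as an error. And the lookup path trusts a name rather than a specific ARN: whatever function holds `acme-core-renewal` in that account and region at apply time becomes the rotation lambda, and therefore gains read/write access to the private key in the secret, so the name should be treated as a privileged identifier and protected accordingly.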