0
votes

I'm creating a service account key on Google Cloud Platform in PKCS12 format, saving it to a file and converting it to PEM format.

When applying the plan a second time, the p12 and pem files are recreated even though the service account key didn't change. How can I avoid recreating the files?

resource "google_service_account_key" "test_key_v1" {
  service_account_id = "${google_service_account.test.id}"
  private_key_type   = "TYPE_PKCS12_FILE"
}

resource "local_file" "test_key_v1_file" {
  content  = "${base64decode(google_service_account_key.test_key_v1.private_key)}"
  filename = "./keys/test-key-v1.p12"

  provisioner "local-exec" {
    command = "openssl pkcs12 -in ./keys/test-key-v1.p12 -nodes -nocerts -passin pass:notasecret | openssl rsa > ./keys/test-key-v1.pem"
  }
}

terraform apply the second time gives me this message:

-/+ local_file.test_key_v1_file (new resource required)
      id:       "13a5202a06ef07569caa544efe2c21cd2b534d11" => <computed> (forces new resource)

1 Answer

0
votes

You can use the null_resource provisioner; it executes the other sections if the trigger variable has changed.

I have updated your example (I didn't test, but the idea is here :) )

The resource test_key_v1_file reruns only if the contenthash variable has changed.

resource "google_service_account_key" "test_key_v1" {
  service_account_id = "${google_service_account.test.id}"
  private_key_type   = "TYPE_PKCS12_FILE"
}

# Re-run the conversion only when the key material changes. The trigger
# stores a hash of the base64-encoded key rather than the decoded PKCS#12
# bytes, which are binary and cannot be carried in a string attribute.
resource "null_resource" "test_key_v1_file" {
  triggers = {
    contenthash = "${sha256(google_service_account_key.test_key_v1.private_key)}"
  }

  provisioner "local-exec" {
    # private_key is base64; decode it in the shell instead of interpolating
    # binary into the command string. umask keeps the .pem owner-readable only.
    command = "umask 077 && mkdir -p ./keys && echo '${google_service_account_key.test_key_v1.private_key}' | base64 -d | openssl pkcs12 -nodes -nocerts -passin pass:notasecret | openssl rsa -out ./keys/test-key-v1.pem"
  }
}
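As an added example that is neither the question's nor the answer's code, the same setup in Terraform 0.12+ syntax, assuming the local provider 1.4+ (its content_base64 and file_permission arguments): the .p12 is written straight from the provider's base64 output without decoding binary into a string attribute, both files are owner-readable only, and the PEM conversion reruns only when a hash of the key changes.

```hcl
resource "google_service_account_key" "test_key_v1" {
  service_account_id = google_service_account.test.id
  private_key_type   = "TYPE_PKCS12_FILE"
}

# Write the PKCS#12 bytes without decoding them inside Terraform:
# content_base64 takes the provider's base64 output as-is, so the planned
# value is a stable ASCII string and the file is not replaced on every apply.
resource "local_file" "test_key_v1_p12" {
  content_base64  = google_service_account_key.test_key_v1.private_key
  filename        = "${path.module}/keys/test-key-v1.p12"
  file_permission = "0600"
}

# Convert to PEM only when the key material actually changes. The trigger
# holds a hash, so the private key is not copied into this resource's state.
resource "null_resource" "test_key_v1_pem" {
  triggers = {
    key_sha256 = sha256(google_service_account_key.test_key_v1.private_key)
  }

  provisioner "local-exec" {
    # umask 077 keeps the .pem readable by the owner only. Google's PKCS#12
    # files use the well-known password "notasecret"; on OpenSSL 3.x their
    # legacy encryption may additionally require `openssl pkcs12 -legacy`.
    command = <<-EOT
      umask 077
      openssl pkcs12 -in '${local_file.test_key_v1_p12.filename}' -nodes -nocerts -passin pass:notasecret \
        | openssl rsa -out '${path.module}/keys/test-key-v1.pem'
    EOT
  }
}
```

Both the key and the hash still live in the Terraform state, so the state file needs the same protection as the .pem itself.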