Forcing a dependancy between local_file and null_resource resources


I’ll explain my use case first so that my problem is understood (and perhaps others can suggest a better way to solve it than what I’ve come up with!).

I need to upload a base64 encoded PKCS12 file to an Azure application gateway. I have a terraform provider that generates my private key/CSR and obtains a certificate for me such that when the provider executes, I have a private key file and a certificate file saved to my system that I’m executing Terraform on. What I need to do is construct a PKCS12 file from these separate files, then base64 encode it into a new file that I can reference from another Terraform plan.

To achieve this goal, I am using the following:

resource "null_resource" "create-p12" {
provisioner "local-exec" {
    command = "openssl pkcs12 -export -in '${local_file.chain.filename}' -inkey '${local_file.privatekey.filename}' -passin pass:\"${var.passphrase}\" -password pass:\"${var.passphrase}\" -out ${path.module}/tcert.p12"

This command works as expected and outputs my PKCS12 file to disk as I would expect. Later in my plan file I have another resource that creates the base64 encoded file that looks like this:

resource "local_file" "b64p12"{
    depends_on = ["null_resource.create-p12"]
    content = filebase64("${path.module}/tcert.p12")
    filename = "${path.module}/tcertp12.b64"

What I am running into a problem with is that my local_file.b64p12 resource creation fails because it is executing before the provisioner in my null_resource.create-p12 executes. I put the depends_on clause because I expected that to force the null_resource.create-p12 resource & provisioner to execute first so that the file needed by local_file.b64p12 would exist before that resource was created.

Hopefully it is clear what I am trying to accomplish and what my problem is. All I want is to force the local_file.b64p12 to not be created until the file created by null_resource.create-p12 exists.