Hello. I have the following template for which I’m using a conditional (%{ if vault_role == "transit" ~}
):
#cloud-config
${yamlencode({
users = [
{
name = "root"
groups = "users"
ssh_authorized_keys = [
root_ssh_key,
provision_node_ssh_key,
]
shell = "/bin/bash"
},
]
write_files = [
{
content = bashrc
path = "/root/.bashrc"
},
{
content = consul_config
path = "/etc/consul.d/consul.hcl"
},
{
content = consul_acl
path = "/etc/consul.d/consul-acl.hcl"
},
{
content = ssh_template
path = "/etc/consul-template.d/ssh-template.json"
},
{
content = consul_ca
path = "/etc/consul.d/certs/ca.crt"
},
{
content = consul_server_crt
path = "/etc/consul.d/certs/host.crt"
},
{
content = consul_server_key
path = "/etc/consul.d/certs/host.key"
},
{
content = vault_config
path = "/etc/vault.d/vault.hcl"
},
{
content = vault_ca
path = "/opt/vault/tls/ca.crt"
},
{
content = vault_crt
path = "/opt/vault/tls/tls.crt"
},
{
content = vault_key
path = "/opt/vault/tls/tls.key"
},
%{ if vault_role == "transit" ~}
{
content = vault_bootstrap_transit
path = "/tmp/bootstrap_transit.py"
},
%{ endif ~}
]
})}
And this is the cloud init config in main.tf:
data "template_cloudinit_config" "vault_transit" {
# split in parts - 1st is cloud-init cfg as such; from 2nd onwards, shell scripts.
# default gzip is true + base64 encoded (for proxmox don't encode or zip the cloud-init)
gzip = false
base64_encode = false
part {
filename = "cloud-init.cfg"
content_type = "text/cloud-config"
content = templatefile("${path.module}/files/vault/vault-userdata.tpl", {
vault_role = "transit"
consul_ca = file("${path.module}/files/ssl-certs-consul/ca/ca.crt")
consul_server_crt = file("${path.module}/files/ssl-certs-consul/certs/host.crt")
consul_server_key = file("${path.module}/files/ssl-certs-consul/certs/host.key")
root_ssh_key = file("${path.module}/files/id_ed25519.pub")
provision_node_ssh_key = file("${path.module}/files/provision_node_ssh_key.pub")
# we are using the same certificate for all consul instances at this point
consul_config = templatefile("${path.module}/files/consul/consul-client-config.tftpl", {
consul_datacenter = var.consul_datacenter
ui_config = "false"
server_role = "false"
retry_join = var.retry_join
consul_domain = var.consul_domain
consul_keygen = var.consul_keygen
})
ssh_template = templatefile("${path.module}/files/consul/ssh-template.tftpl", {
tf_hostname = each.key
})
consul_acl = templatefile("${path.module}/files/consul/consul-client-acl.tftpl", {
consul_bootstrap_token = data.external.bootstrap_consul.result.token
})
bashrc = templatefile("${path.module}/files/common/bashrc", {
role = "true"
})
vault_ca = file("${path.module}/files/ssl-certs-vault/ca/ca.crt")
vault_crt = file("${path.module}/files/ssl-certs-vault/certs/host.crt")
vault_key = file("${path.module}/files/ssl-certs-vault/certs/host.key")
vault_config = templatefile("${path.module}/files/vault/vault-config.tftpl", {
vault_hostname = "${each.key}"
})
})
}
part {
filename = "initialise.sh"
content_type = "text/x-shellscript"
content = templatefile("${path.module}/files/vault-transit/initialise.sh", {
tf_hostname = "vault-transit"
root_ssh_key = file("${path.module}/files/id_ed25519.pub")
})
}
}
So when I try to run it, I get the following error:
Call to function “templatefile” failed: ./files/vault-transit/vault-userdata.tpl:59,2-3: Invalid expression; Expected the start of an expression, but found an invalid expression token…
Maybe I cannot use conditionals within the yamlencode directive?