Closed bryanheo closed 1 year ago
Using lifecycle with ignore_changes may help your case. Terraform will ignore the key change and it won't recreate the resource. Here is an example (assume you are using service_account_key):

```hcl
resource "netapp-cloudmanager_connector_gcp" "cl-occm-gcp" {
  provider = netapp-cloudmanager
  # ... (other arguments elided)
  service_account_key = "xxxx"
  # ... (other arguments elided)

  # Do not plan a change when only the service account key differs.
  lifecycle {
    ignore_changes = [
      service_account_key,
    ]
  }
}
```
@chuyich Thank you for your comment. If we ignore the change and the key is rotated, does the connector work OK with Cloud Manager (BlueXP)? I am worried that the connector does not work with Cloud Manager due to the key rotation (e.g. changing instance type, creating aggregate, adding disks and so on). Could you confirm whether it works OK or not?
@bryanheo With this approach, there is a risk that the state file gets out of sync, since it records the key in the state file. Although the change is set to be ignored, we will propose a better solution with an adjustment to the key parameter on our side. We will keep you updated if the change is available.
@bryanheo We just released a new version, 23.5. With this, you don't need to set the lifecycle. Please give it a try and let us know if that helps. Thanks.
@bryanheo Did you have a chance to try it? Can we close this? We will close this by the end of this week if we don't hear anything from you.
@chuyich Thank you for the update. Our current version is 22.2.1, and the TFE plan shows the connector and CVO are recreated with version 23.5.1, so we are investigating it.
@bryanheo Thanks for the update. Yes, please use 23.5.1. If you do the plan and see that the service_account_key is changed, it's normal, because the different key needs to be reflected in the Terraform state file, so the setup in the state file will be the same as reality. But after you do the apply, it should not destroy the existing GCP connector and create a new one. Only the service_account_key will be updated in the state file. Let us know if you see anything special.
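Added example, not code from the thread participants or the provider project: a pre-apply gate that reads the JSON form of a saved plan (`terraform show -json <planfile>`) and fails if any resource of this provider would be deleted or replaced, which is the outcome the comment above says should not happen. The sample plan is constructed, and the prefix match on `netapp-cloudmanager_` is an assumption used to cover the connector and related resources.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# only the fields this check reads are included.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "netapp-cloudmanager_connector_gcp.cl-occm-gcp",
     "type": "netapp-cloudmanager_connector_gcp",
     "change": {"actions": ["update"]}},
    {"address": "google_compute_network.example",
     "type": "google_compute_network",
     "change": {"actions": ["no-op"]}}
  ]
}
""")

PROVIDER_PREFIX = "netapp-cloudmanager_"  # assumption: match all of this provider's resource types


def destructive_changes(plan, type_prefix=PROVIDER_PREFIX):
    """Return (address, actions) for matching resources the plan would delete or replace."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # A replacement is reported as ["delete", "create"] or ["create", "delete"].
        if rc.get("type", "").startswith(type_prefix) and "delete" in actions:
            found.append((rc["address"], actions))
    return found


def in_place_updates(plan, type_prefix=PROVIDER_PREFIX):
    """Return addresses of matching resources that are only updated in place."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("type", "").startswith(type_prefix)
            and rc.get("change", {}).get("actions") == ["update"]]


if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    bad = destructive_changes(plan)
    for address, actions in bad:
        print(f"BLOCK: {address} would be {'/'.join(actions)}")
    for address in in_place_updates(plan):
        print(f"ok: {address} updated in place")
    sys.exit(1 if bad else 0)
```

Run it in the pipeline between plan and apply; a non-zero exit means the key rotation would recreate a resource and the apply should be held.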
It's been over one month with no update from the user. Please raise a new one if it's needed.
Hello
Key rotation of the GCP service account has recently been suggested by our security team, and we are trying to use key rotation as below, but it recreates the NetApp connector and CVO. Is there any way to rotate the service account key without replacing the existing Connector and CVO?
Code Change:
Terraform Plan:
Regards Moon