abcxyz / jvs

Apache License 2.0

feat: add support for passing key rings rather than keys #49

Closed raserva closed 2 years ago

raserva commented 2 years ago

Our CI environment has an issue, which is that Terraform does not gracefully handle keys that have had key versions destroyed underneath them, so if the rotator ever destroyed a key version, it would cause Terraform to be in an unrecoverable state. This exact issue was discussed elsewhere online, helpfully answered by our very own Seth. Seth mentioned a workaround could be to create the key ring through Terraform, and the individual keys would be created and destroyed within the integration test code itself. Here is an example of this type of logic in use.

We don't yet have integration tests implemented, but the key creation logic will need to be done within them in the future.

Tags need to be passed around, as when the integration tests create keys, each system will need to know which key under the key ring to use.
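The workaround described in this PR leaves Terraform owning only the key ring and has test code create per-system keys under it, so each consumer must resolve its own key from the ring plus an identifying tag. The following is an added example, not code from the jvs project or from this PR. It assumes that the "tags" are Cloud KMS labels on each CryptoKey, that the consumer already has a listing of the keys under the ring (here a constructed in-memory list; in practice it would come from a KMS ListCryptoKeys call), and uses the hypothetical label key `jvs-system`. The security-relevant checks are that the configured ring name is well formed, that every candidate key is a direct child of that ring, and that exactly one key carries the requested label; anything else fails closed rather than silently picking a key.

```go
package main

import (
	"fmt"
	"strings"
)

// cryptoKey is a constructed stand-in for the two fields of a Cloud KMS
// CryptoKey that the selection logic needs (full resource name and labels).
// It is not the cloud.google.com/go/kms type.
type cryptoKey struct {
	Name   string
	Labels map[string]string
}

// parseKeyRing checks that name has the Cloud KMS key ring form
// projects/{project}/locations/{location}/keyRings/{ring} and returns the parts.
func parseKeyRing(name string) (project, location, ring string, err error) {
	p := strings.Split(name, "/")
	if len(p) != 6 || p[0] != "projects" || p[2] != "locations" || p[4] != "keyRings" ||
		p[1] == "" || p[3] == "" || p[5] == "" {
		return "", "", "", fmt.Errorf("invalid key ring resource name %q", name)
	}
	return p[1], p[3], p[5], nil
}

// selectKey returns the resource name of the single key under keyRing whose
// label labelKey equals labelValue. It fails closed: a malformed ring name, a
// key that is not a direct child of the ring, no match, or more than one match
// are all errors, so a caller never ends up using a key the tests did not
// intend for it.
func selectKey(keyRing string, keys []cryptoKey, labelKey, labelValue string) (string, error) {
	if _, _, _, err := parseKeyRing(keyRing); err != nil {
		return "", err
	}
	prefix := keyRing + "/cryptoKeys/"
	var matches []string
	for _, k := range keys {
		rest := strings.TrimPrefix(k.Name, prefix)
		// TrimPrefix returns the input unchanged when the prefix is absent;
		// a nested path or empty remainder is also not a direct child key.
		if rest == k.Name || rest == "" || strings.Contains(rest, "/") {
			return "", fmt.Errorf("key %q is not a crypto key directly under %q", k.Name, keyRing)
		}
		if v, ok := k.Labels[labelKey]; ok && v == labelValue {
			matches = append(matches, k.Name)
		}
	}
	switch len(matches) {
	case 0:
		return "", fmt.Errorf("no key under %q has label %s=%s", keyRing, labelKey, labelValue)
	case 1:
		return matches[0], nil
	default:
		return "", fmt.Errorf("ambiguous: %d keys under %q have label %s=%s",
			len(matches), keyRing, labelKey, labelValue)
	}
}

// sampleKeys builds a constructed listing of keys under ring, in the shape an
// integration test might create them: one key per consuming system, each
// distinguished by the (hypothetical) jvs-system label.
func sampleKeys(ring string) []cryptoKey {
	return []cryptoKey{
		{Name: ring + "/cryptoKeys/jvs-signer-1", Labels: map[string]string{"jvs-system": "signer"}},
		{Name: ring + "/cryptoKeys/jvs-cert-1", Labels: map[string]string{"jvs-system": "cert-rotator"}},
		{Name: ring + "/cryptoKeys/unlabeled", Labels: nil},
	}
}

func main() {
	// Example ring name; project and ring are placeholders.
	ring := "projects/example-project/locations/us-central1/keyRings/jvs-ring"
	for _, system := range []string{"signer", "cert-rotator", "missing"} {
		name, err := selectKey(ring, sampleKeys(ring), "jvs-system", system)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(system, "->", name)
	}
}
```

Rejecting any key that is not directly under the configured ring, instead of skipping it, is deliberate: if the listing ever contains a key from another ring, that is a wiring mistake in the test or config, and surfacing it is safer than letting a label match on a foreign key win.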