elastic / terraform-provider-elasticstack

Terraform provider for Elastic Stack
https://registry.terraform.io/providers/elastic/elasticstack/latest/docs
Apache License 2.0

[Bug] elasticstack_elasticsearch_security_api_key expired keys #898

Open mac2000 opened 3 weeks ago

mac2000 commented 3 weeks ago

Describe the bug

Not sure if that's a bug or feature request

To Reproduce

imagine you have created an api key like so: (nothing special, bare minimal example) and wish to sync it to key vault

resource "elasticstack_elasticsearch_security_api_key" "example" {
  name             = "example"
  expiration       = "30d"
  role_descriptors = jsonencode({}) # not actually used, but triggers terraform to recreate api key, if not passed
  metadata         = jsonencode({})
}

resource "azurerm_key_vault_secret" "example" {
  name         = "example"
  value        = elasticstack_elasticsearch_security_api_key.example.encoded
  key_vault_id = data.azurerm_key_vault.example.id
}

Expected behavior

After a month, I am expecting terraform to somehow notice that the api key has changed and sync it

but nothing happens, attempts to run terraform plan say "nothing changed" 🤔

and because of that, all other resources that rely on the api key stop working

Versions (please complete the following information):

Additional context

I was thinking maybe it is by design and should not be updated, but then it is strange that there are no notes in the docs about this

At the moment, if I understand correctly, the workaround will be to rely on terraform password rotation, aka:

resource "time_rotating" "example" {
  rotation_days = 30
}

resource "elasticstack_elasticsearch_security_api_key" "example" {
  name             = "example"
  role_descriptors = jsonencode({})
  metadata         = jsonencode({})
  lifecycle {
    replace_triggered_by = [time_rotating.example.id] # must reference the time_rotating resource declared above
  }
  # expiration = "30d" # does not work as expected, instead use lifecycle depending on time rotating resource
}
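Because terraform plan stays silent once the key has expired, an out-of-band check is the practical way to catch the condition described in this issue before dependent resources start failing. The script below is an added example, not code from the issue or from the provider: it reads a body shaped like the response of Elasticsearch's GET /_security/api_key endpoint (timestamps are epoch milliseconds; the sample is constructed here, not captured from a real cluster) and buckets keys into expired, expiring soon, invalidated and ok. The name "needs_rotation" and the seven-day warning window are choices made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed sample below is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ms(dt: datetime) -> int:
    """Epoch milliseconds, the unit Elasticsearch uses for API key timestamps."""
    return int(dt.timestamp() * 1000)


# Constructed sample shaped like GET /_security/api_key output (not real data).
# A key without an "expiration" field never expires.
SAMPLE_RESPONSE = json.dumps({
    "api_keys": [
        {"id": "k1", "name": "example", "creation": _ms(NOW - timedelta(days=32)),
         "expiration": _ms(NOW - timedelta(days=2)), "invalidated": False},
        {"id": "k2", "name": "soon", "creation": _ms(NOW - timedelta(days=27)),
         "expiration": _ms(NOW + timedelta(days=3)), "invalidated": False},
        {"id": "k3", "name": "fresh", "creation": _ms(NOW - timedelta(days=10)),
         "expiration": _ms(NOW + timedelta(days=20)), "invalidated": False},
        {"id": "k4", "name": "forever", "creation": _ms(NOW - timedelta(days=400)),
         "invalidated": False},
        {"id": "k5", "name": "revoked", "creation": _ms(NOW - timedelta(days=5)),
         "expiration": _ms(NOW + timedelta(days=25)), "invalidated": True},
    ]
})


def classify_api_keys(response_json: str, now: datetime,
                      warn_within: timedelta = timedelta(days=7)) -> dict:
    """Bucket API keys by lifecycle state relative to `now`.

    Returns a dict with lists of key names under 'expired', 'expiring',
    'invalidated' and 'ok'. Invalidated keys are reported separately
    regardless of their expiration timestamp.
    """
    buckets = {"expired": [], "expiring": [], "invalidated": [], "ok": []}
    for key in json.loads(response_json)["api_keys"]:
        name = key["name"]
        if key.get("invalidated"):
            buckets["invalidated"].append(name)
            continue
        exp_ms = key.get("expiration")
        if exp_ms is None:
            buckets["ok"].append(name)  # no expiration set
            continue
        expires_at = datetime.fromtimestamp(exp_ms / 1000, tz=timezone.utc)
        if expires_at <= now:
            buckets["expired"].append(name)
        elif expires_at - now <= warn_within:
            buckets["expiring"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


def needs_rotation(response_json: str, now: datetime, **kwargs) -> bool:
    """True when any still-valid key is expired or inside the warning window."""
    buckets = classify_api_keys(response_json, now, **kwargs)
    return bool(buckets["expired"] or buckets["expiring"])


if __name__ == "__main__":
    for state, names in classify_api_keys(SAMPLE_RESPONSE, NOW).items():
        print(f"{state:12s} {', '.join(names) or '-'}")
    print("rotation needed:", needs_rotation(SAMPLE_RESPONSE, NOW))
```

Run against a live cluster by replacing SAMPLE_RESPONSE with the body of GET /_security/api_key?name=example (it requires the manage_api_key or manage_own_api_key privilege) and NOW with datetime.now(timezone.utc); a non-empty "expired" or "expiring" bucket is the signal to trigger the time_rotating-based replacement shown above, or to taint the resource manually.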