Closed sknibbsascendfs closed 7 months ago
Thank you for reporting this. I am not sure I fully understand the sequence of steps here - typically, the key would be used as part of terraform apply, at which point the resource will recreate an invalid key if instructed to do so (when the key is reusable, or if recreate_if_invalid is set).
Also, I wonder if using the time_rotating resource to get the key recreated regularly would accommodate your use case without adding additional arguments to tailscale_tailnet_key.
Thank you for suggesting the time_rotating resource - I learned something new today. This is exactly what I am looking for.
The intent is to replace the auth key before it expires. The sequence is as follows:
terraform apply to create a reusable auth key that expires in 90 days - also create ephemeral compute resources
terraform apply
The expectation is that the key is rotated after 30 days. It must be done before the key expires, otherwise some ephemeral compute resource may start before the next scheduled terraform apply.
The time_rotating resource is perfect for this. Thanks again.
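The rotation discussed in the comments above, as an added Terraform example that is not part of the original thread or the provider's own code: a reusable key with a 90-day expiry that is replaced on a 30-day clock, well before it can become invalid. The resource names, the description string, and the time_static intermediary (used on the assumption that replace_triggered_by reacts to a change in a tracked resource, while an elapsed time_rotating is dropped from state and created anew) are choices made for this example.

```hcl
terraform {
  required_version = ">= 1.2.0" # replace_triggered_by requires Terraform 1.2+

  required_providers {
    tailscale = { source = "tailscale/tailscale" }
    time      = { source = "hashicorp/time" }
  }
}

# Rotation clock: once 30 days have passed, the next plan proposes a new
# time_rotating resource with a new timestamp.
resource "time_rotating" "auth_key" {
  rotation_days = 30
}

# Stable copy of the rotation timestamp. Its rfc3339 value changes only when
# the clock above rotates, which gives replace_triggered_by a change to track.
resource "time_static" "auth_key" {
  rfc3339 = time_rotating.auth_key.rfc3339
}

resource "tailscale_tailnet_key" "compute" {
  reusable    = true
  expiry      = 7776000 # 90 days, in seconds
  description = "ephemeral compute (example)" # constructed value

  lifecycle {
    # Replace the key every time the 30-day clock rotates, 60 days before
    # the key would expire on its own.
    replace_triggered_by = [time_static.auth_key]

    # Mint the new key before the old one is deleted, so there is no gap
    # in which the configuration has no usable key.
    create_before_destroy = true
  }
}

# Consumed by the compute resources' bootstrap; marked sensitive so it is
# redacted from plan and apply output.
output "tailscale_auth_key" {
  value     = tailscale_tailnet_key.compute.key
  sensitive = true
}
```

Rotation only takes effect when terraform apply runs, so the apply schedule has to be frequent enough that at least one run falls between day 30 and day 90.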
Is your feature request related to a problem? Please describe.
The tailscale_tailnet_key resource exposes a race condition where a key must be invalid before it is automatically recreated on terraform apply. This leaves a window where new machines cannot be authorized until the key is recreated. This can lead to outages.
Describe the solution you'd like
Add an early renewal window similar to the tls_locally_signed_cert resource.