tailscale / terraform-provider-tailscale

Terraform provider for Tailscale
https://registry.terraform.io/providers/tailscale/tailscale
MIT License

Terraform provider: Allow early recreation of tailscale_tailnet_key #340

Closed sknibbsascendfs closed 7 months ago

sknibbsascendfs commented 7 months ago

Is your feature request related to a problem? Please describe. The tailscale_tailnet_key resource exposes a race condition where a key must be invalid before it is automatically recreated on terraform apply. This leaves a window where new machines cannot be authorized until the key is recreated. This can lead to outages.

Describe the solution you'd like Add an early renewal window similar to the tls_locally_signed_cert resource.

knyar commented 7 months ago

Thank you for reporting this. I am not sure I fully understand the sequence of steps here - typically, the key would be used as part of terraform apply, at which point the resource will recreate an invalid key if instructed to do so (when the key is reusable, or if recreate_if_invalid is set).

Also, I wonder if using the time_rotating resource to get the key recreated regularly would accommodate your use case without adding additional arguments to tailscale_tailnet_key.

sknibbsascendfs commented 7 months ago

Thank you for suggesting the time_rotating resource - I learned something new today. This is exactly what I am looking for.

The intent is to replace the auth key before it expires. The sequence is as follows:

  1. terraform apply to create a reusable auth key that expires in 90 days - also create ephemeral compute resources
  2. Compute resources use the auth key to join the tailnet
  3. At 30 day intervals, run terraform apply

The expectation is that the key is rotated after 30 days. It must be done before the key expires, otherwise some ephemeral compute resource may start before the next scheduled terraform apply.

The time_rotating resource is perfect for this. Thanks again.
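The rotation pattern discussed in this thread, written out as an added example (not code from the issue, the provider's docs, or the hashicorp/time provider): a time_rotating resource ticks every 30 days and forces replacement of a 90-day reusable key on the next apply, so the key is rotated well before it expires rather than only once it is already invalid. It assumes Terraform 1.2 or newer for replace_triggered_by; the resource names and the ephemeral/preauthorized settings are assumptions chosen to match the ephemeral compute nodes described above.

```hcl
terraform {
  required_providers {
    tailscale = { source = "tailscale/tailscale" }
    time      = { source = "hashicorp/time" }
  }
}

# Rotates every 30 days. Each rotation changes this resource, which is
# what triggers replacement of the auth key below on the next apply.
resource "time_rotating" "tailnet_key" {
  rotation_days = 30
}

# Reusable auth key valid for 90 days (expiry is given in seconds).
# Because replacement is tied to time_rotating, the key is replaced on
# the first `terraform apply` after day 30, long before it expires, so
# there is no window in which new nodes cannot join the tailnet.
resource "tailscale_tailnet_key" "compute" {
  reusable      = true
  ephemeral     = true # assumed: nodes are ephemeral compute, as in the issue
  preauthorized = true # assumed: nodes should not wait for manual approval
  expiry        = 90 * 24 * 60 * 60

  lifecycle {
    # Terraform >= 1.2: any change to the rotation resource replaces the key.
    replace_triggered_by = [time_rotating.tailnet_key]
    # Create the new key before revoking the old one so a valid key
    # exists at every point during the apply.
    create_before_destroy = true
  }
}

# The current key is handed to the compute layer from here (assumed wiring).
output "tailnet_auth_key" {
  value     = tailscale_tailnet_key.compute.key
  sensitive = true
}
```

Running `terraform plan` after the 30-day mark shows the key marked for replacement; compute resources that read the key from this output pick up the new value on that same apply.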