Azurerm postgresql flexible server customer_managed_key rotation

So, Terraform Registry says that updating the cmk-property of the postgres flexible resource will cause a new resource to be created / the server to be replaced. But we have to pass a key_vault_key_id to that (which includes the key’s version) - i wonder how one could ever rotate the CMK in that case?

I assume the process should be as follows:

But that cannot be done with TF because the second step makes TF replace the server?

Or am i just missing some obvious “trick” that would make this possible?

Thank you!

Hi @btbaetwork,

I’m not familiar with the azurerm_postgresql_flexible_server but as per the MS documentation related to Key Vault objects, identifiers, and versioning

Objects in Key Vault can be retrieved by specifying a version or by omitting version to get latest version of the object.

So both of the following are valid, with the first one returning a specific version, the second always returning the latest version.

I am not sure how this interacts with the CMK element of the azurerm_postgresql_flexible_server so you will need to test and validate. But, in other resources that use keyvault objects, such as app services, if a version is not specified in the reference when newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within a certain time period.

In such a scenario, no Terraform deployment is required to update or rotate the key on the resource referencing it.

Hope that helps.

Happy Terraforming