So, Terraform Registry says that updating the CMK property of the postgres flexible resource will cause a new resource to be created / the server to be replaced. But we have to pass a key_vault_key_id to that (which includes the key’s version) - I wonder how one could ever rotate the CMK in that case?
I assume the process should be as follows:
But that cannot be done with TF because the second step makes TF replace the server?
Or am I just missing some obvious “trick” that would make this possible?
Thank you!
Hi @btbaetwork,
I’m not familiar with the azurerm_postgresql_flexible_server, but as per the MS documentation related to Key Vault objects, identifiers, and versioning:
Objects in Key Vault can be retrieved by specifying a version or by omitting version to get latest version of the object.
So both of the following are valid, with the first one returning a specific version, the second always returning the latest version.
https://fookeyvault.vault.azure.net/keys/test/13b4b63acdb942cabb8082d23ed1b460
https://fookeyvault.vault.azure.net/keys/test
I am not sure how this interacts with the CMK element of the azurerm_postgresql_flexible_server, so you will need to test and validate. But in other resources that use Key Vault objects, such as App Services, if a version is not specified in the reference, then when newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within a certain time period.
In such a scenario, no Terraform deployment is required to update or rotate the key on the resource referencing it.
Hope that helps.
Happy Terraforming
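As an added example (not part of the reply above, and not the provider's own documentation), this is what the versionless reference looks like in HCL. It assumes the key vault, resource group and user-assigned identity already exist under placeholder names, that the vault has soft delete and purge protection enabled, and that the identity has get/wrapKey/unwrapKey permissions on the key; whether the flexible server then follows new key versions is exactly what the reply says must be validated.

```hcl
# Added example; vault, resource group and identity names are placeholders.

resource "azurerm_key_vault_key" "cmk" {
  name         = "pg-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Automatic rotation makes Key Vault create new key versions on its own,
  # so no Terraform change is needed to produce a new version.
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    expire_after         = "P90D"
    notify_before_expiry = "P29D"
  }
}

resource "azurerm_postgresql_flexible_server" "example" {
  name                = "pg-flex-cmk"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "14"
  sku_name            = "GP_Standard_D2s_v3"
  storage_mb          = 32768

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.pg.id]
  }

  customer_managed_key {
    # versionless_id is the key URL without the trailing version segment
    # (https://<vault>.vault.azure.net/keys/pg-cmk), so the value stored in
    # state does not change when a new version is created. Referencing
    # azurerm_key_vault_key.cmk.id instead would embed the version and
    # force the replacement described in the question.
    key_vault_key_id                  = azurerm_key_vault_key.cmk.versionless_id
    primary_user_assigned_identity_id = azurerm_user_assigned_identity.pg.id
  }
}
```

After a rotation, run `terraform plan` and confirm it reports no change to customer_managed_key; if the service rejects a versionless ID or keeps using the old version, the reply's caveat applies and a different approach is needed.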