Easiest way to assemble/store a list of values, and not remove from the list on destroy?

What I’m trying to achieve is:

I have a list of active signed certificates in TF that are for connecting to a VPN (also managed in TF), and that VPN resource (azurerm_virtual_network_gateway) accepts a certificate revocation list.

I basically only want “active” certificates to be allowed to connect to the VPN, so I want to ensure that any certificate that’s not “active” (i.e. not managed by my TF) is automatically revoked for my VPN. In order to do this, my idea is to maintain a list of all certificates (or just their fingerprints) that TF ever generated (so add to the list when a new active certificate is generated, but do not remove it from the list when the certificate is destroyed); that way I can derive the revocation list by taking the list of all certificates and subtracting from it the list of active certificates.

The main issue is somehow storing such a list (of all certificates) that can get added to, but is never removed from.

Here is my relevant GitHub comment: Certificate revocation list · Issue #20 · hashicorp/terraform-provider-tls · GitHub

Hi @amcsi,

Terraform alone cannot do this, because there is no “memory” of historical states. You would need some other system to keep track of all of the historical certs and then do one of the following:

  • access the list via a data source

  • use automation around Terraform that fetches the list from somewhere else and passes it in as an input variable

  • use automation around Terraform that takes the terraform show -json PLANFILE output and enforces a policy something like:

    1. No certificates can be removed from the CRL.
    2. A certificate can only be removed from the active set if the same plan also adds it to the CRL.

    Taken together, this can help you to maintain two sets of certificates directly inside the Terraform configuration (e.g. as local values) by catching any situation where a maintainer doesn’t preserve these invariants correctly, without introducing a separate data store. (The configuration is the data store)

@apparentlymart I know there’s no way to get historic values. That’s why I want to manage a list of all certificates somewhere by always adding certificates somewhere, but never removing them on destroy; that way I’ll have a list of all certificates and a list of active certificates with which I can derive the list of certificates I want revoked. But it is the ability to add and the ability to not remove on destroy that I’m having trouble with.

Terraform configuration is used to represent the desired state of the system, so there’s not going to be a way to directly do this with configuration alone.

You need a place to store arbitrary data that no longer appears in the configuration. Using only the facilities provided by Terraform, that could be done by creating a new resource which takes some input, and continually appends new input values to another computed attribute which will be stored in the state.
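As an added illustration of the third option from the quoted GitHub comment (a policy check over `terraform show -json PLANFILE` output enforcing “nothing leaves the CRL” and “a cert leaving the active set must join the CRL in the same plan”), here is a small checker written for this thread; it is not code from the thread or from the Terraform project. It assumes the configuration exposes the two sets as outputs named `active_fingerprints` and `revoked_fingerprints` (hypothetical names; local values are not evaluated in plan JSON, so they have to be surfaced as outputs), and it reads the `before`/`after` values from the plan’s `output_changes` map. The embedded sample plan is constructed for the demonstration.

```python
"""Policy check over `terraform show -json PLANFILE` output.

Assumed (hypothetical) outputs in the Terraform configuration:
  - active_fingerprints:  fingerprints of certificates Terraform currently manages
  - revoked_fingerprints: the revocation list passed to the virtual network gateway
Invariants enforced:
  1. No fingerprint may be removed from the CRL (the CRL is append-only).
  2. A fingerprint removed from the active set must be added to the CRL in the same plan.
"""
import json
import sys

ACTIVE_OUTPUT = "active_fingerprints"
REVOKED_OUTPUT = "revoked_fingerprints"


def _output_sets(plan, name):
    """Return (before, after) sets for one output, taken from output_changes.

    If the plan does not touch the output, both sides come from prior_state,
    so an unchanged output never produces a violation.
    """
    change = plan.get("output_changes", {}).get(name)
    if change is None:
        prior = (plan.get("prior_state", {}).get("values", {})
                 .get("outputs", {}).get(name, {}).get("value") or [])
        return set(prior), set(prior)
    before = set(change.get("before") or [])
    after = set(change.get("after") or [])
    return before, after


def check_plan(plan):
    """Return a list of policy violations; an empty list means the plan is acceptable."""
    violations = []
    active_before, active_after = _output_sets(plan, ACTIVE_OUTPUT)
    crl_before, crl_after = _output_sets(plan, REVOKED_OUTPUT)

    # Invariant 1: nothing may ever leave the CRL.
    for fp in sorted(crl_before - crl_after):
        violations.append(f"{fp}: removed from {REVOKED_OUTPUT}; the CRL is append-only")

    # Invariant 2: leaving the active set requires entering the CRL in the same plan.
    for fp in sorted(active_before - active_after):
        if fp not in crl_after:
            violations.append(
                f"{fp}: removed from {ACTIVE_OUTPUT} without being added to {REVOKED_OUTPUT}")

    # Consistency check: a fingerprint cannot be both active and revoked after apply.
    for fp in sorted(active_after & crl_after):
        violations.append(f"{fp}: present in both {ACTIVE_OUTPUT} and {REVOKED_OUTPUT}")
    return violations


# Constructed sample plan (not real output): AA:11 is rotated out correctly,
# BB:22 is dropped from the active set without being revoked, and 00:FF is
# silently removed from the CRL.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "output_changes": {
        ACTIVE_OUTPUT: {
            "actions": ["update"],
            "before": ["AA:11", "BB:22", "CC:33"],
            "after": ["CC:33", "DD:44"],
        },
        REVOKED_OUTPUT: {
            "actions": ["update"],
            "before": ["00:FF"],
            "after": ["AA:11"],
        },
    },
}


def main(argv):
    # Usage: terraform show -json PLANFILE > plan.json && python check_crl_policy.py plan.json
    # With no argument the constructed sample plan is checked instead.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    problems = check_plan(plan)
    for p in problems:
        print("POLICY VIOLATION:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI between `terraform plan -out=PLANFILE` and `terraform apply PLANFILE`; a non-zero exit blocks the apply, which is what turns the two sets kept as local values into a data store the maintainers cannot accidentally corrupt.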