How to use azurerm_key_vault_key automatic rotation?
- When I deploy KV key using such code, the key does not have an expiration date, so I can assume it will never be rotated. Am I right?
- When I rotated the key via the “Rotate now” button in the rotation policy, TF wants to recreate the KV key because the latest version of the key after rotation contains expiration_date, but in the code it’s not defined. Should I ignore expiration_date?
- If ignore_changes is enough, then should I set expiration_date during the creation of the KV key so I don’t need to use the “Rotate now” button?
```hcl
resource "azurerm_key_vault_key" "this" {
  name         = "encryption-key"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    expire_after         = "P90D"
    notify_before_expiry = "P29D"
  }
}
```

Plan output after using “Rotate now”:

```
...
- expiration_date = "2025-12-18T16:21:29Z" -> null # forces replacement
...
```
The automatic rotation is not obvious to me, especially because Azure forces a minimum number of days in the rotation, so testing it is not easy. I’m unsure if it would be worth suggesting a change to this resource code in the provider or updating the documentation to make it clearer.
I would be grateful for any recommendations on how to create keys with automatic rotation via Terraform.
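As an added example that is not part of the original post: the same resource with a `lifecycle` block so that the `expiration_date` Key Vault stamps on a rotated version is no longer reported as a diff that forces replacement, leaving the rotation policy itself under Terraform control. The attribute names are the ones from the post; the `lifecycle` meta-argument is standard Terraform, and the trade-off is that Terraform then no longer enforces any expiry value of its own.

```hcl
resource "azurerm_key_vault_key" "this" {
  name         = "encryption-key"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  # Rotation policy stays managed by Terraform: Key Vault creates a new
  # version 30 days before the current one expires, and every version is
  # given a lifetime of 90 days. Alerts fire 29 days before expiry.
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    expire_after         = "P90D"
    notify_before_expiry = "P29D"
  }

  lifecycle {
    # Key Vault sets expiration_date on each version it rotates into.
    # Ignoring that attribute prevents Terraform from treating the
    # service-managed value as drift and replacing the key (which would
    # create a brand-new key rather than a new version of this one).
    # Expiry is then governed solely by rotation_policy.expire_after,
    # so review that value rather than relying on expiration_date here.
    ignore_changes = [expiration_date]
  }
}
```

With this in place a `terraform plan` run after a manual “Rotate now” should no longer show the `expiration_date ... -> null # forces replacement` line from the post; a change to the `rotation_policy` values still produces an in-place update.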