Tls_private_key resource auto trigger to create RSA keys after 30 days of creation

Terraform
1

This blocks creates a new RSA key-pair.

resource "tls_private_key" "rsa" {
  count = var.generate_rsa_key ? 1 : 0

  algorithm = "RSA"
  rsa_bits  =  4096
}

I would like this resource to recreate every 90 days to have a RSA key rotated for compliance reason.
I have tried triggers {}, keepers{}, lifecycle{} with time provider, seems these blocks aren’t supported inside tls_private_key resource.

sample Error for triggers

Error: Unsupported argument

│ on generate_rsa.tf line 7, in resource "tls_private_key" "rsa":
│ 7: triggers = {
│ An argument named "triggers" is not expected here.

Is there any other way to auto-rotate RSA key based on time using Terraform? Excluding - explicit taint

2

triggers and keepers might be attributes of some certain resources, but they are not universal features of the language. The lifecycle block however is universal for all managed resources, so I’m not sure how that didn’t work for your use case.

Using the replace_triggered_by feature of the lifecycle block, along with a time_rotating resource would look like so:

resource "time_rotating" "replace_private_key" {
  rotation_minutes = 1
}

resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    replace_triggered_by = [time_rotating.replace_private_key]
  }
}
1 Like
3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.