Tls_private_key resource auto trigger to create RSA keys after 30 days of creation

gokul29 · May 13, 2025, 8:18am

This blocks creates a new RSA key-pair.

resource "tls_private_key" "rsa" {
  count = var.generate_rsa_key ? 1 : 0

  algorithm = "RSA"
  rsa_bits  =  4096
}

I would like this resource to recreate every 90 days to have a RSA key rotated for compliance reason.
I have tried triggers {}, keepers{}, lifecycle{} with time provider, seems these blocks aren’t supported inside tls_private_key resource.

sample Error for triggers

Error: Unsupported argument

│ on generate_rsa.tf line 7, in resource "tls_private_key" "rsa":
│ 7: triggers = {
│ An argument named "triggers" is not expected here.

Is there any other way to auto-rotate RSA key based on time using Terraform? Excluding - explicit taint

jbardin · May 13, 2025, 4:20pm

triggers and keepers might be attributes of some certain resources, but they are not universal features of the language. The lifecycle block however is universal for all managed resources, so I’m not sure how that didn’t work for your use case.

Using the replace_triggered_by feature of the lifecycle block, along with a time_rotating resource would look like so:

resource "time_rotating" "replace_private_key" {
  rotation_minutes = 1
}

resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    replace_triggered_by = [time_rotating.replace_private_key]
  }
}

Topic		Replies	Views
Periodically recreate tls_private_key Terraform	6	3084	April 16, 2024
Using time_rotating resource for key rotation on CMKs Terraform	1	137	February 27, 2025
Rotate password with grace period for an Entra App use case Azure vault , azure	2	512	September 13, 2024
Vault Provider wants to restet rotated Transit Key versions Terraform Providers vault	2	191	August 8, 2023
Handling SSH auth in Terraform Cloud Terraform	2	506	June 8, 2023

Tls_private_key resource auto trigger to create RSA keys after 30 days of creation

Related topics