Vault Provider wants to restet rotated Transit Key versions

I have the following minimal vault_transit_secret_backend_key resource in my configuration:

resource "vault_transit_secret_backend_key" "identity_service" {
  backend = "pii"
  name    = "identity-service-${var.environment_suffix}"

This creates the key under the “pii” Transit Engine as expected.

I also have a CronJob which periodically rotates this Key and updates min_decrypt_version and min_encrypt_version. The goal is that we only allow encrypted data to be decrypted for about 12 days (Crypto Shredding).

The Problem is that when I apply my original configuration from above, Terraform wants to reset min_decrypt_version and min_encrypt_version:

# module.secrets.vault_transit_secret_backend_key.identity_service will be updated in-place
 ~ resource "vault_transit_secret_backend_key" "identity_service" {
        id                     = "pii/keys/identity-service-staging"
      ~ min_decryption_version = 2 -> 1
      ~ min_encryption_version = 5 -> 0
        name                   = "identity-service-staging"
        # (15 unchanged attributes hidden)

This is a problem because I expect these values to have changed and don’t want them reset every time I apply the configuration. Worse yet, I feel like Terraform shouldn’t care about these values at all, since I didn’t specify any explicit values.

How do I deal with this? I haven’t found anything on this particular use case, so maybe I’m doing it wrong or it isn’t supported?

Try using

  lifecycle {
    ignore_changes = [
1 Like

Yes, this works. Thank you :slight_smile: