I have the following minimal vault_transit_secret_backend_key
resource in my configuration:
```hcl
resource "vault_transit_secret_backend_key" "identity_service" {
  backend = "pii"
  name    = "identity-service-${var.environment_suffix}"
}
```
This creates the key under the “pii” Transit Engine as expected.
I also have a CronJob which periodically rotates this key and updates `min_decrypt_version` and `min_encrypt_version`. The goal is that we only allow encrypted data to be decrypted for about 12 days (crypto shredding).
The problem is that when I apply my original configuration from above, Terraform wants to reset `min_decrypt_version` and `min_encrypt_version`:
```
# module.secrets.vault_transit_secret_backend_key.identity_service will be updated in-place
~ resource "vault_transit_secret_backend_key" "identity_service" {
      id                     = "pii/keys/identity-service-staging"
    ~ min_decryption_version = 2 -> 1
    ~ min_encryption_version = 5 -> 0
      name                   = "identity-service-staging"
      # (15 unchanged attributes hidden)
  }
```
This is a problem because I expect these values to have changed and don’t want them reset every time I apply the configuration. Worse yet, I feel like Terraform shouldn’t care about these values at all, since I didn’t specify any explicit values.
How do I deal with this? I haven’t found anything on this particular use case, so maybe I’m doing it wrong or it isn’t supported?
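An added example (not part of the original question): the same resource with a `lifecycle` block that tells Terraform to stop reconciling the two attributes the out-of-band rotation job owns. The attribute names are the ones the plan output above reports (`min_decryption_version`, `min_encryption_version`); the backend and name are taken from the question unchanged.

```hcl
# Added example, not the original post's code: Terraform keeps managing the
# key, but the two version attributes are left to the rotation CronJob.
resource "vault_transit_secret_backend_key" "identity_service" {
  backend = "pii"
  name    = "identity-service-${var.environment_suffix}"

  lifecycle {
    # Attribute names match the plan output in the question.
    # ignore_changes only affects updates: on the first create the
    # provider's defaults (the 1 / 0 seen in the plan) are still written,
    # and the CronJob raises both versions from there on each rotation.
    ignore_changes = [
      min_decryption_version,
      min_encryption_version,
    ]
  }
}
```

With this in place `terraform plan` no longer proposes the `2 -> 1` / `5 -> 0` reset, because Terraform carries the values it last saw in state forward instead of comparing them against the unset config. Two caveats worth knowing: `ignore_changes` also means Terraform will not report drift if someone lowers `min_decryption_version` by hand, so the 12-day crypto-shredding window now rests entirely on the CronJob and Vault's own audit log; and if you ever need to pin those versions from Terraform (for example during an incident), you have to remove the entries from `ignore_changes` first, since Terraform will otherwise keep ignoring whatever you put in the config.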