Vault terraform provider and pki v4.2

We use the terraform vault provider to manage a vault system, and started working PKI. I went through the example:

And while I had no issues withthe the example, There are a few oddities that I’m not certain is a bug, my missunderstanding, or my automation. For the example, you are constantly adding code to TF file, until the whole thing is created. My question is how to handle rotating a certificate. From what I see from the docs, you can use the “vault_pki_secret_backend_config_issuers” setting the “option default_follows_latet_issuer = true”.

While the example in the provider docs works when setting the root, the id of the issuer is not present when using set_certificate in the intermediate certificates. Additionaly, once I added the the resource “vault_pki_secret_backend_config_issuers” and set the follow_latest_issuers = true, I had to remove it to get the default to move to my next set_signed resource. Once I placed it back, it would morve default to what was coded in the resource.

Is there a guide or something on managing the rotation and creation of certificates ? Or is this one of those things - since the state will change - that does not make sense to manage in TF ?

I need to correct something - Adding a new issuing did “move default forward”, but running the same terraform, move it back.

Here is the block:

resource "vault_pki_secret_backend_config_issuers" "config" {
  backend                       = vault_mount.test_org_v1_ica2_v1.path
  default                       = "c022c8fb-e2f6-25db-d6dd-265ba840e85d"
  default_follows_latest_issuer = true

When I add a new issuing:

resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v4_by_ica1_v1" {
 depends_on = [
 backend              = local.ica1_path
 csr                  = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
 common_name          = "Intermediate CA2 v1.4"

resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica2_v4_signed_cert" {
 depends_on  = [vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v4_by_ica1_v1]
 backend     = vault_mount.test_org_v1_ica2_v1.path
 certificate = format("%s\n%s", vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v4_by_ica1_v1.certificate, file("../${path.module}/cacerts/test_org_v1_ica1_v1.crt"))

It is fine - default goes from my v.1.3 to my v1.4. But If I run the same code again - without changes, will relink to the hardcoded ( v1.3) issuing form the config issuers block.