-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The ability to keep the previous version of the secret when the google_secret_manager_secret_version is being replaced #14876
The ability to keep the previous version of the secret when the google_secret_manager_secret_version is being replaced #14876
Comments
I think we'd expect the secret to get replaced here- you're updating a specific version to a specific value. Adding a new google_secret_manager_secret_version resource is how you would add a new version of the secret while preserving the old, one. Not entirely related, but possibly relevant: #14488 |
Sorry but I disagree. Think about the following scenario When I renew the new secret_data is stored, usually I want not to destroy the current secret version with the current certificate. I might want to keep it as is or disable the version but not to destroy. Bottom line, not always we want to destroy the previous version when we add a new version to the secret. This is why the google secret has versions, no ? |
The issue is that the |
@rileykarson All what's needed is to add additional param like "dont_destroy_previous_version_on_change". That's all. |
A |
Thanks |
Sorry, is there any update on this? We also are interested in a To avoid the issue of updating a secret and the app not picking it up (due to using latest) we always pin it to a specific version. The issue is that when the secret data is updated, our previous secret is destroyed and we have to immediately start a new deployment pointing to the new version. This can cause downtime if, for example, in the meantime a Cloud Function is triggered and tries to use the old version that was already destroyed. Also as previously mentioned, this makes our rollbacks very difficult to manage since deploying an app pointing to an old secret version won't work. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Sometimes ( usually!) when the current version of the secret is rotated we prefer not to destroy the replaced secret version .
It could be very useful to add a flag to google_secret_manager_secret_version resource which will specefy when I want to destroy/keep/disable the previous secret version when the google_secret_manager_secret_version is need to be replaced
The text was updated successfully, but these errors were encountered: