Introduction
Terraform relies on plugins called "providers" to interact with cloud providers, SaaS providers, and other APIs. The Vault provider allows Terraform to read from, write to, and configure HashiCorp Vault. Terraform uses resources to configure specific secrets engines and other components in Vault.
This guide provides more information about the arguments min_seconds_remaining and auto_renew of the Terraform resources pki_secret_backend_cert and pki_secret_backend_sign.
Overview
The Terraform resources pki_secret_backend_cert and pki_secret_backend_sign are used, respectively, to "Generate a certificate from the PKI Secret Backend" and to "Sign a new certificate based upon the provided CSR and the supplied parameters by the PKI Secret Backend", programmatically from Terraform.
Both resources accept the min_seconds_remaining and auto_renew arguments. While most arguments of these resources map directly to Vault parameters, these two are specific to Terraform and the Vault provider; Vault itself is not aware of them. They exist so that a certificate that is about to expire (or has already expired) is generated or signed again when terraform apply is run.
On each terraform apply, the provider checks whether auto_renew is set to true and whether the certificate will expire within min_seconds_remaining. If both hold, it requests a new certificate from Vault. The Terraform configuration must contain the logic to fetch the new certificate and key and save or push them to the application.
Because Vault is not aware of these arguments, it does not renew these certificates automatically.
Here is more information about these arguments:
- min_seconds_remaining - (Optional) Generate a new certificate when the expiration is within this number of seconds. Default is 604800 (7 days).
The default value for this parameter is 7 days, meaning that if terraform apply is run at a time when the certificate expires within the next 7 days, a new certificate is generated. The value is set in seconds and can be changed so that certificates with shorter validity can also be maintained using the Vault provider.
- auto_renew - (Optional) If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false.
This parameter should be set to true if a new certificate should be created as described above.
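As an added example (not configuration from the original article or from the provider's documentation), a short-lived certificate that Terraform re-issues inside the renewal window, together with the file resources that deliver the new material to the application; the PKI mount path, role name, hostname and file paths are assumptions.

```hcl
# Added example, not taken from the original article or the provider docs.
# Assumed: PKI mount "pki_int", Vault role "web-server", the hostname and
# the output paths. Requires the hashicorp/vault and hashicorp/local providers.

resource "vault_pki_secret_backend_cert" "web" {
  backend     = "pki_int"                 # assumed PKI mount path
  name        = "web-server"              # assumed PKI role name
  common_name = "web.example.internal"    # assumed hostname
  ttl         = "24h"                     # short-lived leaf certificate

  # Evaluated by the provider on every terraform apply; Vault does not
  # renew on its own. The threshold must be shorter than the TTL: with
  # the 604800 s (7 day) default and a 24 h certificate, every apply
  # would issue a new certificate.
  auto_renew            = true
  min_seconds_remaining = 3600            # replace in the last hour of validity

  # Revoke the previous certificate when the resource is destroyed,
  # which includes the replacement performed by a renewal.
  revoke = true
}

# Renewed material only reaches the application if something consumes
# the resource attributes. Writing them to files ties the re-issue to
# the apply; a reload of the application is still needed afterwards.
resource "local_sensitive_file" "web_cert" {
  filename        = "/etc/web/tls/server.crt"  # assumed path
  file_permission = "0644"
  content         = vault_pki_secret_backend_cert.web.certificate
}

resource "local_sensitive_file" "web_key" {
  filename        = "/etc/web/tls/server.key"  # assumed path
  file_permission = "0600"
  content         = vault_pki_secret_backend_cert.web.private_key
}

# renew_pending is true once the certificate is inside the
# min_seconds_remaining window, so a plan shows why a replacement is due.
output "web_cert_renew_pending" {
  value = vault_pki_secret_backend_cert.web.renew_pending
}
```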