nice-butcher-64302

01/04/2023, 4:18 PM
Hi everyone, I'm trying to understand if there's a way to rotate the private/public keys generated using the tls.PrivateKey custom resource. The reason why I'm asking this is because we potentially need to generate a new set of keys to sign JSON web tokens on a regular basis for security purposes. I was thinking something along the lines of what the random package provides. Do you think it's possible somehow? Thanks in advance

echoing-dinner-19531

01/04/2023, 5:48 PM
As in like manually trigger it to replace? Would this be covered by a taint command (https://github.com/pulumi/pulumi/issues/11657)?

nice-butcher-64302

01/05/2023, 4:29 PM
Hey @echoing-dinner-19531, if by tainting a specific resource we could force the replacement of the resource itself, yes, I suppose that would do the trick. In my case, I could taint the tls.PrivateKey resource and pulumi will force the replacement. The problem right now with that resource is there's no way to trigger recreation other than probably deleting the key, deploying the changes to pulumi, and reintroducing the code. Am I right?

echoing-dinner-19531

01/05/2023, 4:50 PM
Correct

nice-butcher-64302

01/05/2023, 6:03 PM
@echoing-dinner-19531 Maybe using a dynamic custom resource would solve the issue? I was thinking of using a node library (we are using typescript to create our applications) to generate a public/private key pair and then somehow trigger the recreation on an external configuration. The problem is I will need to access the private and public key outside of the dynamic resource to populate a BucketObject, but I'm not sure those are accessible from the pulumi program

echoing-dinner-19531

01/05/2023, 7:00 PM
I'm not sure if dynamic resources can safely create other resources, but if they can then you could do a trick where you just have a counter input + all the normal TLS inputs and just return a replace diff when the counter changes.