Hi everyone, I'm trying to understand if there's a way to rotate the private/public keys generated using the

tls.PrivateKey

custom resource. The reason why I'm asking this is because we potentially need to generate a new set of keys to sign JSON web tokens on a regular basis for security purposes. I was thinking something along the lines of what the

random

package provides. Do you think it's possible somehow? Thanks in advance

As in like manually trigger it to replace? Would this be covered by a

taint

command (https://github.com/pulumi/pulumi/issues/11657)?

Hey @echoing-dinner-19531, if by tainting a specific resource we could force the replacement of the resource itself yes, I suppose that would do the trick. In my case, I could taint the

tls.PrivateKey

resource and pulumi will force the replacement. The problem right now with that resources is there's no way to trigger recreation other then probably deleting the key, deploy the changes to pulumi, and reintroduce the code. Am I right?

Correct

@echoing-dinner-19531 Maybe using a dynamic custom resource would solve the issue? I was thinking of using a node library (we are using typescript to create our applications) to generate a public/private key pair and then somehow trigger the recreation on an external configuration. The problem is I will need to access the private and public key outside of the dynamic resource to populate a BucketObject, but I'm not sure those are accessible from the pulumi program

I'm not sure if dynamic resources can safely create other resources, but if they can then you could do a trick where you just have a counter input + all the normal TLS inputs and just return a replace diff when the counter changes.