Native key cycling

[michaelfarrell76]

Would be nice if the sombra module cycled keys by default

e.g.

resource "tls_private_key" "jwt" {
  algorithm = "ECDSA"
  ecdsa_curve = "P384"
}
resource "random_password" "internal_key" {
  length = 32
  special = true
}
output jwt_ecdsa_key {
  value = base64encode(tls_private_key.jwt.private_key_pem)
}
output internal_key_hash {
  value = base64sha256(random_password.internal_key.result)
}

[dmattia]

Let's hop on a call today to make sure I understand this fully. It would be a game changer if we could nail this.

My understanding is that they would still need to run:

• terraform taint tls_private_key.jwt
• terraform taint random_password.internal_key
• terraform apply

anytime they wanted to cycle keys. But I don't think that's so bad

[michaelfarrell76]

ya i would imagine there would still have to be a manual initialization but at the very least they wouldn't have to think about and run a bunch of crypto node commands.

I also think we can setup a way for our backend to tell when the keys have not been cycled and we can prompt the administrators on the dashboard that its time to run a cycle