-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vault_pki_secret_backend_cert: Report when renewal is pending #1597
Conversation
It seems that the CustomizeDiff implementation for this resource type is shared with at least one other resource type, and so that other resource type is now panicking during planning. I'll dig into that now and see whether it makes sense to extend that one with a similar |
da6005d
to
48ff7fe
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! Only few minor nits/suggestions.
(This also includes vault_pki_secret_backend_sign, which shares the same auto-renew logic.) This exports an additional boolean attribute renew_pending, which should start set to false but will transition to true during refresh if the current time is less than "min_seconds_remaining" seconds before the certificate's expiration time. This adds a little extra information to the plan output to explain why the provider is proposing to replace the object, and also adds a useful hook for postconditions that wish to detect (e.g. during a refresh-only plan) that a renewal is pending.
48ff7fe
to
0f937f9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
…orp#1597) (This also includes vault_pki_secret_backend_sign, which shares the same auto-renew logic.) This exports an additional boolean attribute renew_pending, which should start set to false but will transition to true during refresh if the current time is less than "min_seconds_remaining" seconds before the certificate's expiration time. This adds a little extra information to the plan output to explain why the provider is proposing to replace the object, and also adds a useful hook for postconditions that wish to detect (e.g. during a refresh-only plan) that a renewal is pending.
(This actually affects both
vault_pki_secret_backend_cert
andvault_pki_secret_backend_sign
in the same way, because they share the same logic for refreshing and planning.)This exports an additional boolean attribute
renew_pending
, which will start set tofalse
but will transition totrue
during refresh if the current time is less thanmin_seconds_remaining
seconds before the certificate's expiration time. The auto renew behavior is then triggered by this new attribute becomingtrue
, ensuring that these two behaviors will always agree with one another about when renewal is pending.This adds a little extra information to the plan output to explain why the provider is proposing to replace the object, and also adds a useful hook for postconditions that wish to detect (e.g. during a refresh-only plan) that a renewal is pending.
Community Note
Release note for CHANGELOG:
Output from acceptance testing: