New signing key is created with every deployment #458

Open
in-1911 opened this issue Jul 30, 2024 · 1 comment

in-1911 commented Jul 30, 2024

When using the module with create_signing_key = true, a new signing key is generated with every deployment.
This may make incremental updates to the deployed resources problematic as the previously signed components may not pass validation once the key is regenerated.

Affected modules

prereq/main.tf

Terraform CLI and Terraform provider versions

  • Terraform version:
  • Provider version:

Terraform output

Applying the module without any change in input variables:

2024/07/30 02:23:53 Terraform apply | Terraform used the selected providers to generate the following execution
 2024/07/30 02:23:53 Terraform apply | plan. Resource actions are indicated with the following symbols:
 2024/07/30 02:23:53 Terraform apply |   ~ update in-place
 2024/07/30 02:23:53 Terraform apply | 
 2024/07/30 02:23:53 Terraform apply | Terraform will perform the following actions:
 2024/07/30 02:23:53 Terraform apply | 
 2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0] will be updated in-place
 2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
 2024/07/30 02:23:53 Terraform apply |         id                      = "us-south/ed0****203/793****275e"
 2024/07/30 02:23:53 Terraform apply |         name                    = "signing-certificate"
 2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
 2024/07/30 02:23:53 Terraform apply |         # (19 unchanged attributes hidden)
 2024/07/30 02:23:53 Terraform apply |     }
 2024/07/30 02:23:53 Terraform apply | 
 2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0] will be updated in-place
 2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_key" {
 2024/07/30 02:23:53 Terraform apply |         id                      = "us-south/ed0****203/983****e4b"
 2024/07/30 02:23:53 Terraform apply |         name                    = "signing-key"
 2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
 2024/07/30 02:23:53 Terraform apply |         # (19 unchanged attributes hidden)
 2024/07/30 02:23:53 Terraform apply |     }
 2024/07/30 02:23:53 Terraform apply | 
 2024/07/30 02:23:53 Terraform apply | Plan: 0 to add, 2 to change, 0 to destroy.
 2024/07/30 02:23:57 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0]: Modifying... [id=us-south/ed07****203/983****e4b]
 2024/07/30 02:23:57 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0]: Modifying... [id=us-south/ed0****203/793****75e]
 2024/07/30 02:23:58 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0]: Modifications complete after 2s [id=us-south/ed0****203/793****75e]
 2024/07/30 02:23:59 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0]: Modifications complete after 2s [id=us-south/ed0****203/983****e4b]

Debug output

Expected behavior

A new key should only be generated if the key parameters (name/email) are changing.

Actual behavior

Steps to reproduce (including links and screen captures)

  1. Run terraform apply

Anything else



huayuenh (Contributor) commented Aug 1, 2024

Related to this #457

The secrets provisioning is the draft version. Scoping the apikeys and not regenerating the signing keys is planned.
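
A CI guard for the behaviour reported in this issue, as an added example that is not part of the thread or the module's code: it parses apply log text in the format quoted in the issue and lists signing secrets whose payload is being rewritten even though the key inputs did not change. The function names and the `inputs_changed` flag are hypothetical; the sample log is a trimmed copy of the output in the issue.

```python
import re

# Constructed sample: a trimmed copy of the apply log quoted in the issue.
SAMPLE_LOG = """\
2024/07/30 02:23:53 Terraform apply |   ~ update in-place
2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0] will be updated in-place
2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
2024/07/30 02:23:53 Terraform apply |         name                    = "signing-certificate"
2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
2024/07/30 02:23:53 Terraform apply |         # (19 unchanged attributes hidden)
2024/07/30 02:23:53 Terraform apply |     }
2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0] will be updated in-place
2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_key" {
2024/07/30 02:23:53 Terraform apply |         name                    = "signing-key"
2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
2024/07/30 02:23:53 Terraform apply |     }
2024/07/30 02:23:53 Terraform apply | Plan: 0 to add, 2 to change, 0 to destroy.
"""

# Timestamp/"Terraform apply |" wrapper added by the deployment tooling in the issue's log.
PREFIX = re.compile(r"^\s*\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} Terraform apply \| ?")
# "# <address> will be updated in-place" style plan headers.
HEADER = re.compile(r"^\s*# (?P<addr>\S+) (?:will be|must be) (?P<action>.+)$")
# Attribute lines marked as changed, e.g. "~ payload = (sensitive value)".
CHANGED_ATTR = re.compile(r"^\s*[~+-]\s+(?P<attr>[A-Za-z_]\w*)\s+=")

def planned_changes(log_text):
    """Return {resource address: {"action": str, "attrs": [changed attribute names]}}."""
    changes, current = {}, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw)
        header = HEADER.match(line)
        if header:
            current = header.group("addr")
            changes[current] = {"action": header.group("action"), "attrs": []}
            continue
        if line.startswith("Plan:"):
            current = None  # end of the plan body; later lines are apply progress
        attr = CHANGED_ATTR.match(line)
        if attr and current:
            changes[current]["attrs"].append(attr.group("attr"))
    return changes

def unexpected_key_rotation(log_text, inputs_changed, pattern=r"signing"):
    """Signing secrets whose payload changes although the key inputs (name/email) did not."""
    if inputs_changed:  # hypothetical flag supplied by the pipeline
        return []
    return sorted(addr for addr, change in planned_changes(log_text).items()
                  if re.search(pattern, addr) and "payload" in change["attrs"])
```

Failing the pipeline when `unexpected_key_rotation(log, inputs_changed=False)` is non-empty surfaces the regeneration before previously signed components stop validating.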
