Destroying secrets through sanctuary destroys initial version
Description
Using the example implementation of sanctuary-maintained secrets (creating an initial secret version through Terraform, and then using sanctuary to destroy previous versions) causes the initial version to be deleted.
Terraform then wants to recreate it, effectively resetting the latest secret on apply.
Further details
Without using the destruction flag or command in sanctuary, all previous secret versions are left undestroyed and enabled.
It would appear from the example Terraform that we may have been expecting this version to be disabled, since it is set to ignore changes on `enabled`.
We have no way of disabling secrets through sanctuary (to my knowledge).
If not making any tooling changes, we at least need to document the recommended way to handle this.
Task list
Acceptance criteria
I have made some guesses at some options here:
- The sanctuary example documentation is updated with a recommended route to handle this.
- (?) Sanctuary has functionality to disable old secret versions, similar to its current tools for secret destruction.
- (?) Sanctuary does not destroy the terraform created secret versions, it just disables them.
- (?) Sanctuary by default disables old secret versions.
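To illustrate what the third and fourth options would mean in practice, here is an added sketch (not sanctuary's own code, and not taken from the example Terraform) of a retirement routine that disables old versions by default and never destroys a version that Terraform still tracks, so a later apply does not see it missing and recreate it. It assumes GCP Secret Manager style version states (ENABLED/DISABLED/DESTROYED) and uses a constructed in-memory stand-in for the API rather than the real client.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Version lifecycle states, assumed to match the Secret Manager backend.
ENABLED, DISABLED, DESTROYED = "ENABLED", "DISABLED", "DESTROYED"


@dataclass
class FakeSecretManager:
    """Constructed in-memory stand-in for the secret version API."""
    versions: Dict[int, str] = field(default_factory=dict)  # version number -> state

    def list_versions(self) -> List[int]:
        return sorted(self.versions)

    def state(self, version: int) -> str:
        return self.versions[version]

    def disable(self, version: int) -> None:
        if self.versions[version] == ENABLED:
            self.versions[version] = DISABLED

    def destroy(self, version: int) -> None:
        self.versions[version] = DESTROYED


def retire_old_versions(client, keep_latest: int = 1,
                        protected: Tuple[int, ...] = (1,),
                        destroy: bool = False) -> Dict[int, str]:
    """Retire every version older than the newest `keep_latest` ones.

    Default behaviour is to disable, not destroy. Versions in `protected`
    (by default version 1, the one created by Terraform and held in its
    state) are only ever disabled even when `destroy=True`, so Terraform
    still finds the resource and does not reset the latest secret on apply.
    Returns {version: action taken} for auditing.
    """
    if keep_latest < 1:
        raise ValueError("keep_latest must be at least 1")
    actions: Dict[int, str] = {}
    for v in client.list_versions()[:-keep_latest]:
        if client.state(v) == DESTROYED:
            continue  # already gone, nothing to do
        if destroy and v not in protected:
            client.destroy(v)
            actions[v] = DESTROYED
        elif client.state(v) == ENABLED:
            client.disable(v)
            actions[v] = DISABLED
    return actions
```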
Links/references
#31 (comment 590451)
https://gitlab.developers.cam.ac.uk/uis/devops/digital-admissions/pools/deploy/-/merge_requests/125#note_590353