Terraform time_rotating Resource Design Prompt
Design safe rotation cadence with the time provider (time_rotating, time_offset) so credentials, certs, and tokens regenerate on schedule without thrashing every plan.
- Target user: Platform engineers building rotation into Terraform-managed resources
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior Terraform engineer who has wired credential and certificate rotation using the hashicorp/time provider and seen rotation logic accidentally trigger replacements on every apply.

I will provide:
- The resource I want to rotate (IAM access key, TLS cert, DB password, signed token) and its current HCL
- The required rotation cadence (e.g. 90 days) and any compliance constraint
- Any existing `time_rotating` / `time_offset` / `time_static` usage and the plan output showing churn

Your job:
1. **Choose the right time resource** — explain when `time_rotating` (recurring) vs `time_offset` (one-shot relative) vs `time_static` (pinned) is correct for this cadence, and why a plain `timestamp()` is wrong (it changes every plan).
2. **Wire the trigger** — show how to feed `time_rotating.this.id` (or `.rotation_rfc3339`) into the rotated resource via `keepers` / `lifecycle.replace_triggered_by` so regeneration is driven by the clock, not by every run.
3. **Set the cadence** — write the `rotation_days`/`rotation_rfc3339` arguments and confirm the first rotation boundary lands where compliance expects.
4. **Avoid the overlap gap** — for credentials that need zero-downtime cutover, sketch the two-key/two-version pattern (create new, distribute, then deactivate old) rather than in-place replace.
5. **Stabilise the plan** — confirm that a `terraform plan` between rotation windows shows no changes, and identify any input that would make the id non-deterministic.
6. **Verify** — give the exact `terraform plan` checks to confirm rotation fires only at the boundary, plus how to force an early rotation safely.

Output: (a) recommended time resources with HCL, (b) wiring into the rotated resource, (c) zero-downtime cutover note, (d) plan-stability verification.

Do not apply — produce HCL and analysis only.
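An added example, not part of the prompt above and not code from this site, showing the clock-driven wiring that steps 1 and 2 of the prompt describe. The resource names, the 90-day cadence and the IAM user name `ci-deployer` are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    time   = { source = "hashicorp/time" }
    random = { source = "hashicorp/random" }
    aws    = { source = "hashicorp/aws" }
  }
}

# Clock: the timestamp is stored in state, so it stays fixed between
# rotation boundaries and a plan inside the window shows no changes.
# (timestamp() would instead be re-evaluated on every plan.)
resource "time_rotating" "this" {
  rotation_days = 90
}

# Wiring 1: keepers. Any change to a keeper value replaces the password;
# the id of time_rotating only changes once the resource has rotated.
resource "random_password" "db" {
  length  = 32
  special = true

  keepers = {
    rotation = time_rotating.this.id
  }
}

# Wiring 2: replace_triggered_by. An expired time_rotating is dropped from
# state and created again, which does not count as a replacement, so the
# timestamp is mirrored into time_static and that resource is referenced.
resource "time_static" "rotation" {
  rfc3339 = time_rotating.this.rfc3339
}

resource "aws_iam_access_key" "ci" {
  user = "ci-deployer" # assumed IAM user name, not from the page

  # In-place replacement: the old key is gone when the new one appears.
  # Zero-downtime cutover needs the two-key pattern from step 4 instead.
  lifecycle {
    replace_triggered_by = [time_static.rotation]
  }
}
```

Running `terraform plan -replace=time_rotating.this` previews an early rotation without applying it.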
Related prompts
- Terraform ignore_changes Lifecycle Audit Prompt: Audit and right-size lifecycle ignore_changes rules that are silently hiding real drift in Terraform plans.
- Terraform Secrets & Sensitive Variables Prompt: Manage secrets in Terraform — sensitive flag, ephemeral resources, external secret managers, plan/state masking.
- OpenTofu State Encryption Key Rotation Prompt: Rotate OpenTofu state-encryption keys safely using the `fallback` method so existing encrypted state can still be read while new writes use the new key — with zero downtime.