
We're using Terraform to provision various types of machines. Most of these machines will sooner or later need some way to authenticate themselves to other machines. To do this, we are using a custom PKI in HashiCorp Vault.

Our plan was to create a short-lived, single-use token injected into the userdata of a new machine that allows the issuing of the initial machine certificate, and then use the machine certificate for any future authentication.

As of now, we're using the Terraform Vault provider to create the role and token in Vault, and this works well. From the userdata, we can issue the first certificate, and then we have a perfectly good way of reliably authenticating the machine.

The trouble is that the HashiCorp Vault provider sees the token's expiry and/or the fact that it has been used and creates a new token every single time. This means that there would be many, many single-use tokens created that eventually expire, but could be used to issue a certificate for that machine, and we have no way of noticing.

We did try to use the lifecycle argument on the Vault token - to no effect.

What we would like to see is some way to say "no recreate" - so that in order to generate a new one, you would have to destroy the old one (and possibly the machine) first.

Any ideas on how to achieve this?

rmalchow
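The question's worry is that single-use bootstrap tokens pile up and nobody notices which ones are still live. As an added example (not part of the original question), the Python below takes the output of `vault token lookup -accessor <accessor> -format=json` for each accessor returned by `vault list auth/token/accessors` and flags tokens that still carry the certificate-issuing policy and can still be consumed. The lookup responses are constructed sample data; the policy name `machine-cert-issue`, the accessor strings and the display names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of `vault token lookup -accessor <acc> -format=json` output.
# Field names follow Vault's token lookup response; accessors, times, display
# names and the policy name are made up for this example.
SAMPLE_LOOKUPS = [
    {"data": {"accessor": "acc-unused-live", "display_name": "token-bootstrap-web-01",
              "num_uses": 1, "expire_time": "2030-01-01T00:00:00Z",
              "policies": ["default", "machine-cert-issue"]}},
    {"data": {"accessor": "acc-unused-expired", "display_name": "token-bootstrap-web-02",
              "num_uses": 1, "expire_time": "2020-01-01T00:00:00.123456789Z",
              "policies": ["default", "machine-cert-issue"]}},
    {"data": {"accessor": "acc-unlimited", "display_name": "token-bootstrap-web-03",
              "num_uses": 0, "expire_time": "2030-06-01T12:00:00Z",
              "policies": ["default", "machine-cert-issue"]}},
    {"data": {"accessor": "acc-other-policy", "display_name": "token-ci",
              "num_uses": 1, "expire_time": "2030-01-01T00:00:00Z",
              "policies": ["default", "ci-read"]}},
]

def parse_vault_time(ts):
    """Vault prints RFC 3339 UTC timestamps, sometimes with nanoseconds; drop the fraction."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def find_dangling_bootstrap_tokens(lookups, issuing_policy, now=None):
    """Return (accessor, display_name, reason, seconds_left) for every token that
    still grants the issuing policy and has not expired. A consumed single-use
    token is revoked by Vault, so anything listed here was never used."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for entry in lookups:
        d = entry["data"]
        if issuing_policy not in d.get("policies", []):
            continue                      # not a bootstrap token for the PKI role
        expires = parse_vault_time(d["expire_time"])
        if expires <= now:
            continue                      # already expired; Vault will clean it up
        remaining = int((expires - now).total_seconds())
        uses = d.get("num_uses", 0)
        if uses == 0:                     # num_uses=0 means unlimited in Vault
            reason = "unlimited uses (num_uses=0); not single-use"
        else:
            reason = f"{uses} use(s) left; token never consumed by userdata"
        findings.append((d["accessor"], d.get("display_name", ""), reason, remaining))
    return sorted(findings, key=lambda f: f[3])  # soonest-expiring first
```

Anything the function returns can be revoked by accessor with `vault token revoke -accessor <accessor>` without needing the token value itself.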

0 Answers