[aequitas]

> so we're asking teams to spend potentially hours or days fixing things

At the risk of sounding pedantic, but this is why you have everything as IaC. These kind of changes should not cost days. It should take merely minutes or an hour tops to change all your keys. It should be trivial, for cases just like this.

[tootie]

You can't use IaC to change third-party API keys. And woe unto any service that doesn't allow multiple keys because then you're looking at outages.

[aequitas]

You can, for circleci for example: https://registry.terraform.io/providers/mrolla/circleci/late...

[tootie]

I get that you can manage the values in Circle, but you can't actually generate the values. IE, if you have a API token to write to Salesforce, you have to go into the Salesforce admin and generate a new token. Pasting the value in the Circle UI or a terraform descriptor are not the hard part. For lots of services, you can only have one key at a time meaning that generating a new one invalidates the old one meaning you'd have to have an outage while you're pasting and deploying.

[bamboozled]

I fully agree, our team just had to change one set of keys, other teams didn't follow best practices and are in a bad situation.

It's not Circle's fault people didn't do things propertly, but I think they just owe us a better explanation.