Renew advanced certificates using Terraform

Hello community

We have a Cloudflare “Partial Zone” and are looking to automate the renewal of Cloudflare advanced certificates. Currently the following options exist:

  • DCV delegation for partial zones - this is described in detail here, but it has one huge limitation - it prevents us from issuing certificates outside of Cloudflare, which does not allow us to use it.
  • Use of any IaC and CI/CD. We would like to use Terraform, and following the documentation we can create the following resource:
resource "cloudflare_certificate_pack" "example" {
    # argument names are lower-case in the provider schema ("Zone_id" is rejected)
    zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
    type = "advanced"
    hosts = ["example.com", "*.example.com"]
    verification_method = "http"
    validity_days = 90
    certificate_authority = "lets_encrypt"
    cloudflare_branding = false
    # block the apply until Cloudflare reports the pack as active
    wait_for_active_status = true
}

and it is also recommended to use the create_before_destroy resource metadata to avoid downtime:

    Certificate bundles are not in-place refreshable, and if you require zero downtime rotation, you need to use Terraform meta-arguments for lifecycle blocks. create_before_destroy should be sufficient for most scenarios (exceptions include things like no rights, high ranking domain). To completely reduce the risk of rotation, use the ability to create multiple resources using a two-step change, where both resources run simultaneously and the old one is deleted after the certificate is confirmed to be available.

But we don’t really understand how this will work, or whether it will actually eliminate downtime.

We have the following questions:

  • Assuming we run terraform apply once a week - under what circumstances does Terraform detect a certificate that needs to be recreated? Until the old one expires, it is valid, and I think Terraform will not try to create a new one… at the same time, when it expires, it will be too late.
  • Will the Terraform job wait for the certificate to be activated? What I mean is that creating a certificate requires creating DNS records to validate it, and that can take a while… if Terraform removes old certificates before the new one is active, that could also cause downtime…

In short, I would be very happy to hear about others’ experiences with automating the certificate renewal process.
Thank you in advance
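One way to put the provider's advice together, as an added example that is not from the original post or from Cloudflare's documentation: a `time_rotating` clock (hashicorp/time provider) plus `replace_triggered_by` (Terraform 1.2+) forces a replacement well before the 90-day validity runs out, and `create_before_destroy` keeps the old pack until the new one is created. The zone id and hosts are placeholders.

```hcl
# Added example (not from the original post). Assumes Terraform >= 1.2,
# the cloudflare/cloudflare and hashicorp/time providers, and that the
# cloudflare_certificate_pack arguments match the snippet in the post.
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare" }
    time       = { source = "hashicorp/time" }
  }
}

variable "zone_id" {
  type        = string
  description = "Placeholder: the id of the partial zone"
}

# A clock that is planned for replacement every 60 days. A 90-day pack is
# therefore rotated with roughly 30 days of validity left, so a weekly
# terraform apply never has to wait for the old certificate to expire.
resource "time_rotating" "cert_rotation" {
  rotation_days = 60
}

resource "cloudflare_certificate_pack" "example" {
  zone_id                = var.zone_id
  type                   = "advanced"
  hosts                  = ["example.com", "*.example.com"]
  verification_method    = "http"
  validity_days          = 90
  certificate_authority  = "lets_encrypt"
  cloudflare_branding    = false
  # The apply blocks until Cloudflare reports the new pack as active.
  wait_for_active_status = true

  lifecycle {
    # Create the replacement pack first; the old pack is destroyed only
    # after the new one exists (and, with wait_for_active_status, is active).
    create_before_destroy = true
    # Replace the pack whenever the rotation clock ticks over, even though
    # none of the pack's own arguments has changed.
    replace_triggered_by = [time_rotating.cert_rotation]
  }
}
```

Validation is still the operator's job: whatever the chosen verification method requires (the DNS or HTTP records the post mentions) must be in place before the rotation fires, or the apply will wait on an inactive pack and eventually fail rather than silently removing the old one.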