If a user adds ssh keys to a deployed googlecompute resource, terraform will detect the change and want to overwrite it. However, we want to allow users to be able to add ssh keys without it tainting the infrastructure.

This post outlines a way to resolve the problem, by adding a lifecycle configuration to the resource.

We want to allow at least the "ssh-keys", and probably the "windows-keys" metadata to change. There may be more.