add variables to set expiration date for secrets (#20)

Azure · Oct 9, 2024 · df23675 · df23675
1 parent 4aa9698
commit df23675
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -241,6 +241,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_azure_stack_lcm_user_credential_expiration_date"></a> [azure\_stack\_lcm\_user\_credential\_expiration\_date](#input\_azure\_stack\_lcm\_user\_credential\_expiration\_date)
+
+Description: (Optional) Expiration date of the azure stack lcm user credential.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_azure_stack_lcm_user_credential_tags"></a> [azure\_stack\_lcm\_user\_credential\_tags](#input\_azure\_stack\_lcm\_user\_credential\_tags)
 
 Description: (Optional) Tags of the azure stack lcm user credential.
@@ -392,6 +400,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_default_arb_application_expiration_date"></a> [default\_arb\_application\_expiration\_date](#input\_default\_arb\_application\_expiration\_date)
+
+Description: (Optional) Expiration date of the default arb application.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_default_arb_application_tags"></a> [default\_arb\_application\_tags](#input\_default\_arb\_application\_tags)
 
 Description: (Optional) Tags of the default arb application.
@@ -542,6 +558,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_local_admin_credential_expiration_date"></a> [local\_admin\_credential\_expiration\_date](#input\_local\_admin\_credential\_expiration\_date)
+
+Description: (Optional) Expiration date of the local admin credential.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_local_admin_credential_tags"></a> [local\_admin\_credential\_tags](#input\_local\_admin\_credential\_tags)
 
 Description: (Optional) Tags of the local admin credential.
@@ -884,6 +908,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_witness_storage_key_expiration_date"></a> [witness\_storage\_key\_expiration\_date](#input\_witness\_storage\_key\_expiration\_date)
+
+Description: (Optional) Expiration date of the witness storage key.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_witness_storage_key_tags"></a> [witness\_storage\_key\_tags](#input\_witness\_storage\_key\_tags)
 
 Description: (Optional) Tags of the witness storage key.

diff --git a/keyvault.tf b/keyvault.tf
@@ -27,11 +27,12 @@ data "azurerm_key_vault" "key_vault" {
 }
 
 resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["AzureStackLCMUserCredential"]
-  value        = base64encode("${var.deployment_user}:${var.deployment_user_password}")
-  content_type = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
-  tags         = var.azure_stack_lcm_user_credential_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["AzureStackLCMUserCredential"]
+  value           = base64encode("${var.deployment_user}:${var.deployment_user_password}")
+  content_type    = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
+  expiration_date = var.azure_stack_lcm_user_credential_expiration_date
+  tags            = var.azure_stack_lcm_user_credential_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
@@ -40,11 +41,12 @@ resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
 }
 
 resource "azurerm_key_vault_secret" "local_admin_credential" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["LocalAdminCredential"]
-  value        = base64encode("${var.local_admin_user}:${var.local_admin_password}")
-  content_type = one(flatten([var.local_admin_credential_content_type]))
-  tags         = var.local_admin_credential_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["LocalAdminCredential"]
+  value           = base64encode("${var.local_admin_user}:${var.local_admin_password}")
+  content_type    = one(flatten([var.local_admin_credential_content_type]))
+  expiration_date = var.local_admin_credential_expiration_date
+  tags            = var.local_admin_credential_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
@@ -53,11 +55,12 @@ resource "azurerm_key_vault_secret" "local_admin_credential" {
 }
 
 resource "azurerm_key_vault_secret" "default_arb_application" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["DefaultARBApplication"]
-  value        = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
-  content_type = one(flatten([var.default_arb_application_content_type]))
-  tags         = var.default_arb_application_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["DefaultARBApplication"]
+  value           = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
+  content_type    = one(flatten([var.default_arb_application_content_type]))
+  expiration_date = var.default_arb_application_expiration_date
+  tags            = var.default_arb_application_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
@@ -66,11 +69,12 @@ resource "azurerm_key_vault_secret" "default_arb_application" {
 }
 
 resource "azurerm_key_vault_secret" "witness_storage_key" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["WitnessStorageKey"]
-  value        = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
-  content_type = one(flatten([var.witness_storage_key_content_type]))
-  tags         = var.witness_storage_key_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["WitnessStorageKey"]
+  value           = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
+  content_type    = one(flatten([var.witness_storage_key_content_type]))
+  expiration_date = var.witness_storage_key_expiration_date
+  tags            = var.witness_storage_key_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,

diff --git a/variables.tf b/variables.tf
@@ -156,6 +156,12 @@ variable "azure_stack_lcm_user_credential_content_type" {
   description = "(Optional) Content type of the azure stack lcm user credential."
 }
 
+variable "azure_stack_lcm_user_credential_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the azure stack lcm user credential."
+}
+
 variable "azure_stack_lcm_user_credential_tags" {
   type        = map(string)
   default     = null
@@ -268,6 +274,12 @@ variable "default_arb_application_content_type" {
   description = "(Optional) Content type of the default arb application."
 }
 
+variable "default_arb_application_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the default arb application."
+}
+
 variable "default_arb_application_tags" {
   type        = map(string)
   default     = null
@@ -392,6 +404,12 @@ variable "local_admin_credential_content_type" {
   description = "(Optional) Content type of the local admin credential."
 }
 
+variable "local_admin_credential_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the local admin credential."
+}
+
 variable "local_admin_credential_tags" {
   type        = map(string)
   default     = null
@@ -655,6 +673,12 @@ variable "witness_storage_key_content_type" {
   description = "(Optional) Content type of the witness storage key."
 }
 
+variable "witness_storage_key_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the witness storage key."
+}
+
 variable "witness_storage_key_tags" {
   type        = map(string)
   default     = null