From df23675f0d1cba70a57d77315462c82e98fda448 Mon Sep 17 00:00:00 2001
From: Zidong Lu
Date: Wed, 9 Oct 2024 14:56:31 +0800
Subject: [PATCH] add variables to set expiration date for secrets (#20)

---
 README.md    | 32 ++++++++++++++++++++++++++++++++
 keyvault.tf  | 44 ++++++++++++++++++++++++--------------------
 variables.tf | 24 ++++++++++++++++++++++++
 3 files changed, 80 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index 0bf6cbc..4b422a1 100644
--- a/README.md
+++ b/README.md
@@ -241,6 +241,14 @@ Type: `string`
 
 Default: `null`
 
+### [azure\_stack\_lcm\_user\_credential\_expiration\_date](#input\_azure\_stack\_lcm\_user\_credential\_expiration\_date)
+
+Description: (Optional) Expiration date of the azure stack lcm user credential.
+
+Type: `string`
+
+Default: `null`
+
 ### [azure\_stack\_lcm\_user\_credential\_tags](#input\_azure\_stack\_lcm\_user\_credential\_tags)
 
 Description: (Optional) Tags of the azure stack lcm user credential.
@@ -392,6 +400,14 @@ Type: `string`
 
 Default: `null`
 
+### [default\_arb\_application\_expiration\_date](#input\_default\_arb\_application\_expiration\_date)
+
+Description: (Optional) Expiration date of the default arb application.
+
+Type: `string`
+
+Default: `null`
+
 ### [default\_arb\_application\_tags](#input\_default\_arb\_application\_tags)
 
 Description: (Optional) Tags of the default arb application.
@@ -542,6 +558,14 @@ Type: `string`
 
 Default: `null`
 
+### [local\_admin\_credential\_expiration\_date](#input\_local\_admin\_credential\_expiration\_date)
+
+Description: (Optional) Expiration date of the local admin credential.
+
+Type: `string`
+
+Default: `null`
+
 ### [local\_admin\_credential\_tags](#input\_local\_admin\_credential\_tags)
 
 Description: (Optional) Tags of the local admin credential.
@@ -884,6 +908,14 @@ Type: `string`
 
 Default: `null`
 
+### [witness\_storage\_key\_expiration\_date](#input\_witness\_storage\_key\_expiration\_date)
+
+Description: (Optional) Expiration date of the witness storage key.
+
+Type: `string`
+
+Default: `null`
+
 ### [witness\_storage\_key\_tags](#input\_witness\_storage\_key\_tags)
 
 Description: (Optional) Tags of the witness storage key.
diff --git a/keyvault.tf b/keyvault.tf
index e446155..ac35832 100644
--- a/keyvault.tf
+++ b/keyvault.tf
@@ -27,11 +27,12 @@ data "azurerm_key_vault" "key_vault" {
 }
 
 resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["AzureStackLCMUserCredential"]
-  value        = base64encode("${var.deployment_user}:${var.deployment_user_password}")
-  content_type = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
-  tags         = var.azure_stack_lcm_user_credential_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["AzureStackLCMUserCredential"]
+  value           = base64encode("${var.deployment_user}:${var.deployment_user_password}")
+  content_type    = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
+  expiration_date = var.azure_stack_lcm_user_credential_expiration_date
+  tags            = var.azure_stack_lcm_user_credential_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
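Review bot: The new `expiration_date` on azure_stack_lcm_user_credential only stamps the Key Vault secret with an expiry; nothing in the change rotates the stored value or publishes a new version when that date passes, and Key Vault, as far as I recall, rejects retrieval of an expired secret, so a consumer that fetches this credential after the date fails rather than receiving a fresh one. A comment above the resource would make that explicit, e.g. `# expiration_date marks the secret expired in Key Vault; it does not rotate the credential it stores. Rotate the value and re-apply before the date passes.` The same applies to local_admin_credential (@@ -40), default_arb_application (@@ -53) and witness_storage_key (@@ -66). With the default `null` the secret carries no expiry at all, which Azure's built-in policy for Key Vault secret expiration reports, so the README should state that the module does not set one unless asked. The resource's `depends_on` list and closing brace continue past the hunk.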
@@ -40,11 +41,12 @@ resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
 }
 
 resource "azurerm_key_vault_secret" "local_admin_credential" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["LocalAdminCredential"]
-  value        = base64encode("${var.local_admin_user}:${var.local_admin_password}")
-  content_type = one(flatten([var.local_admin_credential_content_type]))
-  tags         = var.local_admin_credential_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["LocalAdminCredential"]
+  value           = base64encode("${var.local_admin_user}:${var.local_admin_password}")
+  content_type    = one(flatten([var.local_admin_credential_content_type]))
+  expiration_date = var.local_admin_credential_expiration_date
+  tags            = var.local_admin_credential_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
@@ -53,11 +55,12 @@ resource "azurerm_key_vault_secret" "local_admin_credential" {
 }
 
 resource "azurerm_key_vault_secret" "default_arb_application" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["DefaultARBApplication"]
-  value        = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
-  content_type = one(flatten([var.default_arb_application_content_type]))
-  tags         = var.default_arb_application_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["DefaultARBApplication"]
+  value           = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
+  content_type    = one(flatten([var.default_arb_application_content_type]))
+  expiration_date = var.default_arb_application_expiration_date
+  tags            = var.default_arb_application_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
@@ -66,11 +69,12 @@ resource "azurerm_key_vault_secret" "default_arb_application" {
 }
 
 resource "azurerm_key_vault_secret" "witness_storage_key" {
-  key_vault_id = local.key_vault.id
-  name         = local.keyvault_secret_names["WitnessStorageKey"]
-  value        = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
-  content_type = one(flatten([var.witness_storage_key_content_type]))
-  tags         = var.witness_storage_key_tags
+  key_vault_id    = local.key_vault.id
+  name            = local.keyvault_secret_names["WitnessStorageKey"]
+  value           = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
+  content_type    = one(flatten([var.witness_storage_key_content_type]))
+  expiration_date = var.witness_storage_key_expiration_date
+  tags            = var.witness_storage_key_tags
 
   depends_on = [
     azurerm_key_vault.deployment_keyvault,
diff --git a/variables.tf b/variables.tf
index ee1861f..5562549 100644
--- a/variables.tf
+++ b/variables.tf
@@ -156,6 +156,12 @@ variable "azure_stack_lcm_user_credential_content_type" {
   description = "(Optional) Content type of the azure stack lcm user credential."
 }
 
+variable "azure_stack_lcm_user_credential_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the azure stack lcm user credential."
+}
+
 variable "azure_stack_lcm_user_credential_tags" {
   type    = map(string)
   default = null
@@ -268,6 +274,12 @@ variable "default_arb_application_content_type" {
   description = "(Optional) Content type of the default arb application."
 }
 
+variable "default_arb_application_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the default arb application."
+}
+
 variable "default_arb_application_tags" {
   type    = map(string)
   default = null
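Review bot: `azure_stack_lcm_user_credential_expiration_date` is typed as a bare `string`, and neither the type nor the description tells the caller that the provider expects an RFC 3339 UTC timestamp (for example `2025-12-31T23:59:59Z`, a constructed sample) or that `null` means the secret never expires. A `validation` block makes a malformed value fail at the module boundary with a message naming this variable, instead of surfacing as a provider error against the secret resource, and the description can carry the format and the `null` semantics. The same applies to default_arb_application_expiration_date (@@ -268), local_admin_credential_expiration_date (@@ -392) and witness_storage_key_expiration_date (@@ -655). The check is syntactic only; a date already in the past is still accepted, so that remains a review item for the caller.
```hcl
variable "azure_stack_lcm_user_credential_expiration_date" {
  type        = string
  default     = null
  description = "(Optional) Expiration date of the azure stack lcm user credential, as an RFC 3339 UTC timestamp (e.g. 2025-12-31T23:59:59Z). null means the secret never expires."

  validation {
    condition     = var.azure_stack_lcm_user_credential_expiration_date == null || can(formatdate("YYYY-MM-DD'T'hh:mm:ssZ", var.azure_stack_lcm_user_credential_expiration_date))
    error_message = "azure_stack_lcm_user_credential_expiration_date must be an RFC 3339 UTC timestamp such as 2025-12-31T23:59:59Z."
  }
}
```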
@@ -392,6 +404,12 @@ variable "local_admin_credential_content_type" {
   description = "(Optional) Content type of the local admin credential."
 }
 
+variable "local_admin_credential_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the local admin credential."
+}
+
 variable "local_admin_credential_tags" {
   type    = map(string)
   default = null
@@ -655,6 +673,12 @@ variable "witness_storage_key_content_type" {
   description = "(Optional) Content type of the witness storage key."
 }
 
+variable "witness_storage_key_expiration_date" {
+  type        = string
+  default     = null
+  description = "(Optional) Expiration date of the witness storage key."
+}
+
 variable "witness_storage_key_tags" {
   type    = map(string)
   default = null