feat(secrets): add rotate_when_changed attribute for long lasting secrets (#1484)

* feat: add rotate_when_changed attribute long lasting secrets

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

* revert edge token implementation

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

---------

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

Author: h3adex

docs/resources/logs_access_token.md

@@ -35,6 +35,26 @@ resource "stackit_logs_access_token" "accessToken2" {
   description = "Example description"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 10
+}
+
+resource "stackit_logs_access_token" "accessToken_rotate" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region       = "eu01"
+  display_name = "logs-access-token-example"
+  lifetime     = 30
+  permissions = [
+    "write"
+  ]
+  description = "Example description"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing logs access token
 # Note: The generated access token is only available upon creation.
 # Since this attribute is not fetched from the API call, to prevent the conflicts, you need to add:
@@ -62,6 +82,7 @@ import {
 - `description` (String) The description of the access token
 - `lifetime` (Number) A lifetime period for an access token in days. If unset the token will not expire.
 - `region` (String) STACKIT region name the resource is located in. If not defined, the provider region is used.
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
 
 ### Read-Only
 

docs/resources/mariadb_credential.md

@@ -18,6 +18,19 @@ resource "stackit_mariadb_credential" "example" {
   instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_mariadb_credential" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing mariadb credential
 import {
   to = stackit_mariadb_credential.import-example
@@ -33,6 +46,10 @@ import {
 - `instance_id` (String) ID of the MariaDB instance.
 - `project_id` (String) STACKIT Project ID to which the instance is associated.
 
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+
 ### Read-Only
 
 - `credential_id` (String) The credential's ID.

docs/resources/mongodbflex_user.md

@@ -21,6 +21,22 @@ resource "stackit_mongodbflex_user" "example" {
   database    = "database"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_mongodbflex_user" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+  database    = "database"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing mongodbflex user
 import {
   to = stackit_mongodbflex_user.import-example
@@ -41,6 +57,7 @@ import {
 ### Optional
 
 - `region` (String) The resource region. If not defined, the provider region is used.
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
 - `username` (String)
 
 ### Read-Only

docs/resources/observability_credential.md

@@ -18,6 +18,20 @@ resource "stackit_observability_credential" "example" {
   instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   description = "Description of the credential."
 }
+
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_observability_credential" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  description = "Description of the credential."
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -31,6 +45,7 @@ resource "stackit_observability_credential" "example" {
 ### Optional
 
 - `description` (String) A description of the credential.
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
 
 ### Read-Only
 

docs/resources/opensearch_credential.md

@@ -18,6 +18,19 @@ resource "stackit_opensearch_credential" "example" {
   instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_opensearch_credential" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing opensearch credential
 import {
   to = stackit_opensearch_credential.import-example
@@ -33,6 +46,10 @@ import {
 - `instance_id` (String) ID of the OpenSearch instance.
 - `project_id` (String) STACKIT Project ID to which the instance is associated.
 
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+
 ### Read-Only
 
 - `credential_id` (String) The credential's ID.

docs/resources/postgresflex_user.md

@@ -20,6 +20,21 @@ resource "stackit_postgresflex_user" "example" {
   roles       = ["login"]
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_postgresflex_user" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["login"]
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing postgresflex user
 import {
   to = stackit_postgresflex_user.import-example
@@ -40,6 +55,7 @@ import {
 ### Optional
 
 - `region` (String) The resource region. If not defined, the provider region is used.
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
 
 ### Read-Only
 

docs/resources/rabbitmq_credential.md

@@ -18,6 +18,19 @@ resource "stackit_rabbitmq_credential" "example" {
   instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_rabbitmq_credential" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing rabbitmq credential
 import {
   to = stackit_rabbitmq_credential.import-example
@@ -33,6 +46,10 @@ import {
 - `instance_id` (String) ID of the RabbitMQ instance.
 - `project_id` (String) STACKIT Project ID to which the instance is associated.
 
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+
 ### Read-Only
 
 - `credential_id` (String) The credential's ID.

docs/resources/redis_credential.md

@@ -18,6 +18,19 @@ resource "stackit_redis_credential" "example" {
   instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_redis_credential" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing redis credential
 import {
   to = stackit_redis_credential.import-example
@@ -33,6 +46,10 @@ import {
 - `instance_id` (String) ID of the Redis instance.
 - `project_id` (String) STACKIT Project ID to which the instance is associated.
 
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+
 ### Read-Only
 
 - `credential_id` (String) The credential's ID.

docs/resources/secretsmanager_user.md

@@ -20,6 +20,21 @@ resource "stackit_secretsmanager_user" "example" {
   write_enabled = false
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_secretsmanager_user" "example_rotate" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  description   = "Example user"
+  write_enabled = false
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing secretsmanager user
 import {
   to = stackit_secretsmanager_user.import-example
@@ -37,6 +52,10 @@ import {
 - `project_id` (String) STACKIT Project ID to which the instance is associated.
 - `write_enabled` (Boolean) If true, the user has writeaccess to the secrets engine.
 
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+
 ### Read-Only
 
 - `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`user_id`".

docs/resources/sqlserverflex_user.md

@@ -20,6 +20,21 @@ resource "stackit_sqlserverflex_user" "example" {
   roles       = ["role"]
 }
 
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+resource "stackit_sqlserverflex_user" "example_rotate" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
 # Only use the import statement, if you want to import an existing sqlserverflex user
 import {
   to = stackit_sqlserverflex_user.import-example
@@ -40,6 +55,7 @@ import {
 ### Optional
 
 - `region` (String)
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
 
 ### Read-Only