Commit 9919bef

feat(secrets): add rotate_when_changed attribute for long lasting secrets (#1484)
* feat: add rotate_when_changed attribute long lasting secrets
  Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
* revert edge token implementation
  Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
---------
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
1 parent abc0934 commit 9919bef

40 files changed

Lines changed: 977 additions & 392 deletions

docs/resources/logs_access_token.md

Lines changed: 21 additions & 0 deletions
@@ -35,6 +35,26 @@ resource "stackit_logs_access_token" "accessToken2" {
3535
description = "Example description"
3636
}
3737
38+
resource "time_rotating" "rotate" {
39+
rotation_days = 10
40+
}
41+
42+
resource "stackit_logs_access_token" "accessToken_rotate" {
43+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
44+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
45+
region = "eu01"
46+
display_name = "logs-access-token-example"
47+
lifetime = 30
48+
permissions = [
49+
"write"
50+
]
51+
description = "Example description"
52+
53+
rotate_when_changed = {
54+
rotation = time_rotating.rotate.id
55+
}
56+
}
57+
3858
# Only use the import statement, if you want to import an existing logs access token
3959
# Note: The generated access token is only available upon creation.
4060
# Since this attribute is not fetched from the API call, to prevent the conflicts, you need to add:
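Review bot: the rotating example at doc lines 38-56 pairs `rotation_days = 10` with `lifetime = 30` but never says how the two numbers relate. Add a comment above `time_rotating` stating that the rotation interval has to stay below `lifetime` (both in days); otherwise the token expires before Terraform replaces it and writers lose access until the next apply.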
@@ -62,6 +82,7 @@ import {
6282
- `description` (String) The description of the access token
6383
- `lifetime` (Number) A lifetime period for an access token in days. If unset the token will not expire.
6484
- `region` (String) STACKIT region name the resource is located in. If not defined, the provider region is used.
85+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
6586

6687
### Read-Only
6788
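Review bot: the `rotate_when_changed` description added at line 85 reads as if a rotating timestamp rotates the token by itself. Nothing is recreated until a plan/apply runs after the trigger value has changed, so a pipeline that runs less often than the rotation interval rotates late. One sentence saying so belongs in this description, since the same text is repeated in the other resource docs in this commit.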

docs/resources/mariadb_credential.md

Lines changed: 17 additions & 0 deletions
@@ -18,6 +18,19 @@ resource "stackit_mariadb_credential" "example" {
1818
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
1919
}
2020
21+
resource "time_rotating" "rotate" {
22+
rotation_days = 80
23+
}
24+
25+
resource "stackit_mariadb_credential" "example_rotate" {
26+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
27+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
28+
29+
rotate_when_changed = {
30+
rotation = time_rotating.rotate.id
31+
}
32+
}
33+
2134
# Only use the import statement, if you want to import an existing mariadb credential
2235
import {
2336
to = stackit_mariadb_credential.import-example
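Review bot: `resource "time_rotating" "rotate"` at lines 21-23 belongs to the hashicorp/time provider, and the example introduces that second provider without saying so. Add a comment line above the block naming the provider, ideally with a pointer to declaring it under `required_providers` with a version constraint, so a copied example does not pull it in implicitly and unpinned.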
@@ -33,6 +46,10 @@ import {
3346
- `instance_id` (String) ID of the MariaDB instance.
3447
- `project_id` (String) STACKIT Project ID to which the instance is associated.
3548

49+
### Optional
50+
51+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
52+
3653
### Read-Only
3754

3855
- `credential_id` (String) The credential's ID.

docs/resources/mongodbflex_user.md

Lines changed: 17 additions & 0 deletions
@@ -21,6 +21,22 @@ resource "stackit_mongodbflex_user" "example" {
2121
database = "database"
2222
}
2323
24+
resource "time_rotating" "rotate" {
25+
rotation_days = 80
26+
}
27+
28+
resource "stackit_mongodbflex_user" "example_rotate" {
29+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
30+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
31+
username = "username"
32+
roles = ["role"]
33+
database = "database"
34+
35+
rotate_when_changed = {
36+
rotation = time_rotating.rotate.id
37+
}
38+
}
39+
2440
# Only use the import statement, if you want to import an existing mongodbflex user
2541
import {
2642
to = stackit_mongodbflex_user.import-example
@@ -41,6 +57,7 @@ import {
4157
### Optional
4258

4359
- `region` (String) The resource region. If not defined, the provider region is used.
60+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
4461
- `username` (String)
4562

4663
### Read-Only

docs/resources/observability_credential.md

Lines changed: 15 additions & 0 deletions
@@ -18,6 +18,20 @@ resource "stackit_observability_credential" "example" {
1818
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
1919
description = "Description of the credential."
2020
}
21+
22+
resource "time_rotating" "rotate" {
23+
rotation_days = 80
24+
}
25+
26+
resource "stackit_observability_credential" "example_rotate" {
27+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
28+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
29+
description = "Description of the credential."
30+
31+
rotate_when_changed = {
32+
rotation = time_rotating.rotate.id
33+
}
34+
}
2135
```
2236

2337
<!-- schema generated by tfplugindocs -->
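Review bot: a change to `rotate_when_changed` (lines 31-33) replaces the credential, and Terraform's default order for a replacement is destroy first, then create, so each rotation leaves a window in which consumers still hold a deleted credential. The example should either show `lifecycle { create_before_destroy = true }` on `example_rotate`, if the service allows two credentials side by side, or state that the old credential stops working at rotation time.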
@@ -31,6 +45,7 @@ resource "stackit_observability_credential" "example" {
3145
### Optional
3246

3347
- `description` (String) A description of the credential.
48+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
3449

3550
### Read-Only
3651

docs/resources/opensearch_credential.md

Lines changed: 17 additions & 0 deletions
@@ -18,6 +18,19 @@ resource "stackit_opensearch_credential" "example" {
1818
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
1919
}
2020
21+
resource "time_rotating" "rotate" {
22+
rotation_days = 80
23+
}
24+
25+
resource "stackit_opensearch_credential" "example_rotate" {
26+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
27+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
28+
29+
rotate_when_changed = {
30+
rotation = time_rotating.rotate.id
31+
}
32+
}
33+
2134
# Only use the import statement, if you want to import an existing opensearch credential
2235
import {
2336
to = stackit_opensearch_credential.import-example
@@ -33,6 +46,10 @@ import {
3346
- `instance_id` (String) ID of the OpenSearch instance.
3447
- `project_id` (String) STACKIT Project ID to which the instance is associated.
3548

49+
### Optional
50+
51+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
52+
3653
### Read-Only
3754

3855
- `credential_id` (String) The credential's ID.

docs/resources/postgresflex_user.md

Lines changed: 16 additions & 0 deletions
@@ -20,6 +20,21 @@ resource "stackit_postgresflex_user" "example" {
2020
roles = ["login"]
2121
}
2222
23+
resource "time_rotating" "rotate" {
24+
rotation_days = 80
25+
}
26+
27+
resource "stackit_postgresflex_user" "example_rotate" {
28+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
29+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
30+
username = "username"
31+
roles = ["login"]
32+
33+
rotate_when_changed = {
34+
rotation = time_rotating.rotate.id
35+
}
36+
}
37+
2338
# Only use the import statement, if you want to import an existing postgresflex user
2439
import {
2540
to = stackit_postgresflex_user.import-example
@@ -40,6 +55,7 @@ import {
4055
### Optional
4156

4257
- `region` (String) The resource region. If not defined, the provider region is used.
58+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
4359

4460
### Read-Only
4561

docs/resources/rabbitmq_credential.md

Lines changed: 17 additions & 0 deletions
@@ -18,6 +18,19 @@ resource "stackit_rabbitmq_credential" "example" {
1818
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
1919
}
2020
21+
resource "time_rotating" "rotate" {
22+
rotation_days = 80
23+
}
24+
25+
resource "stackit_rabbitmq_credential" "example" {
26+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
27+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
28+
29+
rotate_when_changed = {
30+
rotation = time_rotating.rotate.id
31+
}
32+
}
33+
2134
# Only use the import statement, if you want to import an existing rabbitmq credential
2235
import {
2336
to = stackit_rabbitmq_credential.import-example
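Review bot: the block added at line 25 is declared as `resource "stackit_rabbitmq_credential" "example"`, the same address as the existing resource shown in the hunk header, so the example file as a whole fails validation with a duplicate resource error. The other resource docs in this commit name the new block `example_rotate`; rename it here to match.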
@@ -33,6 +46,10 @@ import {
3346
- `instance_id` (String) ID of the RabbitMQ instance.
3447
- `project_id` (String) STACKIT Project ID to which the instance is associated.
3548

49+
### Optional
50+
51+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
52+
3653
### Read-Only
3754

3855
- `credential_id` (String) The credential's ID.

docs/resources/redis_credential.md

Lines changed: 17 additions & 0 deletions
@@ -18,6 +18,19 @@ resource "stackit_redis_credential" "example" {
1818
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
1919
}
2020
21+
resource "time_rotating" "rotate" {
22+
rotation_days = 80
23+
}
24+
25+
resource "stackit_redis_credential" "example_rotate" {
26+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
27+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
28+
29+
rotate_when_changed = {
30+
rotation = time_rotating.rotate.id
31+
}
32+
}
33+
2134
# Only use the import statement, if you want to import an existing redis credential
2235
import {
2336
to = stackit_redis_credential.import-example
@@ -33,6 +46,10 @@ import {
3346
- `instance_id` (String) ID of the Redis instance.
3447
- `project_id` (String) STACKIT Project ID to which the instance is associated.
3548

49+
### Optional
50+
51+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
52+
3653
### Read-Only
3754

3855
- `credential_id` (String) The credential's ID.

docs/resources/secretsmanager_user.md

Lines changed: 19 additions & 0 deletions
@@ -20,6 +20,21 @@ resource "stackit_secretsmanager_user" "example" {
2020
write_enabled = false
2121
}
2222
23+
resource "time_rotating" "rotate" {
24+
rotation_days = 80
25+
}
26+
27+
resource "stackit_secretsmanager_user" "example_rotate" {
28+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
29+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
30+
description = "Example user"
31+
write_enabled = false
32+
33+
rotate_when_changed = {
34+
rotation = time_rotating.rotate.id
35+
}
36+
}
37+
2338
# Only use the import statement, if you want to import an existing secretsmanager user
2439
import {
2540
to = stackit_secretsmanager_user.import-example
@@ -37,6 +52,10 @@ import {
3752
- `project_id` (String) STACKIT Project ID to which the instance is associated.
3853
- `write_enabled` (Boolean) If true, the user has writeaccess to the secrets engine.
3954

55+
### Optional
56+
57+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
58+
4059
### Read-Only
4160

4261
- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`user_id`".

docs/resources/sqlserverflex_user.md

Lines changed: 16 additions & 0 deletions
@@ -20,6 +20,21 @@ resource "stackit_sqlserverflex_user" "example" {
2020
roles = ["role"]
2121
}
2222
23+
resource "time_rotating" "rotate" {
24+
rotation_days = 80
25+
}
26+
27+
resource "stackit_sqlserverflex_user" "example_rotate" {
28+
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
29+
instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
30+
username = "username"
31+
roles = ["role"]
32+
33+
rotate_when_changed = {
34+
rotation = time_rotating.rotate.id
35+
}
36+
}
37+
2338
# Only use the import statement, if you want to import an existing sqlserverflex user
2439
import {
2540
to = stackit_sqlserverflex_user.import-example
@@ -40,6 +55,7 @@ import {
4055
### Optional
4156

4257
- `region` (String)
58+
- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the resource when they change, enabling resource rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
4359

4460
### Read-Only
4561
