fix: add deletion of deprecated secret versions in vault (#301)

components/terraform/instance/main.tf

@@ -140,5 +140,6 @@ resource "oci_identity_policy" "compute_instances_list" {
     "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to inspect secrets in compartment id ${var.compartment_ocid}",
     "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to read secret-bundle in compartment id ${var.compartment_ocid}",
     "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to use secret in compartment id ${var.compartment_ocid}",
+    "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to manage secret-versions in compartment id ${var.compartment_ocid}",
   ]
 }

machine-images/scripts/user-data.sh

@@ -16,6 +16,7 @@ function main() {
     set_env_variables
     deploy_cd_tool_for_container_orchestration_tool
     deploy_business_application
+    remove_cluster_initiated_flag_deprecated_versions
   else
     wait_lb
     join_cluster
@@ -79,6 +80,19 @@ function deploy_business_application() {
 }
 
 
+function remove_cluster_initiated_flag_deprecated_versions() {
+  deprecated_versions=$(oci secrets secret-bundle-version list-versions \
+    --secret-id "${SECRET_ID}" \
+    --all | jq -r '.data[] | select(.stages[] == "DEPRECATED") | select(."time-of-deletion" == null) | ."version-number"')
+  for deprecated_version in "${deprecated_versions[@]}"; do
+    oci vault secret-version schedule-deletion \
+      --secret-id "${SECRET_ID}" \
+      --time-of-deletion $(date -uIs -d "1 day 1 minute") \
+      --secret-version-number "${deprecated_version}"
+  done
+}
+
+
 function wait_lb() {
   while true; do
     curl --output /dev/null --silent -k "https://${INTERNAL_LB}:6443"