From 78c8f91ca97837fabe66b0b37d53a5ee5d78d088 Mon Sep 17 00:00:00 2001
From: mtweeman
Date: Wed, 20 Nov 2024 12:34:44 +0100
Subject: [PATCH] fix: add deletion of deprecated secret versions in vault (#301)

---
 components/terraform/instance/main.tf | 1 +
 machine-images/scripts/user-data.sh | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/components/terraform/instance/main.tf b/components/terraform/instance/main.tf
index 93360fa2..bf2ce71a 100644
--- a/components/terraform/instance/main.tf
+++ b/components/terraform/instance/main.tf
@@ -140,5 +140,6 @@ resource "oci_identity_policy" "compute_instances_list" {
 "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to inspect secrets in compartment id ${var.compartment_ocid}",
 "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to read secret-bundle in compartment id ${var.compartment_ocid}",
 "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to use secret in compartment id ${var.compartment_ocid}",
+ "allow dynamic-group ${oci_identity_dynamic_group.servers.name} to manage secret-versions in compartment id ${var.compartment_ocid}",
 ]
 }
diff --git a/machine-images/scripts/user-data.sh b/machine-images/scripts/user-data.sh
index bade1c85..6d12f158 100644
--- a/machine-images/scripts/user-data.sh
+++ b/machine-images/scripts/user-data.sh
@@ -16,6 +16,7 @@ function main() {
 set_env_variables
 deploy_cd_tool_for_container_orchestration_tool
 deploy_business_application
+ remove_cluster_initiated_flag_deprecated_versions
 else
 wait_lb
 join_cluster
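Review bot: The added statement grants the whole `servers` dynamic group `manage` on every secret-version in the compartment, while the only operation this commit introduces is `oci vault secret-version schedule-deletion` against the single secret in `SECRET_ID`, run from the bootstrap node only. It is worth checking in the Vault policy reference whether a narrower verb than `manage` covers scheduling a version deletion, and whether the statement can be scoped to that one secret with a `where` condition on its OCID instead of the whole compartment; if neither is possible, a comment on the line explaining why the broad grant is required would stop a later reviewer from tightening it blindly. Suggested comment above the new line: `# needed by remove_cluster_initiated_flag_deprecated_versions in user-data.sh (secret-version schedule-deletion)`. The enclosing `oci_identity_policy` statement list begins before this hunk.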
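Review bot: The new `remove_cluster_initiated_flag_deprecated_versions` call in the bootstrap branch has no status handling, and whether the script runs under `set -e` is not visible here, so a transient `oci` or `jq` failure in this housekeeping step either aborts bootstrap after the business application is already deployed or goes unnoticed. Since the step is cleanup rather than a precondition for the cluster, an explicit best-effort form makes that intent visible: `remove_cluster_initiated_flag_deprecated_versions || printf 'warn: could not schedule deletion of deprecated secret versions\n' >&2`. `main` begins before and ends after this hunk.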
@@ -79,6 +80,19 @@ function deploy_business_application() {
 }
+function remove_cluster_initiated_flag_deprecated_versions() {
+ deprecated_versions=$(oci secrets secret-bundle-version list-versions \
+ --secret-id "${SECRET_ID}" \
+ --all | jq -r '.data[] | select(.stages[] == "DEPRECATED") | select(."time-of-deletion" == null) | ."version-number"')
+ for deprecated_version in "${deprecated_versions[@]}"; do
+ oci vault secret-version schedule-deletion \
+ --secret-id "${SECRET_ID}" \
+ --time-of-deletion $(date -uIs -d "1 day 1 minute") \
+ --secret-version-number "${deprecated_version}"
+ done
+}
+
+
 function wait_lb() {
 while true; do
 curl --output /dev/null --silent -k "https://${INTERNAL_LB}:6443"
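Review bot: `deprecated_versions` is assigned a scalar by command substitution, so `"${deprecated_versions[@]}"` in the `for` line expands to exactly one element — the whole newline-separated list, or an empty string when jq prints nothing — and the loop therefore runs once with a multi-line `--secret-version-number` when two or more versions are deprecated, and still calls `schedule-deletion` with an empty version number when none are. Reading the versions with `mapfile -t` gives one element per line, and capturing the `list-versions` output in a variable first lets a failed listing return before anything is scheduled instead of being hidden inside the pipeline. The unquoted `$(date ...)` happens to work because the ISO output has no spaces, but computing it once into a quoted local is clearer and gives every version the same deletion time; `date -d`/`-I` are GNU extensions, which is presumably fine for this Linux image. The variables should also be `local` so they do not leak into `main`.

```shell
function remove_cluster_initiated_flag_deprecated_versions() {
  local versions_json deletion_time deprecated_version
  local -a deprecated_versions=()
  # Fail before scheduling anything if the listing itself fails.
  versions_json=$(oci secrets secret-bundle-version list-versions \
    --secret-id "${SECRET_ID}" \
    --all) || return
  # One array element per version; a scalar would make the loop run once with the whole list.
  mapfile -t deprecated_versions < <(jq -r '.data[] | select(.stages[] == "DEPRECATED") | select(."time-of-deletion" == null) | ."version-number"' <<<"${versions_json}")
  (( ${#deprecated_versions[@]} > 0 )) || return 0
  deletion_time=$(date -uIs -d "1 day 1 minute") || return
  for deprecated_version in "${deprecated_versions[@]}"; do
    oci vault secret-version schedule-deletion \
      --secret-id "${SECRET_ID}" \
      --time-of-deletion "${deletion_time}" \
      --secret-version-number "${deprecated_version}"
  done
}
```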