feat(iam): Add TTL on IAM keys

scaleway-terraform-modules · Aug 13, 2024 · cf39bfe · cf39bfe
1 parent 3db14c4
commit cf39bfe
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ module "sdb" {
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 0.13 |
 | <a name="requirement_scaleway"></a> [scaleway](#requirement_scaleway) | >= 2.43.0 |
+| <a name="requirement_time"></a> [time](#requirement_time) | 0.12.0 |
 
 ## Resources
 
@@ -39,13 +40,15 @@ module "sdb" {
 | [scaleway_iam_policy.ro](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
 | [scaleway_iam_policy.rw](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
 | [scaleway_sdb_sql_database.main](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/sdb_sql_database) | resource |
+| [time_rotating.keys_ttl](https://registry.terraform.io/providers/hashicorp/time/0.12.0/docs/resources/rotating) | resource |
 | [scaleway_account_project.current](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/data-sources/account_project) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input_name) | Name of the database. | `string` | n/a | yes |
+| <a name="input_keys_ttl"></a> [keys_ttl](#input_keys_ttl) | TTL of IAM keys in days. | `number` | `0` | no |
 | <a name="input_max_cpu"></a> [max_cpu](#input_max_cpu) | Maximum number of CPU units for your database. | `number` | `15` | no |
 | <a name="input_min_cpu"></a> [min_cpu](#input_min_cpu) | Minimum number of CPU units for your database. | `number` | `0` | no |
 | <a name="input_region"></a> [region](#input_region) | Region in which the resource exists. | `string` | `null` | no |

diff --git a/access_admin.tf b/access_admin.tf
@@ -19,4 +19,5 @@ resource "scaleway_iam_policy" "admin" {
 resource "scaleway_iam_api_key" "admin" {
   application_id     = scaleway_iam_application.admin.id
   default_project_id = data.scaleway_account_project.current.id
+  expires_at         = var.keys_ttl > 0 ? time_rotating.keys_ttl[0].rotation_rfc3339 : null
 }
diff --git a/access_ro.tf b/access_ro.tf
@@ -17,4 +17,5 @@ resource "scaleway_iam_policy" "ro" {
 resource "scaleway_iam_api_key" "ro" {
   application_id     = scaleway_iam_application.ro.id
   default_project_id = data.scaleway_account_project.current.id
+  expires_at         = var.keys_ttl > 0 ? time_rotating.keys_ttl[0].rotation_rfc3339 : null
 }
diff --git a/access_rw.tf b/access_rw.tf
@@ -17,4 +17,5 @@ resource "scaleway_iam_policy" "rw" {
 resource "scaleway_iam_api_key" "rw" {
   application_id     = scaleway_iam_application.rw.id
   default_project_id = data.scaleway_account_project.current.id
+  expires_at         = var.keys_ttl > 0 ? time_rotating.keys_ttl[0].rotation_rfc3339 : null
 }
diff --git a/main.tf b/main.tf
@@ -6,3 +6,8 @@ resource "scaleway_sdb_sql_database" "main" {
 
   region = var.region
 }
+
+resource "time_rotating" "keys_ttl" {
+  count         = var.keys_ttl > 0 ? 1 : 0
+  rotation_days = var.keys_ttl
+}
diff --git a/variables.tf b/variables.tf
@@ -3,6 +3,12 @@ variable "name" {
   type        = string
 }
 
+variable "keys_ttl" {
+  description = "TTL of IAM keys in days."
+  type        = number
+  default     = 0
+}
+
 variable "min_cpu" {
   description = "Minimum number of CPU units for your database."
   type        = number

diff --git a/versions.tf b/versions.tf
@@ -5,5 +5,9 @@ terraform {
       source  = "scaleway/scaleway"
       version = ">= 2.43.0"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.12.0"
+    }
   }
 }