From 99a6b28dee40ac9322e96561921505e00ce14e2f Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Wed, 24 Jan 2024 15:15:03 +0800
Subject: [PATCH 1/7] Test check 40 days old iam access key

---
 checks.tf | 9 +++++++++
 locals.tf | 1 +
 2 files changed, 10 insertions(+)
 create mode 100644 checks.tf

diff --git a/checks.tf b/checks.tf
new file mode 100644
index 0000000..e698f93
--- /dev/null
+++ b/checks.tf
@@ -0,0 +1,9 @@
+check "check_iam_key_age_vault_secretsync" {
+ assert {
+ condition = (
+ timecmp(coalesce(aws_iam_access_key.vault_secretsync[0].create_date, local.age_in_days), local.age_in_days) > 0
+ )
+ error_message = format("The IAM key for metrics user %s is older than 40 days. Please rotate the key.",
+ aws_iam_user.vault_secretsync[0].name)
+ }
+}
diff --git a/locals.tf b/locals.tf
index afa94dd..6587bca 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,5 @@
 locals {
+ age_in_days = timeadd(timestamp(), "-960h") # 44 days (44*24 hours)
 sync_base_path = "sys/sync/destinations"
 destination_name = "${var.name}-${var.region}-${random_id.this.hex}"
 delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])
From 01faafbe06173ed1ebe2cb052651146aae49728f Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Wed, 24 Jan 2024 15:25:23 +0800
Subject: [PATCH 2/7] Fix error

---
 checks.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/checks.tf b/checks.tf
index e698f93..ff45e6c 100644
--- a/checks.tf
+++ b/checks.tf
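Review bot: In the new `check` block, `coalesce(aws_iam_access_key.vault_secretsync[0].create_date, local.age_in_days)` turns a null `create_date` into a comparison of the cutoff with itself, so `timecmp` returns 0, the assertion fails, and the operator is told the key is older than 40 days when no creation date was available at all. A comment on the `condition` line should say that this is deliberate, e.g. `# null create_date falls back to the cutoff, so timecmp == 0 and the key is treated as stale`, or the null case should be reported with its own message. Terraform reports a failed `check` assertion as a warning rather than an error, so an over-age key does not stop the apply; a comment stating that this block is a detective signal, with rotation handled elsewhere (presumably by the `time_rotating.iam_user_secretsync_access_key` resource listed in the README), would keep the next reader from relying on it as enforcement.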
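Review bot: The comment on the added `age_in_days` line says 44 days, but `-960h` is 40 days (40*24 = 960), which is also the figure the new error message in checks.tf uses; the comment should read `# 40 days (40*24 hours)`. The local holds a cutoff timestamp rather than a number of days, so its name misleads at the `timecmp` call site; a name such as `key_age_cutoff` would describe what it actually is. The enclosing `locals` block continues outside the hunk.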
@@ -1,9 +1,9 @@
 check "check_iam_key_age_vault_secretsync" {
 assert {
 condition = (
- timecmp(coalesce(aws_iam_access_key.vault_secretsync[0].create_date, local.age_in_days), local.age_in_days) > 0
+ timecmp(coalesce(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days), local.age_in_days) > 0
 )
 error_message = format("The IAM key for metrics user %s is older than 40 days. Please rotate the key.",
- aws_iam_user.vault_secretsync[0].name)
+ aws_iam_user.vault_secretsync.name)
 }
 }
From fedce31f65590d9e3b6019936bc9150960384b0c Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Wed, 24 Jan 2024 15:31:59 +0800
Subject: [PATCH 3/7] Fix iam user name

---
 checks.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks.tf b/checks.tf
index ff45e6c..07f7378 100644
--- a/checks.tf
+++ b/checks.tf
@@ -4,6 +4,6 @@ check "check_iam_key_age_vault_secretsync" {
 timecmp(coalesce(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days), local.age_in_days) > 0
 )
 error_message = format("The IAM key for metrics user %s is older than 40 days. Please rotate the key.",
- aws_iam_user.vault_secretsync.name)
+ module.iam_user_secretsync.iam_user_name)
 }
 }
From b3d0bfb3b10106d85176f4d897d76647b7502005 Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Wed, 24 Jan 2024 16:31:05 +0800
Subject: [PATCH 4/7] Update age_in_days to 90 days

---
 checks.tf | 2 +-
 locals.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/checks.tf b/checks.tf
index 07f7378..c03c463 100644
--- a/checks.tf
+++ b/checks.tf
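Review bot: The error message still calls the principal "metrics user" while everything else in the block refers to the Vault secret-sync user, and after this change the name comes from `module.iam_user_secretsync.iam_user_name`; since this text is what an operator acts on, it should name the right thing, e.g. `error_message = format("The IAM access key for Vault secret-sync user %s is older than 40 days. Please rotate the key.",`. The condition on the first context line still reads `aws_iam_access_key.vault_secretsync.create_date` while the message now takes the user name from a module; presumably the key resource belongs to that module's user, but it is worth confirming the two refer to the same principal so the message cannot point at the wrong account. The enclosing `check` block starts outside the hunk.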
@@ -3,7 +3,7 @@ check "check_iam_key_age_vault_secretsync" {
 condition = (
 timecmp(coalesce(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days), local.age_in_days) > 0
 )
- error_message = format("The IAM key for metrics user %s is older than 40 days. Please rotate the key.",
+ error_message = format("The IAM key for metrics user %s is older than 90 days. Please rotate the key.",
 module.iam_user_secretsync.iam_user_name)
 }
 }
diff --git a/locals.tf b/locals.tf
index 6587bca..d5383cd 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,5 +1,5 @@
 locals {
- age_in_days = timeadd(timestamp(), "-960h") # 44 days (44*24 hours)
+ age_in_days = timeadd(timestamp(), "-2160h") # 90 days (90*24 hours)
 sync_base_path = "sys/sync/destinations"
 destination_name = "${var.name}-${var.region}-${random_id.this.hex}"
 delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])
From ebdc287fd3dc8cc466e5f15953e874a385b78b83 Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Thu, 25 Jan 2024 16:48:14 +0800
Subject: [PATCH 5/7] Update README.md

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7190c1a..38af065 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,9 @@ module "vault_secretsync" {
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.5 |
 | [aws](#requirement\_aws) | >= 4.67.0 |
+| [null](#requirement\_null) | >= 3.2.2 |
 | [random](#requirement\_random) | >= 3.6.0 |
+| [time](#requirement\_time) | >= 0.9.0 |
 | [vault](#requirement\_vault) | >= 3.23.0 |
 
 ## Providers
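Review bot: The 90-day threshold now lives in three places that must agree — the `-2160h` literal in locals.tf, its trailing comment, and the string in the `error_message` line — and the first patch of this series already had the comment and the literal disagree; patch 7/7 edits the same locals.tf line and keeps the duplication. Derive the other two from one number so they cannot drift, e.g. `key_max_age_days = 90` and `age_in_days = timeadd(timestamp(), "-${local.key_max_age_days * 24}h")` in locals.tf, and `error_message = format("The IAM key for metrics user %s is older than %d days. Please rotate the key.", local.key_max_age_days, module.iam_user_secretsync.iam_user_name)` in checks.tf. Both enclosing blocks continue outside their hunks.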
@@ -146,7 +148,7 @@ module "vault_secretsync" {
 | [null_resource.rotate_access_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_id.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_rotating.iam_user_secretsync_access_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [time_sleep.wait_5_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_destination_sync](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [vault_generic_endpoint.create_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.create_destination_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.remove_all_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
From f40b5f8b5682014cdc1cf0c789f580b4c83caa11 Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Mon, 29 Jan 2024 14:22:19 +0800
Subject: [PATCH 6/7] Test fix for unknown timestamp

---
 locals.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/locals.tf b/locals.tf
index d5383cd..0c738f8 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,5 +1,6 @@
 locals {
- age_in_days = timeadd(timestamp(), "-2160h") # 90 days (90*24 hours)
+ # age_in_days = timeadd(timestamp(), "-2160h") # 90 days (90*24 hours)
+ age_in_days = timeadd(plantimestamp(), "-1056h") # 44 days (44*24 hours)
 sync_base_path = "sys/sync/destinations"
 destination_name = "${var.name}-${var.region}-${random_id.this.hex}"
 delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])
From 8ede0d5904501195b25625f4dacf4ec474c02ce6 Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Mon, 29 Jan 2024 14:39:14 +0800
Subject: [PATCH 7/7] Update age_in_days to 90 days

---
 locals.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/locals.tf b/locals.tf
index 0c738f8..b3d6e24 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,6 +1,5 @@
 locals {
- # age_in_days = timeadd(timestamp(), "-2160h") # 90 days (90*24 hours)
- age_in_days = timeadd(plantimestamp(), "-1056h") # 44 days (44*24 hours)
+ age_in_days = timeadd(plantimestamp(), "-2160h") # 90 days (90*24 hours)
 sync_base_path = "sys/sync/destinations"
 destination_name = "${var.name}-${var.region}-${random_id.this.hex}"
 delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])
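Review bot: The final `age_in_days` line keeps the switch from `timestamp()` to `plantimestamp()` without saying why, and the only record of the reason is the subject of patch 6/7. A comment on the line would preserve it for the next reader, e.g. `# plantimestamp() is fixed when the plan is created, so the check evaluates during plan; timestamp() is only known at apply (plantimestamp needs Terraform >= 1.5)`. The README requirement table in patch 5/7 already pins `terraform >= 1.5`, so the version constraint is consistent with that. The enclosing `locals` block continues outside the hunk.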