LOW
Source
Trivy
ID
AVD-AZU-0017

Key Vault Secret should have an expiration date set

Expiration Date is an optional Key Vault Secret behavior and is not set by default.

Set when the resource will be become inactive.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Set an expiry for secrets

1
2
3
4
5
6
resource "azurerm_key_vault_secret" "good_example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "1982-12-31T00:00:00Z"
}
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
resource "azuread_application" "myapp" {
  display_name = "MyAzureAD App"

  group_membership_claims = ["ApplicationGroup"]
  prevent_duplicate_names = true

}

resource "azuread_application_password" "myapp" {
  application_object_id = azuread_application.myapp.object_id
  end_date              = "2024-12-18T00:00:00Z"
}

resource "azurerm_key_vault_secret" "myapp_pass" {
  name            = "myapp-oauth"
  value           = azuread_application_password.myapp.value
  key_vault_id    = azurerm_key_vault.cluster_key_vault.id
  expiration_date = azuread_application_password.myapp.end_date
  content_type    = "Password"
}