Key Vault Secret should have an expiration date set
Expiration Date is an optional Key Vault Secret behavior and is not set by default.
Set when the resource will be become inactive.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Set an expiry for secrets
1
2
3
4
5
6
|
resource "azurerm_key_vault_secret" "good_example" {
name = "secret-sauce"
value = "szechuan"
key_vault_id = azurerm_key_vault.example.id
expiration_date = "1982-12-31T00:00:00Z"
}
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
resource "azuread_application" "myapp" {
display_name = "MyAzureAD App"
group_membership_claims = ["ApplicationGroup"]
prevent_duplicate_names = true
}
resource "azuread_application_password" "myapp" {
application_object_id = azuread_application.myapp.object_id
end_date = "2024-12-18T00:00:00Z"
}
resource "azurerm_key_vault_secret" "myapp_pass" {
name = "myapp-oauth"
value = azuread_application_password.myapp.value
key_vault_id = azurerm_key_vault.cluster_key_vault.id
expiration_date = azuread_application_password.myapp.end_date
content_type = "Password"
}
|
Links