Key Vault Secret should have an expiration date set
Expiration Date is an optional Key Vault Secret behavior and is not set by default.
Set when the resource will be become inactive.
Impact
Long life secrets increase the opportunity for compromise
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Set an expiry for secrets
1
2
3
4
5
6
7
|
resource "azurerm_key_vault_secret" "good_example" {
name = "secret-sauce"
value = "szechuan"
key_vault_id = azurerm_key_vault.example.id
expiration_date = "1982-12-31T00:00:00Z"
}
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
resource "azuread_application" "myapp" {
display_name = "MyAzureAD App"
group_membership_claims = ["ApplicationGroup"]
prevent_duplicate_names = true
}
resource "azuread_application_password" "myapp" {
application_object_id = azuread_application.myapp.object_id
}
resource "azurerm_key_vault_secret" "myapp_pass" {
name = "myapp-oauth"
value = azuread_application_password.myapp.value
key_vault_id = azurerm_key_vault.cluster_key_vault.id
expiration_date = azuread_application_password.myapp.end_date
content_type = "Password"
}
|
Links