Support keepers for password resources, to enable triggered rotation

hashicorp · Jul 21, 2021 · d9ebb86 · d9ebb86
1 parent dab38f9
commit d9ebb86
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 6 deletions.
diff --git a/docs/resources/application_password.md b/docs/resources/application_password.md
@@ -8,13 +8,34 @@ Manages a password credential associated with an application within Azure Active
 
 ## Example Usage
 
+*Basic example*
+
+```terraform
+resource "azuread_application" "example" {
+  display_name = "example"
+}
+
+resource "azuread_application_password" "example" {
+  application_object_id = azuread_application.example.object_id
+}
+```
+
+*Time-based rotation*
+
 ```terraform
 resource "azuread_application" "example" {
   display_name = "example"
 }
 
+resource "time_rotating" "example" {
+  rotation_days = 7
+}
+
 resource "azuread_application_password" "example" {
   application_object_id = azuread_application.example.object_id
+  keepers = {
+    rotation = time_rotating.example.id
+  }
 }
 ```
 

diff --git a/docs/resources/service_principal_password.md b/docs/resources/service_principal_password.md
@@ -8,6 +8,8 @@ Manages a password credential associated with a service principal within Azure A
 
 ## Example Usage
 
+*Basic example*
+
 ```terraform
 resource "azuread_application" "example" {
   display_name = "example"
@@ -22,6 +24,30 @@ resource "azuread_service_principal_password" "example" {
 }
 ```
 
+*Time-based rotation*
+
+```terraform
+resource "azuread_application" "example" {
+  display_name = "example"
+}
+
+resource "azuread_service_principal" "example" {
+  application_id = azuread_application.example.application_id
+}
+
+resource "time_rotating" "example" {
+  rotation_days = 7
+}
+
+resource "azuread_service_principal_password" "example" {
+  service_principal_id = azuread_service_principal.example.object_id
+  keepers = {
+    rotation = time_rotating.example.id
+  }
+}
+```
+
+
 ## Argument Reference
 
 The following arguments are supported:

diff --git a/internal/services/applications/application_password_resource.go b/internal/services/applications/application_password_resource.go
@@ -52,12 +52,6 @@ func applicationPasswordResource() *schema.Resource {
 				ValidateDiagFunc: validate.UUID,
 			},
 
-			"key_id": {
-				Description: "A UUID used to uniquely identify this password credential",
-				Type:        schema.TypeString,
-				Computed:    true,
-			},
-
 			"display_name": {
 				Description: "A display name for the password",
 				Type:        schema.TypeString,
@@ -94,6 +88,22 @@ func applicationPasswordResource() *schema.Resource {
 				ValidateDiagFunc: validate.NoEmptyStrings,
 			},
 
+			"keepers": {
+				Description: "Arbitrary map of values that, when changed, will trigger rotation of the password",
+				Type:        schema.TypeMap,
+				Optional:    true,
+				ForceNew:    true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+
+			"key_id": {
+				Description: "A UUID used to uniquely identify this password credential",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+
 			"value": {
 				Description: "The password for this application, which is generated by Azure Active Directory",
 				Type:        schema.TypeString,

diff --git a/internal/services/serviceprincipals/service_principal_password_resource.go b/internal/services/serviceprincipals/service_principal_password_resource.go
@@ -52,6 +52,16 @@ func servicePrincipalPasswordResource() *schema.Resource {
 				ValidateDiagFunc: validate.UUID,
 			},
 
+			"keepers": {
+				Description: "Arbitrary map of values that, when changed, will trigger rotation of the password",
+				Type:        schema.TypeMap,
+				Optional:    true,
+				ForceNew:    true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+
 			"key_id": {
 				Description: "A UUID used to uniquely identify this password credential",
 				Type:        schema.TypeString,