Feat: Add continuous validation for iam key age (#4)

* Test check 40 days old iam access key * Fix error * Fix iam user name * Update age_in_days to 90 days * Update README.md * Test fix for unknown timestamp * Update age_in_days to 90 days
SPHTech-Platform · Jan 30, 2024 · fd6b37c · fd6b37c
1 parent b09ee54
commit fd6b37c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -118,7 +118,9 @@ module "vault_secretsync" {
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.67.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.2 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.0 |
 | <a name="requirement_vault"></a> [vault](#requirement\_vault) | >= 3.23.0 |
 
 ## Providers
@@ -146,7 +148,7 @@ module "vault_secretsync" {
 | [null_resource.rotate_access_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_id.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_rotating.iam_user_secretsync_access_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [time_sleep.wait_5_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_destination_sync](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [vault_generic_endpoint.create_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.create_destination_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.remove_all_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |

diff --git a/checks.tf b/checks.tf
@@ -0,0 +1,9 @@
+check "check_iam_key_age_vault_secretsync" {
+  assert {
+    condition = (
+      timecmp(coalesce(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days), local.age_in_days) > 0
+    )
+    error_message = format("The IAM key for metrics user %s is older than 90 days. Please rotate the key.",
+    module.iam_user_secretsync.iam_user_name)
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -1,4 +1,5 @@
 locals {
+  age_in_days             = timeadd(plantimestamp(), "-2160h") # 90 days (90*24 hours)
   sync_base_path          = "sys/sync/destinations"
   destination_name        = "${var.name}-${var.region}-${random_id.this.hex}"
   delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])