From fd6b37cc6a1caf327197b052232398f5c0162806 Mon Sep 17 00:00:00 2001
From: Hazmei Abdul Rahman
Date: Tue, 30 Jan 2024 17:34:52 +0800
Subject: [PATCH] Feat: Add continuous validation for iam key age (#4)
* Test check 40 days old iam access key
* Fix error
* Fix iam user name
* Update age_in_days to 90 days
* Update README.md
* Test fix for unknown timestamp
* Update age_in_days to 90 days
---
 README.md | 4 +++-
 checks.tf | 9 +++++++++
 locals.tf | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 checks.tf
diff --git a/README.md b/README.md
index 7190c1a..38af065 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,9 @@ module "vault_secretsync" {
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.5 |
 | [aws](#requirement\_aws) | >= 4.67.0 |
+| [null](#requirement\_null) | >= 3.2.2 |
 | [random](#requirement\_random) | >= 3.6.0 |
+| [time](#requirement\_time) | >= 0.9.0 |
 | [vault](#requirement\_vault) | >= 3.23.0 |
 
 ## Providers
@@ -146,7 +148,7 @@ module "vault_secretsync" {
 | [null_resource.rotate_access_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_id.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_rotating.iam_user_secretsync_access_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [time_sleep.wait_5_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_destination_sync](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [vault_generic_endpoint.create_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.create_destination_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
 | [vault_generic_endpoint.remove_all_association_sync](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |
diff --git a/checks.tf b/checks.tf
new file mode 100644
index 0000000..c03c463
--- /dev/null
+++ b/checks.tf
@@ -0,0 +1,9 @@
+check "check_iam_key_age_vault_secretsync" {
+ assert {
+ condition = (
+ timecmp(coalesce(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days), local.age_in_days) > 0
+ )
+ error_message = format("The IAM key for metrics user %s is older than 90 days. Please rotate the key.",
+ module.iam_user_secretsync.iam_user_name)
+ }
+}
diff --git a/locals.tf b/locals.tf
index afa94dd..b3d6e24 100644
--- a/locals.tf
+++ b/locals.tf
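Review bot: In checks.tf the `coalesce(...)` fallback turns a null `create_date` into `local.age_in_days` itself, so `timecmp` returns 0, the `> 0` assertion fails, and a key that simply has no creation date yet is reported as "older than 90 days"; `coalesce` only substitutes null or empty-string values, so a value that is merely unknown at plan time is not covered by it either. Making the intent explicit reads better, for example `condition = aws_iam_access_key.vault_secretsync.create_date == null || timecmp(aws_iam_access_key.vault_secretsync.create_date, local.age_in_days) > 0` (or the inverse if a missing date is meant to warn, in which case the message should say so). The error message also says "metrics user" although the key belongs to the secretsync user named on the next line, which looks like a copy-paste leftover; `"The IAM access key for secretsync user %s is older than 90 days. Please rotate the key."` matches the resource being checked. Since a `check` block only emits a warning and never blocks apply, this is a detection control rather than a preventive one; the `time_rotating` resource listed in the README remains the enforcing rotation mechanism and is worth naming in a comment above the block.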
@@ -1,4 +1,5 @@
 locals {
+ age_in_days = timeadd(plantimestamp(), "-2160h") # 90 days (90*24 hours)
 sync_base_path = "sys/sync/destinations"
 destination_name = "${var.name}-${var.region}-${random_id.this.hex}"
 delete_sync_destination = alltrue([var.delete_all_secret_associations, var.delete_sync_destination])
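Review bot: `age_in_days` holds an RFC 3339 timestamp (the cut-off instant 90 days before the plan), not a number of days, and the 90 is hard-coded both here as `-2160h` and in the checks.tf error-message text, so changing one silently desynchronises the other. Something like `iam_key_max_age_days = 90` and `iam_key_age_threshold = timeadd(plantimestamp(), "-${local.iam_key_max_age_days * 24}h")` keeps a single source of truth and lets checks.tf build its message from the same number. Because `plantimestamp()` changes on every plan, this value should stay referenced only from `check` blocks; feeding it into a resource argument would produce a diff on every run.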