terraform-provider-tfe

Add keepers argument for token resources

Open Eric-Jckson opened this issue 3 years ago • 4 comments

Description

Add support for recreating tokens with an argument named keepers. This adds the ability to recreate a token if resources change/update, and it can be used with the Terraform resource time_rotating.

Testing plan

Example: This will rotate the token after 2 minutes.

resource "time_rotating" "token" {
  rotation_minutes = 2
}

resource "tfe_team_token" "manage_workspaces" {
  team_id = "xxxxxx"

  keepers = {
    time_rotation = time_rotating.token.id
  }
}

Output from acceptance tests

Currently do not have a test organization for TFC setup.

Please let me know if any information is missing or if changes need to be made.

Eric-Jckson, May 14 '22 01:05

CLA assistant check
All committers have signed the CLA.

hashicorp-cla, May 14 '22 01:05

Hi Erik! Thank you for your contribution! We wanted to check what pain points you are going through that motivate you to want to force a token rotation. Understanding your use cases will help us understand if there are other ways to achieve a better solution to your blockers. Thank you @Eric-Jckson

uturunku1, May 25 '22 18:05

Hey @uturunku1 !

Use Case

Ability to rotate tokens with Terraform based on a time duration. If we have a token that needs to be rotated every 30 days then we can set the resource "time_rotating" to recreate the token resource at the end of that time period.

To achieve this same operation today we would need to do a terraform target destroy on just the token resource.

Possible Solutions

I believe that this new Terraform option below would be able to achieve the same results that I was planning in the PR. replace_triggered_by is a new lifecycle argument for managed resources which triggers replacement of an object based on changes to an upstream dependency.

Eric-Jckson, May 25 '22 19:05

Thanks for the quick response. replace_triggered_by is exactly the option we also thought could serve your needs! https://www.terraform.io/language/meta-arguments/lifecycle You would have to upgrade to Terraform 1.2 and then do something similar to this:

resource "tfe_team_token" "some_team" {
  # ...some tf code
  lifecycle {
    replace_triggered_by = [time_rotating.token.id]
  }
}

Are you able to upgrade to 1.2 and try this out?

uturunku1, May 25 '22 20:05

Closing this PR because the last comment is over 6 months old. Let us know if lifecycle replace_triggered_by didn't help your situation!

brandonc, Feb 02 '23 18:02