This may be difficult to test, since the API doesn't return any fields related to the old key expiration specifically. It just returns the newly-rotated key.
Next, rotate the API token by setting a new expiration (this is required to trigger a key rotation). Also, set the number of seconds for the old key to expire in (this is what this PR adds).
The previous token is now listed under Rotating API keys and is set to expire at time you applied the change + number of seconds you specified
I was also able to import an existing object:
$ tf import prefect_service_account.mitch name/mitch
prefect_service_account.mitch: Importing from ID "name/mitch"...
prefect_service_account.mitch: Import prepared!
Prepared prefect_service_account for import
prefect_service_account.mitch: Refreshing state...
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
... and destroy one:
prefect_service_account.mitch: Refreshing state... [id=13b18d19-c6b9-42ef-b88b-7aa63abd34a6]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# prefect_service_account.mitch will be destroyed
- resource "prefect_service_account" "mitch" {
- account_id = "9a67b081-4f14-4035-b000-1f715f46231b" -> null
- account_role_name = "Member" -> null
- actor_id = "959f061e-0038-4737-9828-d229080f9c1d" -> null
- api_key = (sensitive value) -> null
- api_key_created = "2024-07-17T17:08:47Z" -> null
- api_key_expiration = "2024-07-17T17:10:30Z" -> null
- api_key_id = "1fdc14d0-577e-407a-8310-3bedf062b788" -> null
- api_key_name = "mitch_ae4cdcfb3a054de3b02ec134322fcadb" -> null
- created = "2024-07-17T16:57:55Z" -> null
- id = "13b18d19-c6b9-42ef-b88b-7aa63abd34a6" -> null
- name = "mitch" -> null
- old_key_expires_in_seconds = 181 -> null
- updated = "2024-07-17T17:08:47Z" -> null
}
# time_rotating.two_minutes will be destroyed
- resource "time_rotating" "two_minutes" {
- day = 17 -> null
- hour = 17 -> null
- id = "2024-07-17T17:08:30Z" -> null
- minute = 10 -> null
- month = 7 -> null
- rfc3339 = "2024-07-17T17:08:30Z" -> null
- rotation_minutes = 2 -> null
- rotation_rfc3339 = "2024-07-17T17:10:30Z" -> null
- second = 30 -> null
- unix = 1721236230 -> null
- year = 2024 -> null
}
Plan: 0 to add, 0 to change, 2 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
prefect_service_account.mitch: Destroying... [id=13b18d19-c6b9-42ef-b88b-7aa63abd34a6]
prefect_service_account.mitch: Destruction complete after 0s
time_rotating.two_minutes: Destroying... [id=2024-07-17T17:08:30Z]
time_rotating.two_minutes: Destruction complete after 0s
Summary
Supports setting the old key expiration seconds for service accounts.
API docs: https://app.prefect.cloud/api/docs#tag/Bots/operation/rotate_api_key_api_accounts__account_id__bots__id__rotate_api_key_post
Closes https://github.com/PrefectHQ/terraform-provider-prefect/issues/233
Notes
Testing
For the first test, just create a new Service Account and set the expiration:
Next, rotate the API token by setting a new expiration (this is required to trigger a key rotation). Also, set the number of seconds for the old key to expire in (this is what this PR adds).
In the UI, you'll now see that:
Rotating API keysand is set to expire attime you applied the change+number of seconds you specifiedI was also able to import an existing object:
... and destroy one: