grafana / terraform-provider-grafana

Terraform Grafana provider
https://www.terraform.io/docs/providers/grafana/
Mozilla Public License 2.0
431 stars, 228 forks

[Feature Request]: Automatic token rotations via taint #1705

Open julienduchesne opened 3 months ago

julienduchesne commented 3 months ago

Feature Request

Resources:

On these resources, it's possible to set a token expiration, but it's up to the user to taint the resource and reapply it. For users that have automatic drift detection (and resolution), a way to automatically taint and reapply these resources would allow for rotation.

I propose a rotation_time_before_expiration which will allow users to set an expiration and also a duration that will trigger a rotation if (current time - expiration timer) is less than that rotation time. For example, an expiration time of 30d and a rotation time of 7d means that the token will be rotated via taint after 23d (7d from expiration).
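A sketch, added here and not taken from the provider or from any commenter, of the provider-side decision the proposal above implies, written in Go because that is the language of terraform-provider-grafana. The names ParseDuration, PlanRotation, RotationPlan and NeedsRotation are assumed for illustration and do not exist in the provider. It reads the proposal as "replace the token once less than rotation_time_before_expiration remains before expires_at", accepts a day suffix (which neither Go's time.ParseDuration nor Terraform's timeadd understands), rejects a rotation window that is not shorter than the lifetime, and checks the 30d/7d case from the comment: rotation is due from day 23 onward and stays due once the token has expired.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ParseDuration parses durations such as "30d", "7d", "12h" or "90m".
// Go's time.ParseDuration has no day unit, so a trailing "d" is converted
// to a multiple of 24h first; any other suffix is passed straight through.
func ParseDuration(s string) (time.Duration, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return 0, errors.New("empty duration")
	}
	if strings.HasSuffix(s, "d") {
		days, err := strconv.ParseFloat(strings.TrimSuffix(s, "d"), 64)
		if err != nil {
			return 0, fmt.Errorf("invalid day count in %q: %w", s, err)
		}
		return time.Duration(days * float64(24*time.Hour)), nil
	}
	return time.ParseDuration(s)
}

// RotationPlan records when a token expires and when it should be replaced.
type RotationPlan struct {
	ExpiresAt time.Time
	RotateAt  time.Time // ExpiresAt minus rotation_time_before_expiration
}

// PlanRotation derives the rotation instant for a token issued at `issued`
// with lifetime `expiration` and rotation window `rotateBefore`. A window that
// is not shorter than the lifetime would force rotation the moment the token
// is created, so it is rejected as a misconfiguration (hypothetical policy).
func PlanRotation(issued time.Time, expiration, rotateBefore time.Duration) (RotationPlan, error) {
	if expiration <= 0 {
		return RotationPlan{}, errors.New("expiration must be positive")
	}
	if rotateBefore < 0 {
		return RotationPlan{}, errors.New("rotation_time_before_expiration must not be negative")
	}
	if rotateBefore >= expiration {
		return RotationPlan{}, fmt.Errorf("rotation window %s must be shorter than expiration %s", rotateBefore, expiration)
	}
	exp := issued.Add(expiration)
	return RotationPlan{ExpiresAt: exp, RotateAt: exp.Add(-rotateBefore)}, nil
}

// NeedsRotation reports whether, at `now`, the token is inside its rotation
// window or already expired, i.e. whether the provider should mark it for
// replacement (the equivalent of a taint) on the next plan.
func (p RotationPlan) NeedsRotation(now time.Time) bool {
	return !now.Before(p.RotateAt)
}

func main() {
	// Constructed sample: a token issued at a fixed instant with the 30d/7d
	// settings from the feature request.
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	expiration, _ := ParseDuration("30d")
	rotateBefore, _ := ParseDuration("7d")
	plan, err := PlanRotation(issued, expiration, rotateBefore)
	if err != nil {
		panic(err)
	}
	for _, day := range []int{22, 23, 29, 31} {
		now := issued.AddDate(0, 0, day)
		fmt.Printf("day %2d: needs rotation = %v\n", day, plan.NeedsRotation(now))
	}
}
```

NeedsRotation is deliberately monotonic: once the window has opened it keeps returning true until the token is actually replaced, so a run that was skipped (or that failed) does not silently leave an expiring token in place.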

mjseaman commented 3 weeks ago

Hi @julienduchesne and @tleopold, I'm doing a little feature request triage. This issue is in the backlog; does that mean you intend to do it?

undefinedhuman commented 7 hours ago

Hi there, we are able to rotate the token in time before expiration with the Hashicorp/time provider, but the rotation would also delete/invalidate the old token, and therefore an instant update of our entire infra would be necessary (which is not possible). Would it be possible to implement a flag for the tokens, "delete = false/true"?

Our current example ():

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "3.12.0"
    }
    // time_rotating below comes from the hashicorp/time provider, which the
    // snippet uses but did not declare.
    time = {
      source = "hashicorp/time"
    }
  }
}

provider "grafana" {
  alias = "cloud"
}

data "grafana_cloud_stack" "test" {
  provider = grafana.cloud
  slug     = "test"
}

// Access policy the token below is issued for: write-only scopes for pushing
// telemetry into the stack.
resource "grafana_cloud_access_policy" "push_policy" {
  provider = grafana.cloud

  region = data.grafana_cloud_stack.test.region_slug
  name   = "metric-publisher-test"
  scopes = ["metrics:write", "logs:write", "traces:write"]
  realm {
    type       = "stack"
    identifier = data.grafana_cloud_stack.test.id
  }
}

// Rotates every 4 minutes: once that time has passed, the next plan replaces
// this resource and its rfc3339 timestamp changes.
resource "time_rotating" "push_token_expiration" {
  rotation_minutes = 4
}

// expires_at is derived from the rotating timestamp, so each rotation forces a
// new token. create_before_destroy creates the replacement first, but the old
// token is still destroyed in the same apply.
resource "grafana_cloud_access_policy_token" "push_policy" {
  provider = grafana.cloud

  region           = data.grafana_cloud_stack.test.region_slug
  access_policy_id = grafana_cloud_access_policy.push_policy.policy_id
  name             = "metric-publisher-devops"

  expires_at = timeadd(time_rotating.push_token_expiration.rfc3339, "8m")

  lifecycle {
    create_before_destroy = true
  }
}

If you need more info, please let me know!