mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License
634 stars 313 forks

Feature request: Secret rotation using time_rotating #791

Closed Breee closed 1 year ago

Breee commented 1 year ago

Currently it is not possible to rotate the secrets of clients automatically.

It would be great if clients would support something similar to this:

## Client Secrets have to rotate
resource "time_rotating" "secret_rotation_days" {
  rotation_days = 120
}

resource "keycloak_openid_client" "openid_client" {
  realm_id            = keycloak_realm.realm.id
  client_id           = "test-client"

  name                = "test client"
  enabled             = true

  access_type         = "CONFIDENTIAL"
  valid_redirect_uris = [
    "http://localhost:8080/openid-callback"
  ]

  login_theme = "keycloak"

  extra_config = {
    "key1" = "value1"
    "key2" = "value2"
  }

  # proposed attribute (does not exist in the provider): regenerate the
  # client secret whenever the referenced value changes
  rotate_secret_when_changed = {
    rotation = time_rotating.secret_rotation_days.id
  }
}

where rotate_secret_when_changed checks if the id of the time_rotating object has changed and generates a new secret if so.

hargut commented 1 year ago

It should be possible to use the random provider to generate the secret, add the time_rotating to the keepers and set random result as client_secret on the keycloak resource.

https://registry.terraform.io/providers/hashicorp/random/latest/docs#resource-keepers

Breee commented 1 year ago

> It should be possible to use the random provider to generate the secret, add the time_rotating to the keepers and set random result as client_secret on the keycloak resource.
>
> https://registry.terraform.io/providers/hashicorp/random/latest/docs#resource-keepers

thx

# the id of this resource is its base timestamp; it changes after rotation_days
resource "time_rotating" "secret_rotation_days" {
  rotation_days = 120
}

# a change in any keeper value forces a new random_string, i.e. a new secret
resource "random_string" "client_secret" {
  length  = 32
  special = false

  keepers = {
    rotation_days = time_rotating.secret_rotation_days.id
  }
}

resource "keycloak_openid_client" "openid_client" {
  realm_id = data.keycloak_realm.realm.id

  name          = var.service_name
  description   = "Client for ${var.service_root_url}"
  client_id     = var.service_name
  client_secret = random_string.client_secret.result
  [...]
}

does the trick!
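A complete configuration built on the keepers approach from this thread, added here as an example and not code from the issue or from the provider project. It assumes a `var.realm_id` input, a client named `rotating-secret-demo` and a placeholder redirect URI; it swaps `random_string` for `random_password`, whose interface is the same but whose `result` is marked sensitive, so the secret is redacted from plan and apply output.

```hcl
terraform {
  required_providers {
    keycloak = {
      source = "mrparkers/keycloak"
    }
    random = {
      source = "hashicorp/random"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

# Rotation clock. The resource's id is its base timestamp in RFC3339; once
# rotation_days have elapsed, the next plan replaces the resource, the id
# changes, and the change cascades through the keepers below.
resource "time_rotating" "client_secret" {
  rotation_days = 90
}

# random_password instead of random_string: same arguments, but the result
# is sensitive, so it does not show up in plan/apply output. Any change to a
# keeper value forces a new password.
resource "random_password" "client_secret" {
  length  = 48
  special = false

  keepers = {
    rotation = time_rotating.client_secret.id
  }
}

resource "keycloak_openid_client" "service" {
  realm_id      = var.realm_id             # assumed input variable
  client_id     = "rotating-secret-demo"   # assumed client name
  name          = "rotating-secret-demo"
  enabled       = true
  access_type   = "CONFIDENTIAL"
  client_secret = random_password.client_secret.result

  valid_redirect_uris = [
    "https://app.example.invalid/callback" # assumed placeholder
  ]
}

# Expose the current secret so the consumer can be updated in the same run
# (for example by feeding it into a secret-store resource in this config).
output "client_secret" {
  value     = random_password.client_secret.result
  sensitive = true
}
```

Two caveats worth knowing before relying on this. First, nothing rotates by itself: the replacement only happens on a `terraform plan`/`apply` run after the deadline, so the configuration needs to be applied on a schedule at least as often as `rotation_days`. Second, the cutover is immediate: the apply that writes the new `client_secret` to Keycloak invalidates the old one, so any consumer still holding the previous value fails until it reads the new one. Wiring the output into the consumer's secret store in the same configuration keeps the two in step, and the secret is stored in plaintext in the Terraform state either way, so the state backend needs the same protection as the secret itself.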