terraform.azure.best-practice.azure-secret-expiration-date.azure-secret-expiration-date

Author: unknown
Ensure that the expiration date is set on all secrets

Definition

rules:
  - id: azure-secret-expiration-date
    message: Ensure that the expiration date is set on all secrets
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "azurerm_key_vault_secret" "..." {
          ...
          }
      - pattern-not-inside: |
          resource "azurerm_key_vault_secret" "..." {
          ...
          expiration_date = "..."
          ...
          }
    metadata:
      category: best-practice
      technology:
        - terraform
        - azure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING

Examples

azure-secret-expiration-date.tf

# fail: no expiration_date attribute on the secret
# ruleid: azure-secret-expiration-date
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id

  tags = {
    environment = "Production"
  }
}

# pass: expiration_date is present. The rule only checks that the attribute
# exists; it does not check that the date is in the future (this one is not).
# ok: azure-secret-expiration-date
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id

  tags = {
    environment = "Production"
  }
  expiration_date = "2020-12-30T20:00:00Z"
}
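The rule above is a presence check: a resource passes as soon as `expiration_date` appears, even with a date that has already elapsed (the passing example uses 2020) or one decades out. The following script is an added example, not part of the Semgrep registry entry or the azurerm provider; it walks `azurerm_key_vault_secret` blocks in raw HCL with a brace-matching scan and classifies each one as missing an expiry, already expired, longer than a chosen maximum lifetime, or set from an expression (for instance `time_rotating.<name>.rotation_rfc3339` from the hashicorp/time provider) that has to be reviewed by hand. The date format assumed is the UTC RFC 3339 form `YYYY-MM-DDTHH:MM:SSZ` shown in the page's example; the 365-day maximum lifetime, the fixed clock `NOW`, and the sample Terraform text are all constructed for the example. Whether the Semgrep pattern `expiration_date = "..."` is satisfied by a non-literal value should be confirmed with `semgrep --test` before relying on the rule alone for rotated secrets.

```python
"""Complement to the Semgrep rule: validate azurerm_key_vault_secret expiry dates.

Added example; not code from the Semgrep registry or the azurerm provider.
"""
import re
from datetime import datetime, timedelta, timezone

RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault_secret"\s+"([^"]+)"\s*\{')
EXPIRY_RE = re.compile(r'^\s*expiration_date\s*=\s*(.+?)\s*$', re.MULTILINE)
# Assumed format: UTC RFC 3339 as in the page's example, e.g. 2020-12-30T20:00:00Z
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def extract_secret_blocks(hcl_text):
    """Yield (resource_name, block_body) for each azurerm_key_vault_secret.

    Braces are counted so a nested block such as tags = { ... } does not end
    the resource body early. Names are assumed unique per file.
    """
    for m in RESOURCE_RE.finditer(hcl_text):
        depth, i = 1, m.end()
        while i < len(hcl_text) and depth:
            if hcl_text[i] == "{":
                depth += 1
            elif hcl_text[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), hcl_text[m.end():i - 1]


def check_expiration(body, now, max_lifetime=timedelta(days=365)):
    """Return None when the expiry is acceptable, otherwise a short finding code."""
    m = EXPIRY_RE.search(body)
    if not m:
        return "missing"        # the case the Semgrep rule reports
    raw = m.group(1)
    if not (raw.startswith('"') and raw.endswith('"')) or "${" in raw:
        return "expression"     # e.g. time_rotating.x.rotation_rfc3339; review manually
    try:
        exp = datetime.strptime(raw.strip('"'), DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return "unparseable"
    if exp <= now:
        return "expired"
    if exp - now > max_lifetime:
        return "too-long"
    return None


def scan(hcl_text, now, max_lifetime=timedelta(days=365)):
    """Map each secret resource name to its finding (None when acceptable)."""
    return {name: check_expiration(body, now, max_lifetime)
            for name, body in extract_secret_blocks(hcl_text)}


# Constructed sample input covering each outcome; not from a real repository.
SAMPLE_TF = '''
resource "azurerm_key_vault_secret" "missing" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
  tags = {
    environment = "Production"
  }
}

resource "azurerm_key_vault_secret" "expired" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2020-12-30T20:00:00Z"
}

resource "azurerm_key_vault_secret" "ok" {
  name            = "secret-sauce"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2024-06-30T00:00:00Z"
}

resource "azurerm_key_vault_secret" "too_long" {
  name            = "secret-sauce"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2030-01-01T00:00:00Z"
}

resource "azurerm_key_vault_secret" "rotated" {
  name            = "secret-sauce"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = time_rotating.secret.rotation_rfc3339
}
'''

# Fixed clock so the classification is reproducible (assumption for the example).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, finding in scan(SAMPLE_TF, NOW).items():
        print(f"{name}: {finding or 'ok'}")
```

Run it against a directory of `.tf` files after the Semgrep rule has cleared the `missing` case; the `expired` and `too-long` findings are the ones the rule cannot express because it has no notion of the current time or of a policy maximum.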