ci: add secret expiration support

terraform-ibm-modules · Jul 29, 2024 · 5472bec · 5472bec
1 parent 27d81fa
commit 5472bec
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -566,7 +566,7 @@ statement instead the previous block.
 | <a name="input_evidence_repo_integration_owner"></a> [evidence\_repo\_integration\_owner](#input\_evidence\_repo\_integration\_owner) | The name of the integration owner. | `string` | `""` | no |
 | <a name="input_evidence_repo_name"></a> [evidence\_repo\_name](#input\_evidence\_repo\_name) | The repository name. | `string` | `""` | no |
 | <a name="input_evidence_repo_url"></a> [evidence\_repo\_url](#input\_evidence\_repo\_url) | Deprecated: Use `evidence_repo_existing_url`. This is a template repository to link compliance-evidence-locker for reference DevSecOps toolchain templates. | `string` | `""` | no |
-| <a name="input_expiration_period"></a> [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. | `string` | `""` | no |
+| <a name="input_expiration_period"></a> [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
 | <a name="input_gosec_private_repository_host"></a> [gosec\_private\_repository\_host](#input\_gosec\_private\_repository\_host) | Your private repository base URL. | `string` | `""` | no |
 | <a name="input_gosec_private_repository_ssh_key_secret_crn"></a> [gosec\_private\_repository\_ssh\_key\_secret\_crn](#input\_gosec\_private\_repository\_ssh\_key\_secret\_crn) | The CRN for the GoSec repository secret. | `string` | `""` | no |
 | <a name="input_gosec_repo_ssh_key_secret_group"></a> [gosec\_repo\_ssh\_key\_secret\_group](#input\_gosec\_repo\_ssh\_key\_secret\_group) | Secret group prefix for the gosec private repository ssh key secret. Defaults to `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |

diff --git a/code-engine/README.md b/code-engine/README.md
@@ -570,6 +570,7 @@ statement instead the previous block.
 | <a name="input_evidence_repo_integration_owner"></a> [evidence\_repo\_integration\_owner](#input\_evidence\_repo\_integration\_owner) | The name of the integration owner. | `string` | `""` | no |
 | <a name="input_evidence_repo_name"></a> [evidence\_repo\_name](#input\_evidence\_repo\_name) | The repository name. | `string` | `""` | no |
 | <a name="input_evidence_repo_url"></a> [evidence\_repo\_url](#input\_evidence\_repo\_url) | Deprecated: Use `evidence_repo_existing_url`. This is a template repository to link compliance-evidence-locker for reference DevSecOps toolchain templates. | `string` | `""` | no |
+| <a name="input_expiration_period"></a> [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
 | <a name="input_gosec_private_repository_host"></a> [gosec\_private\_repository\_host](#input\_gosec\_private\_repository\_host) | Your private repository base URL. | `string` | `""` | no |
 | <a name="input_gosec_private_repository_ssh_key_secret_crn"></a> [gosec\_private\_repository\_ssh\_key\_secret\_crn](#input\_gosec\_private\_repository\_ssh\_key\_secret\_crn) | The CRN for the GoSec repository secret. | `string` | `""` | no |
 | <a name="input_gosec_repo_ssh_key_secret_group"></a> [gosec\_repo\_ssh\_key\_secret\_group](#input\_gosec\_repo\_ssh\_key\_secret\_group) | Secret group prefix for the gosec private repository ssh key secret. Defaults to `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |

diff --git a/code-engine/main.tf b/code-engine/main.tf
@@ -114,6 +114,7 @@ module "prereqs" {
   iam_api_key_secret_name        = var.pipeline_ibmcloud_api_key_secret_name
   signing_key_secret_name        = var.ci_signing_key_secret_name
   signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
+  expiration_period              = var.expiration_period
   sm_exists                      = var.enable_secrets_manager
   sm_endpoint_type               = var.sm_endpoint_type
 }

diff --git a/code-engine/variables.tf b/code-engine/variables.tf
@@ -189,7 +189,7 @@ variable "sm_endpoint_type" {
 
 variable "expiration_period" {
   type        = string
-  description = "The number of days until the secret expires."
+  description = "The number of days until the secret expires. Leave empty to not set an expiration."
   default     = ""
 }
 

diff --git a/main.tf b/main.tf
@@ -98,6 +98,7 @@ module "prereqs" {
   iam_api_key_secret_name        = var.pipeline_ibmcloud_api_key_secret_name
   signing_key_secret_name        = var.ci_signing_key_secret_name
   signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
+  expiration_period              = var.expiration_period
   sm_exists                      = var.enable_secrets_manager
   sm_endpoint_type               = var.sm_endpoint_type
 }

diff --git a/prereqs/variables.tf b/prereqs/variables.tf
@@ -78,7 +78,7 @@ variable "sm_endpoint_type" {
 
 variable "expiration_period" {
   type        = string
-  description = "The number of days until the secret expires."
+  description = "The number of days until the secret expires. Leave empty to not set an expiration."
   default     = ""
 }
 

diff --git a/variables.tf b/variables.tf
@@ -189,7 +189,7 @@ variable "sm_endpoint_type" {
 
 variable "expiration_period" {
   type        = string
-  description = "The number of days until the secret expires."
+  description = "The number of days until the secret expires. Leave empty to not set an expiration."
   default     = ""
 }