From 5472becbfe19fb0084b7b6fcca0981822abdf261 Mon Sep 17 00:00:00 2001
From: huayuenh
Date: Mon, 29 Jul 2024 15:19:33 +0100
Subject: [PATCH] ci: add secret expiration support
---
 README.md | 2 +-
 code-engine/README.md | 1 +
 code-engine/main.tf | 1 +
 code-engine/variables.tf | 2 +-
 main.tf | 1 +
 prereqs/variables.tf | 2 +-
 variables.tf | 2 +-
 7 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 30f2ea68..22757cc9 100644
--- a/README.md
+++ b/README.md
@@ -566,7 +566,7 @@ statement instead the previous block.
 | [evidence\_repo\_integration\_owner](#input\_evidence\_repo\_integration\_owner) | The name of the integration owner. | `string` | `""` | no |
 | [evidence\_repo\_name](#input\_evidence\_repo\_name) | The repository name. | `string` | `""` | no |
 | [evidence\_repo\_url](#input\_evidence\_repo\_url) | Deprecated: Use `evidence_repo_existing_url`. This is a template repository to link compliance-evidence-locker for reference DevSecOps toolchain templates. | `string` | `""` | no |
-| [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. | `string` | `""` | no |
+| [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
 | [gosec\_private\_repository\_host](#input\_gosec\_private\_repository\_host) | Your private repository base URL. | `string` | `""` | no |
 | [gosec\_private\_repository\_ssh\_key\_secret\_crn](#input\_gosec\_private\_repository\_ssh\_key\_secret\_crn) | The CRN for the GoSec repository secret. | `string` | `""` | no |
 | [gosec\_repo\_ssh\_key\_secret\_group](#input\_gosec\_repo\_ssh\_key\_secret\_group) | Secret group prefix for the gosec private repository ssh key secret. Defaults to `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
diff --git a/code-engine/README.md b/code-engine/README.md
index 88717580..6629894c 100644
--- a/code-engine/README.md
+++ b/code-engine/README.md
@@ -570,6 +570,7 @@ statement instead the previous block.
 | [evidence\_repo\_integration\_owner](#input\_evidence\_repo\_integration\_owner) | The name of the integration owner. | `string` | `""` | no |
 | [evidence\_repo\_name](#input\_evidence\_repo\_name) | The repository name. | `string` | `""` | no |
 | [evidence\_repo\_url](#input\_evidence\_repo\_url) | Deprecated: Use `evidence_repo_existing_url`. This is a template repository to link compliance-evidence-locker for reference DevSecOps toolchain templates. | `string` | `""` | no |
+| [expiration\_period](#input\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
 | [gosec\_private\_repository\_host](#input\_gosec\_private\_repository\_host) | Your private repository base URL. | `string` | `""` | no |
 | [gosec\_private\_repository\_ssh\_key\_secret\_crn](#input\_gosec\_private\_repository\_ssh\_key\_secret\_crn) | The CRN for the GoSec repository secret. | `string` | `""` | no |
 | [gosec\_repo\_ssh\_key\_secret\_group](#input\_gosec\_repo\_ssh\_key\_secret\_group) | Secret group prefix for the gosec private repository ssh key secret. Defaults to `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
diff --git a/code-engine/main.tf b/code-engine/main.tf
index 810a69c6..86fb13ed 100644
--- a/code-engine/main.tf
+++ b/code-engine/main.tf
@@ -114,6 +114,7 @@ module "prereqs" {
 iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
 signing_key_secret_name = var.ci_signing_key_secret_name
 signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
+ expiration_period = var.expiration_period
 sm_exists = var.enable_secrets_manager
 sm_endpoint_type = var.sm_endpoint_type
 }
diff --git a/code-engine/variables.tf b/code-engine/variables.tf
index 5e2d636e..df55bf80 100644
--- a/code-engine/variables.tf
+++ b/code-engine/variables.tf
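Review bot: The new `expiration_period = var.expiration_period` line in code-engine/main.tf hands the value to `module "prereqs"` unconditionally, right beside `sm_exists`, and the patch does not touch prereqs/main.tf, so the hunk alone cannot show whether the module honours the value when Secrets Manager is not in use. If it is only applied to Secrets Manager-backed secrets, recording that at the call site would save the next reader a lookup, e.g. `expiration_period = var.expiration_period # days; presumably only applied when sm_exists is true — confirm in prereqs`. The identical hunk in the root main.tf later in this patch would take the same comment. The `module "prereqs"` block starts before this hunk.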
@@ -189,7 +189,7 @@ variable "sm_endpoint_type" { variable "expiration_period" { type = string - description = "The number of days until the secret expires." + description = "The number of days until the secret expires. Leave empty to not set an expiration." default = "" } diff --git a/main.tf b/main.tf index f2916f84..babd21c9 100644 --- a/main.tf +++ b/main.tf @@ -98,6 +98,7 @@ module "prereqs" { iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name signing_key_secret_name = var.ci_signing_key_secret_name signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name + expiration_period = var.expiration_period sm_exists = var.enable_secrets_manager sm_endpoint_type = var.sm_endpoint_type } diff --git a/prereqs/variables.tf b/prereqs/variables.tf index 6a875e53..1fec5564 100644 --- a/prereqs/variables.tf +++ b/prereqs/variables.tf @@ -78,7 +78,7 @@ variable "sm_endpoint_type" { variable "expiration_period" { type = string - description = "The number of days until the secret expires." + description = "The number of days until the secret expires. Leave empty to not set an expiration." default = "" } diff --git a/variables.tf b/variables.tf index 5c6013c3..d8736be9 100644 --- a/variables.tf +++ b/variables.tf @@ -189,7 +189,7 @@ variable "sm_endpoint_type" { variable "expiration_period" { type = string - description = "The number of days until the secret expires." + description = "The number of days until the secret expires. Leave empty to not set an expiration." default = "" }
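Review bot: In code-engine/variables.tf the reworded description ("Leave empty to not set an expiration") is now the only statement of what `expiration_period` accepts; the variable stays a free-form `string` with default `""`, so a non-numeric, zero or negative value is not rejected at plan time and only surfaces when the prereqs module applies it to the secret resources, or as an unintended expiry. A `validation` block on the declaration turns that into a plan-time error while keeping the empty-string default, and the same block belongs on the identical declarations in prereqs/variables.tf and variables.tf later in this patch; any upper bound the secret resource itself enforces is out of view here. The blank context lines of this hunk are collapsed in the listing, so the insertion point below is inferred from the visible block.

```hcl
variable "expiration_period" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.expiration_period == "" || can(regex("^[1-9][0-9]*$", var.expiration_period))
    error_message = "expiration_period must be empty or a positive whole number of days."
  }
}
```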