Skip to content

ensure-secret-expiry

Explanation

Expiration Date is an optional Key Vault Secret behavior and is not set by default.

Set when the resource will be become inactive.

Possible Impact

Long life secrets increase the opportunity for compromise

Suggested Resolution

Set an expiry for secrets

Insecure Example

The following example will fail the azure-keyvault-ensure-secret-expiry check.

resource "azurerm_key_vault_secret" "bad_example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

Secure Example

The following example will pass the azure-keyvault-ensure-secret-expiry check.

resource "azurerm_key_vault_secret" "good_example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "1982-12-31T00:00:00Z"
}