
Key Vault Secret should have an expiration date set

Default Severity: low

Explanation

Expiration Date is an optional Key Vault Secret attribute and is not set by default.

Set it to the point in time at which the secret should become inactive.

Possible Impact

Long-lived secrets increase the opportunity for compromise.

Suggested Resolution

Set an expiry for secrets

Insecure Example

The following example will fail the azure-keyvault-ensure-secret-expiry check.

 resource "azurerm_key_vault_secret" "bad_example" {
   name         = "secret-sauce"
   value        = "szechuan"
   key_vault_id = azurerm_key_vault.example.id
 }

Secure Example

The following example will pass the azure-keyvault-ensure-secret-expiry check.

 resource "azurerm_key_vault_secret" "good_example" {
   name            = "secret-sauce"
   value           = "szechuan"
   key_vault_id    = azurerm_key_vault.example.id
   expiration_date = "1982-12-31T00:00:00Z"
 }
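As an added example that is neither this page's nor tfsec's own code, the following Python re-implements the check over the two Terraform blocks above and extends it with an assumed lifetime policy: it brace-matches each azurerm_key_vault_secret block, reports the missing expiration_date that the tfsec check looks for, and additionally flags an expiry that is already in the past or further out than max_lifetime_days (an assumed, tunable value). The regexes handle only quoted literal dates, not a full HCL parse; note that good_example's 1982 date satisfies the tfsec check but is reported as already expired by the extended policy.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input: the two Terraform examples from this page.
SAMPLE_TF = '''
resource "azurerm_key_vault_secret" "bad_example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
resource "azurerm_key_vault_secret" "good_example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "1982-12-31T00:00:00Z"
}
'''
BLOCK_RE = re.compile(r'resource\s+"azurerm_key_vault_secret"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*expiration_date\s*=\s*"([^"]*)"', re.M)

def parse_ts(s):
    """Parse an RFC 3339 timestamp as written in Terraform (trailing Z allowed)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def extract_blocks(tf_text):
    """Yield (name, body) for each azurerm_key_vault_secret block, brace-matched."""
    for m in BLOCK_RE.finditer(tf_text):
        depth, i = 1, m.end()
        while depth and i < len(tf_text):
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        yield m.group(1), tf_text[m.end():i - 1]

def check_secret_expiry(tf_text, now=None, max_lifetime_days=365):
    """Map resource name -> finding, or None if it passes. The first finding is the
    tfsec check; the two date findings are an assumed extra lifetime policy."""
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    results = {}
    for name, body in extract_blocks(tf_text):
        attr = ATTR_RE.search(body)
        if attr is None:
            results[name] = "no expiration_date set"
            continue
        expiry = parse_ts(attr.group(1))
        if expiry <= now:
            results[name] = "expiration_date is already in the past"
        elif expiry - now > timedelta(days=max_lifetime_days):
            results[name] = "expiration_date exceeds max lifetime"
        else:
            results[name] = None
    return results
```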