
azure-vault-key-expiry

Ensure that the expiration date is set on all keys

It is a recommended best practice to always configure your Azure Key Vault keys with an expiration date, after which the key may no longer be used for protecting sensitive and confidential data. Without one, a key never expires, and a key that leaks or is no longer needed stays usable indefinitely unless someone remembers to disable it.

Examples

Insecure Example

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  expiration_date = null  # (default is to not expire)
}

Secure Example

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  expiration_date = "2022-01-10T09:00:00Z"
}
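The two examples above show the attribute to look for; in practice a reviewer wants to scan a whole Terraform tree for this condition. The following is an added example (not part of the original page, and not tfsec's own implementation) of a small Python checker that finds every azurerm_key_vault_key resource in a .tf file and flags those where expiration_date is missing or null. It goes one step further than the page's rule and also flags a fixed date that is already in the past, since an expired key is no more useful than one that never expires. The sample .tf content, the resource names, and the check_expiry/find_key_resources function names are all constructed for this example; the brace-matching scanner is deliberately simple (it does not understand heredocs or braces inside strings), and a real tool should use a proper HCL parser such as python-hcl2.

```python
import re
from datetime import datetime, timezone

# Constructed sample Terraform content (not from the page): one key with no
# expiration_date, one with an explicit null, and one with a fixed date.
SAMPLE_TF = '''
resource "azurerm_key_vault_key" "no_expiry" {
  name         = "no-expiry"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "null_expiry" {
  name            = "null-expiry"
  key_vault_id    = azurerm_key_vault.example.id
  key_type        = "RSA"
  key_size        = 2048
  expiration_date = null  # (default is to not expire)
}

resource "azurerm_key_vault_key" "with_expiry" {
  name            = "with-expiry"
  key_vault_id    = azurerm_key_vault.example.id
  key_type        = "RSA"
  key_size        = 2048
  expiration_date = "2022-01-10T09:00:00Z"
}
'''

# Matches the header of an azurerm_key_vault_key resource block, up to its "{".
RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault_key"\s+"([^"]+)"\s*\{')
# Matches an expiration_date line; group 1 is the value, trailing comment ignored.
EXPIRY_RE = re.compile(r'^\s*expiration_date\s*=\s*(.+?)\s*(#.*)?$', re.MULTILINE)


def _block_body(text, open_brace):
    """Return the text between the "{" at open_brace and its matching "}"."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_key_resources(text):
    """Yield (resource_name, block_body) for every azurerm_key_vault_key resource."""
    for m in RESOURCE_RE.finditer(text):
        yield m.group(1), _block_body(text, m.end() - 1)


def _parse_rfc3339_utc(value):
    """Parse the RFC 3339 UTC form the provider expects, e.g. 2022-01-10T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_expiry(text, now):
    """Return {resource_name: finding}; finding is None when the key is compliant.

    `now` is an RFC 3339 UTC string so results are reproducible in tests.
    """
    now_dt = _parse_rfc3339_utc(now)
    findings = {}
    for name, body in find_key_resources(text):
        m = EXPIRY_RE.search(body)
        if m is None:
            findings[name] = "expiration_date not set (default: key never expires)"
            continue
        value = m.group(1).strip()
        if value == "null":
            findings[name] = "expiration_date is null (key never expires)"
            continue
        if not (value.startswith('"') and value.endswith('"')):
            # e.g. timeadd(timestamp(), ...): cannot evaluate statically here.
            findings[name] = f"expiration_date is an expression ({value}); verify it yields a fixed future date"
            continue
        try:
            expires = _parse_rfc3339_utc(value.strip('"'))
        except ValueError:
            findings[name] = f"expiration_date {value} is not in RFC 3339 UTC form"
            continue
        findings[name] = (f"expiration_date {value} is already in the past"
                          if expires <= now_dt else None)
    return findings


if __name__ == "__main__":
    for name, finding in check_expiry(SAMPLE_TF, "2021-06-01T00:00:00Z").items():
        print(f"{name}: {finding or 'OK'}")
```

Run against the constructed sample with a 2021 "now", only with_expiry passes; run with a "now" after 10 January 2022, it is flagged as expired as well, which is the situation a team hits when they copy a fixed date from an example and never revisit it. Treat the "expression" finding as a manual-review item rather than a pass: a value derived from timestamp() changes on every plan, so it is worth confirming the team actually intended that behaviour.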

More information