
azure-vault-secret-expiry

Ensure that the expiration date is set on all secrets

It is considered an industry best practice to rotate your secrets. Within Azure Key Vault, this can be enforced by defining an expiration date on each secret that is created, which indicates the date after which the secret may no longer be used.

Examples

Insecure Example

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = null  # (default is to not expire)
}

Secure Example

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2020-12-30T20:00:00Z"
}
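
The same rule can be checked against a plan before apply. The following is an added example, not part of the original page or any scanner's own implementation: it walks a constructed sample in the shape of `terraform show -json` output and reports `azurerm_key_vault_secret` resources without an `expiration_date`. Flagging a date that has already passed goes beyond the rule as stated above; the function names and sample addresses are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_key_vault_secret.no_expiry",
     "type": "azurerm_key_vault_secret",
     "values": {"name": "secret-sauce", "expiration_date": null}},
    {"address": "azurerm_key_vault_secret.with_expiry",
     "type": "azurerm_key_vault_secret",
     "values": {"name": "secret-sauce",
                "expiration_date": "2020-12-30T20:00:00Z"}}
  ],
  "child_modules": [
    {"resources": [
      {"address": "module.app.azurerm_key_vault_secret.nested",
       "type": "azurerm_key_vault_secret",
       "values": {"name": "db-password"}}
    ]}
  ]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_secret_expiry(plan, now=None):
    """Return (address, problem) pairs for Key Vault secrets lacking a usable expiry."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_key_vault_secret":
            continue
        expiry = res.get("values", {}).get("expiration_date")
        if not expiry:  # null or absent: the secret never expires
            findings.append((res["address"], "expiration_date not set"))
        elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            findings.append((res["address"], "expiration_date already passed"))
    return findings
```

Passing a fixed `now` makes the result reproducible in CI; a non-empty return value is the condition to fail the pipeline on.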

More information