Insecure service configuration - AKV Secret Expiration
Need
Enforce expiration dates for secrets stored in Azure Key Vault
Context
• Usage of Terraform for Infrastructure as Code (IaC)
• Usage of AzureRM for managing Azure resources
Description
1. Non-compliant code
```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# ... (the azurerm_key_vault "example" block, for the vault "examplevault", is elided on this page)

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
```
The above Terraform code creates a resource group, a key vault and a secret in Azure. The vulnerability lies in the `azurerm_key_vault_secret` block, where the secret `secret-sauce` is stored in the key vault `examplevault` without an expiration date. This is a security risk because, if the secret is compromised, it can be used indefinitely by an attacker. The best practice is to always set an expiration date for secrets, to limit the time window in which a compromised secret can be used.
2. Steps
1. Set the `expiration_date` property for the Azure Key Vault secret.
2. Determine an appropriate expiration date for the secret.
3. Update the `azurerm_key_vault_secret` resource block to include the `expiration_date` property.
4. Deploy the updated Terraform configuration to apply the changes.
3. Secure code example
```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# ... (the azurerm_key_vault "example" block is elided on this page)

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2023-04-01T01:02:03Z"
}
```
The updated code adds an `expiration_date` property to the `azurerm_key_vault_secret` resource. This property is set to a specific date and time in the future, after which the secret expires. The `expiration_date` uses the ISO 8601 format "YYYY-MM-DDTHH:MM:SSZ"; in this example, the secret expires on April 1, 2023, at 01:02:03 UTC. Setting an expiration date ensures that the secret cannot be used indefinitely, reducing the potential impact of a compromised secret. Once the secret has expired, it must be renewed before it can be used again, which provides an opportunity to review and, if necessary, update the secret. After updating the Terraform configuration with the `expiration_date` property, deploy the configuration to apply the changes, for example with the `terraform apply` command.
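As an added check, not part of the original page or of the AzureRM provider, the Python script below reads the JSON produced by `terraform show -json tfplan` and flags every `azurerm_key_vault_secret` whose `expiration_date` is missing, not in the "YYYY-MM-DDTHH:MM:SSZ" form, or already in the past, so the gap is caught before `terraform apply`. It goes slightly beyond the page by also walking nested modules; the plan JSON is constructed inline to mirror the two secret blocks above.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `terraform show -json tfplan`, trimmed
# to the fields this check reads. The two secrets mirror the page's
# non-compliant and secure azurerm_key_vault_secret blocks.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_key_vault_secret.example", "type": "azurerm_key_vault_secret",
     "values": {"name": "secret-sauce"}},
    {"address": "azurerm_key_vault_secret.rotated", "type": "azurerm_key_vault_secret",
     "values": {"name": "secret-sauce", "expiration_date": "2023-04-01T01:02:03Z"}},
    {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group",
     "values": {"name": "example-resources", "location": "West Europe"}},
]}}})

def parse_expiry(raw):
    """Parse the YYYY-MM-DDTHH:MM:SSZ form Key Vault expects; None if malformed."""
    try:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def iter_resources(module):
    """Yield resources from the root module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_violations(plan_json, now=None):
    """Map each Key Vault secret address to a reason if its expiry is missing,
    malformed, or not in the future relative to `now` (default: current UTC)."""
    now = now if now is not None else datetime.now(timezone.utc)
    findings = {}
    for res in iter_resources(json.loads(plan_json)["planned_values"]["root_module"]):
        if res.get("type") != "azurerm_key_vault_secret":
            continue
        raw = (res.get("values") or {}).get("expiration_date")
        expiry = parse_expiry(raw)
        if raw is None:
            findings[res["address"]] = "expiration_date not set"
        elif expiry is None:
            findings[res["address"]] = f"expiration_date {raw!r} is not YYYY-MM-DDTHH:MM:SSZ"
        elif expiry <= now:
            findings[res["address"]] = f"expiration_date {raw} is already in the past"
    return findings

if __name__ == "__main__":
    for address, reason in find_violations(SAMPLE_PLAN).items():
        print(f"{address}: {reason}")
```

Run against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `find_violations`; a non-empty result should fail the pipeline step.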