From 270f61a75a2796964e7d7ff3b8f06890c1d8f24b Mon Sep 17 00:00:00 2001
From: Dean Sorie <66969624+deanosaurx@users.noreply.github.com>
Date: Sun, 23 Jun 2024 18:20:10 +0300
Subject: [PATCH] Added expire_time option to the secret-manager module (#2373)
* Added expire_time option to the secret module
* Ran tfdoc to update the readme file
* Fixed a failed test, moved the expire_time variable to the top and ran tfdoc again
---
modules/secret-manager/README.md | 11 ++++++-----
modules/secret-manager/main.tf | 12 +++++++-----
modules/secret-manager/variables.tf | 7 ++++++-
3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index eefec750b5..32e6b305a2 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -110,11 +110,12 @@ module "secret-manager" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string
| ✓ | |
-| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
-| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string))
| | {}
|
-| [secrets](variables.tf#L34) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…}))
| | {}
|
-| [versions](variables.tf#L43) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…})))
| | {}
|
+| [project_id](variables.tf#L34) | Project id where the keyring will be created. | string
| ✓ | |
+| [expire_time](variables.tf#L16) | Timestamp in UTC when the Secret is scheduled to expire. | string
| | null
|
+| [iam](variables.tf#L22) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
+| [labels](variables.tf#L28) | Optional labels for each secret. | map(map(string))
| | {}
|
+| [secrets](variables.tf#L39) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…}))
| | {}
|
+| [versions](variables.tf#L48) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…})))
| | {}
|
## Outputs
diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf
index 61f4d5efe2..d5df3730c3 100644
--- a/modules/secret-manager/main.tf
+++ b/modules/secret-manager/main.tf
@@ -33,13 +33,15 @@ locals {
version_keypairs = {
for pair in local.version_pairs : "${pair.secret}:${pair.name}" => pair
}
+ expire_time = var.expire_time != null ? var.expire_time : ""
}
resource "google_secret_manager_secret" "default" {
- for_each = var.secrets
- project = var.project_id
- secret_id = each.key
- labels = lookup(var.labels, each.key, null)
+ for_each = var.secrets
+ project = var.project_id
+ secret_id = each.key
+ labels = lookup(var.labels, each.key, null)
+ expire_time = local.expire_time != "" ? local.expire_time : null
dynamic "replication" {
for_each = each.value.locations == null ? [""] : []
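Review bot: The detour through `local.expire_time` is a no-op: the new local maps a null `var.expire_time` to `""` and the resource argument then maps `""` straight back to null, so `expire_time = var.expire_time` on the resource gives the same result and the local can be dropped. More important, this is one module-wide timestamp applied to every secret in `var.secrets`; Secret Manager deletes a secret once its expire_time passes, so a single value here means every secret managed by this module is destroyed at the same instant, and a mistyped year does that on the next apply. If that scope is intended, a comment on the resource line such as `# expire_time is module-wide: every secret in var.secrets is deleted at this timestamp` makes the blast radius explicit; otherwise a per-secret `expire_time` attribute inside the `secrets` object would be the safer shape. The resource block continues outside the hunk.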
@@ -93,4 +95,4 @@ resource "google_secret_manager_secret_iam_binding" "default" {
role = each.value.role
secret_id = google_secret_manager_secret.default[each.value.secret].id
members = each.value.members
-}
\ No newline at end of file
+}
diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf
index 089f2a69b2..6fb447239c 100644
--- a/modules/secret-manager/variables.tf
+++ b/modules/secret-manager/variables.tf
@@ -13,6 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+variable "expire_time" {
+ description = "Timestamp in UTC when the Secret is scheduled to expire."
+ type = string
+ default = null
+}
variable "iam" {
description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
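Review bot: The new `expire_time` variable accepts any string, but the provider only accepts an RFC 3339 timestamp, so a malformed value surfaces as an apply-time error rather than at plan time; a validation block with `can(formatdate(...))` rejects it early. The description should also state that the value applies to every secret in the module and that Secret Manager deletes a secret once the timestamp passes, since that deletion is the consequence a caller needs to know before setting it. A draft of the variable with the validation follows; the remaining hunk lines are unchanged.
```terraform
variable "expire_time" {
  description = "Timestamp in UTC (RFC 3339) at which every secret in this module is scheduled to expire; Secret Manager deletes an expired secret."
  # … unchanged: type / default …
  validation {
    condition     = var.expire_time == null || can(formatdate("YYYY", var.expire_time))
    error_message = "expire_time must be an RFC 3339 timestamp, e.g. 2030-01-01T00:00:00Z."
  }
}
```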
@@ -47,4 +52,4 @@ variable "versions" {
data = string
})))
default = {}
-}
\ No newline at end of file
+}