Add Example for Rotation Windows #378

Open
wants to merge 2 commits into
base: main
62 changes: 62 additions & 0 deletions docs/index.md
Expand Up @@ -46,3 +46,65 @@ resource "aws_instance" "server" {
`triggers` are *not* treated as sensitive attributes; a value used for `triggers` will be displayed in Terraform UI output as plaintext.

To force a these actions to reoccur without updating `triggers`, the [`terraform taint` command](https://www.terraform.io/docs/commands/taint.html) can be used to produce the action on the next run.

## Implementing Rotation Windows

The following example demonstrates how to use `time_rotating` to implement a rotation mechanism for tokens, ensuring overlapping availability during transitions.

### Example Usage

```terraform
resource "time_rotating" "rotate_token_1" {
rotation_minutes = var.expiration_time_in_minutes
}

resource "time_rotating" "rotate_token_2" {
rfc3339 = time_rotating.rotate_token_1.rotation_rfc3339

# Shorter rotation window to overlap with the first token
rotation_minutes = var.expiration_time_in_minutes / 2

lifecycle {
ignore_changes = [
rfc3339
]
}
}

# Replace with a token resource from another provider
resource "token_resource" "token_1" {
expires_at = timeadd(time_rotating.rotate_token_1.rfc3339, "${var.expiration_time_in_minutes * 1.5}m")

# ... (other token arguments) ...
}

# Replace with a token resource from another provider
resource "token_resource" "token_2" {
expires_at = timeadd(time_rotating.rotate_token_2.rfc3339, "${var.expiration_time_in_minutes * 1.5}m")

# ... (other token arguments) ...
}

locals {
use_token1 = timecmp(time_rotating.rotate_token_1.rfc3339, time_rotating.rotate_token_2.rfc3339) > 0
}

output "active_token" {
value = local.use_token1 ? token_resource.token_1.value : token_resource.token_2.value
sensitive = true
}
```

### Key Considerations

1. **Overlapping Availability**:
- Token 1 and Token 2 have overlapping rotation windows to ensure seamless availability during transitions. This minimizes potential downtime or lapses in functionality.

2. **Simplified Token Resources**:
- The `token_resource` represents a generalized token configuration. Replace this with your specific token implementation.

3. **Active Token Logic**:
- The `local.use_token1` logic determines which token is currently active based on the rotation timestamps.

4. **Customizable Rotation**:
- The rotation intervals (`rotation_minutes`) can be tailored to meet your system's requirements for availability and security.
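Review bot: In `rotate_token_2`, `rotation_minutes = var.expiration_time_in_minutes / 2` evaluates to a fractional number whenever the variable is odd, while `rotation_minutes` takes a whole number of minutes; wrap the division in `floor(...)` or state that the variable must be even. The example also never declares `var.expiration_time_in_minutes`, so a short `variable` block with a type and description would make it copyable. In Key Considerations, item 3 should say which way the `timecmp(...) > 0` comparison selects (the token whose `rfc3339` is later), and item 1 should spell out that both `expires_at` values are fixed at 1.5 times the window after the rotation timestamp, so readers know how soon the next apply has to happen for the replacement token to exist before the old one expires.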