azurerm_key_vault_secret - support for not_before_date and `expir…

…ation_date` (#4873)

azurerm/resource_arm_key_vault_secret.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
+	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
@@ -72,6 +73,18 @@ func resourceArmKeyVaultSecret() *schema.Resource {
 				Optional: true,
 			},
 
+			"not_before_date": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validate.RFC3339Time,
+			},
+
+			"expiration_date": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validate.RFC3339Time,
+			},
+
 			"version": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -131,9 +144,22 @@ func resourceArmKeyVaultSecretCreate(d *schema.ResourceData, meta interface{}) e
 	t := d.Get("tags").(map[string]interface{})
 
 	parameters := keyvault.SecretSetParameters{
-		Value:       utils.String(value),
-		ContentType: utils.String(contentType),
-		Tags:        tags.Expand(t),
+		Value:            utils.String(value),
+		ContentType:      utils.String(contentType),
+		Tags:             tags.Expand(t),
+		SecretAttributes: &keyvault.SecretAttributes{},
+	}
+
+	if v, ok := d.GetOk("not_before_date"); ok {
+		notBeforeDate, _ := time.Parse(time.RFC3339, v.(string)) //validated by schema
+		notBeforeUnixTime := date.UnixTime(notBeforeDate)
+		parameters.SecretAttributes.NotBefore = &notBeforeUnixTime
+	}
+
+	if v, ok := d.GetOk("expiration_date"); ok {
+		expirationDate, _ := time.Parse(time.RFC3339, v.(string)) //validated by schema
+		expirationUnixTime := date.UnixTime(expirationDate)
+		parameters.SecretAttributes.Expires = &expirationUnixTime
 	}
 
 	if _, err := client.SetSecret(ctx, keyVaultBaseUrl, name, parameters); err != nil {
@@ -188,12 +214,27 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e
 	contentType := d.Get("content_type").(string)
 	t := d.Get("tags").(map[string]interface{})
 
+	secretAttributes := &keyvault.SecretAttributes{}
+
+	if v, ok := d.GetOk("not_before_date"); ok {
+		notBeforeDate, _ := time.Parse(time.RFC3339, v.(string)) //validated by schema
+		notBeforeUnixTime := date.UnixTime(notBeforeDate)
+		secretAttributes.NotBefore = &notBeforeUnixTime
+	}
+
+	if v, ok := d.GetOk("expiration_date"); ok {
+		expirationDate, _ := time.Parse(time.RFC3339, v.(string)) //validated by schema
+		expirationUnixTime := date.UnixTime(expirationDate)
+		secretAttributes.Expires = &expirationUnixTime
+	}
+
 	if d.HasChange("value") {
 		// for changing the value of the secret we need to create a new version
 		parameters := keyvault.SecretSetParameters{
-			Value:       utils.String(value),
-			ContentType: utils.String(contentType),
-			Tags:        tags.Expand(t),
+			Value:            utils.String(value),
+			ContentType:      utils.String(contentType),
+			Tags:             tags.Expand(t),
+			SecretAttributes: secretAttributes,
 		}
 
 		if _, err = client.SetSecret(ctx, id.KeyVaultBaseUrl, id.Name, parameters); err != nil {
@@ -214,8 +255,9 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e
 		d.SetId(*read.ID)
 	} else {
 		parameters := keyvault.SecretUpdateParameters{
-			ContentType: utils.String(contentType),
-			Tags:        tags.Expand(t),
+			ContentType:      utils.String(contentType),
+			Tags:             tags.Expand(t),
+			SecretAttributes: secretAttributes,
 		}
 
 		if _, err = client.UpdateSecret(ctx, id.KeyVaultBaseUrl, id.Name, id.Version, parameters); err != nil {
@@ -280,6 +322,16 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err
 	d.Set("version", respID.Version)
 	d.Set("content_type", resp.ContentType)
 
+	if attributes := resp.Attributes; attributes != nil {
+		if v := attributes.NotBefore; v != nil {
+			d.Set("not_before_date", time.Time(*v).Format(time.RFC3339))
+		}
+
+		if v := attributes.Expires; v != nil {
+			d.Set("expiration_date", time.Time(*v).Format(time.RFC3339))
+		}
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }
 

azurerm/resource_arm_key_vault_secret_test.go

@@ -153,6 +153,8 @@ func TestAccAzureRMKeyVaultSecret_complete(t *testing.T) {
 				Config: config,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultSecretExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "not_before_date", "2019-01-01T01:02:03Z"),
+					resource.TestCheckResourceAttr(resourceName, "expiration_date", "2020-01-01T01:02:03Z"),
 					resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
 					resource.TestCheckResourceAttr(resourceName, "tags.hello", "world"),
 				),
@@ -445,10 +447,12 @@ resource "azurerm_key_vault" "test" {
 }
 
 resource "azurerm_key_vault_secret" "test" {
-  name         = "secret-%s"
-  value        = "<rick><morty /></rick>"
-  key_vault_id = "${azurerm_key_vault.test.id}"
-  content_type = "application/xml"
+  name            = "secret-%s"
+  value           = "<rick><morty /></rick>"
+  key_vault_id    = "${azurerm_key_vault.test.id}"
+  content_type    = "application/xml"
+  not_before_date = "2019-01-01T01:02:03Z"
+  expiration_date = "2020-01-01T01:02:03Z"
 
   tags = {
     "hello" = "world"

website/docs/r/key_vault_secret.html.markdown

@@ -81,14 +81,18 @@ The following arguments are supported:
 
 * `value` - (Required) Specifies the value of the Key Vault Secret.
 
-~> **Note:** Key Vault strips newlines. To preserve newlines in multi-line secrets try replacing them with `\n` or by base 64 encoding them with `replace(file("my_secret_file"), "/\n/", "\n")` or `base64encode(file("my_secret_file"))`, respectively. 
+~> **Note:** Key Vault strips newlines. To preserve newlines in multi-line secrets try replacing them with `\n` or by base 64 encoding them with `replace(file("my_secret_file"), "/\n/", "\n")` or `base64encode(file("my_secret_file"))`, respectively.
 
 * `key_vault_id` - (Required) The ID of the Key Vault where the Secret should be created.
 
 * `content_type` - (Optional) Specifies the content type for the Key Vault Secret.
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
+* `not_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
+
+* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
+
 ## Attributes Reference
 
 The following attributes are exported: