Add warning state to rotation#8030

Merged
hallipr merged 3 commits into main from users/pahallis/secrets-warning
Apr 15, 2024

@hallipr hallipr commented Apr 6, 2024

This change allows for a secret to be in a warning state (should have been rotated previously and is close to expiration) and replaces the state booleans Expired, ThresholdExpired, and now WarningExpired with a single state enum:

    Error,
    UpToDate,
    Rotate,
    Warning,
    Expired,

If any secret enters the WarningThreshold, the CLI will categorize it as Expiring and the status command will return a non-zero exit code.

The WarningThreshold for plans should be configured so there is reasonable time past the RotationThreshold to allow for rotation and prevent unnecessary warnings.

@hallipr hallipr requested a review from a team as a code owner April 6, 2024 06:40

DateTimeOffset? warningThresholdDate = WarningThreshold.HasValue
? this.timeProvider.GetCurrentDateTimeOffset().Add(WarningThreshold.Value)
: default;
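
Review bot: WarningThreshold.Value is added to the current time with no bound in these lines, so a zero or negative TimeSpan would place warningThresholdDate at or before now; validate the configured value (positive, and shorter than the rotation threshold) where the plan is loaded, or reject it here. The `: default` branch also leaves warningThresholdDate null when WarningThreshold is unset, and a short comment on what a null date means for the Warning state would help readers of the comparison that follows.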

Should we have a smart default? Perhaps half the time of the expire?

@hallipr hallipr (Member Author) Apr 15, 2024

I think that will be rotationThreshold / 2.

For the config:

    {
      "rotationPeriod": "180.00:00:00",
      "rotationThreshold": "30.00:00:00"
    }

we'd get the implicit:

    "warningThreshold": "15.00:00:00"

meaning, we create a 180 day secret and rotate it 30 days before expiration. If we haven't rotated it 15 days before expiration, we start reporting a warning.

@hallipr hallipr enabled auto-merge (squash) April 15, 2024 20:29
@hallipr hallipr merged commit 9ae20c3 into main Apr 15, 2024
@hallipr hallipr deleted the users/pahallis/secrets-warning branch April 15, 2024 20:39
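
A sketch of the state classification discussed in this thread, added here as an example and not taken from the PR or the project. The enum member names come from the description; `Classify`, its parameters, the inclusive boundaries, the use of `Error` for a missing expiration date and the exit-code rule are assumptions.

```csharp
using System;
using System.Globalization;

// Member names are from the PR description; their meaning below is assumed.
public enum RotationState { Error, UpToDate, Rotate, Warning, Expired }

public static class RotationExample
{
    // Hypothetical helper: classifies one secret by time left until expiration.
    public static RotationState Classify(
        DateTimeOffset? expiration, DateTimeOffset now,
        TimeSpan rotationThreshold, TimeSpan? warningThreshold = null)
    {
        if (expiration is null) return RotationState.Error; // assumed use of Error

        // Implicit default proposed in the thread: rotationThreshold / 2.
        TimeSpan warning = warningThreshold ?? rotationThreshold / 2;
        if (warning <= TimeSpan.Zero || warning >= rotationThreshold)
            throw new ArgumentException(
                "warningThreshold must be positive and shorter than rotationThreshold");

        TimeSpan remaining = expiration.Value - now;
        if (remaining <= TimeSpan.Zero) return RotationState.Expired;
        if (remaining <= warning) return RotationState.Warning;       // overdue for rotation
        if (remaining <= rotationThreshold) return RotationState.Rotate;
        return RotationState.UpToDate;
    }

    public static void Main()
    {
        // Constructed sample: the 180-day / 30-day plan from the thread.
        TimeSpan period = TimeSpan.Parse("180.00:00:00", CultureInfo.InvariantCulture);
        TimeSpan rotation = TimeSpan.Parse("30.00:00:00", CultureInfo.InvariantCulture);
        var created = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
        DateTimeOffset expires = created + period;

        bool failing = false;
        foreach (int daysLeft in new[] { 45, 30, 16, 15, 1, 0 })
        {
            RotationState state = Classify(expires, expires.AddDays(-daysLeft), rotation);
            Console.WriteLine($"{daysLeft,3} days left -> {state}");
            // Assumed rule: Warning, Expired and Error all fail a status check.
            failing |= state is RotationState.Warning or RotationState.Expired
                             or RotationState.Error;
        }
        Environment.Exit(failing ? 1 : 0); // non-zero once any secret is in warning
    }
}
```

With the implicit 15-day warning threshold, the sample prints UpToDate at 45 days, Rotate at 30 and 16 days, Warning at 15 and 1 days, and Expired at 0.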