Add warning state to rotation #8030

Merged
merged 3 commits into from
Apr 15, 2024


@hallipr hallipr commented Apr 6, 2024

This change allows for a secret to be in a warning state (should have been rotated previously and is close to expiration) and replaces the state booleans Expired, ThresholdExpired, and now WarningExpired with a single state enum:

    Error,
    UpToDate,
    Rotate,
    Warning,
    Expired,

If any secret enters the WarningThreshold, the cli will categorize it as Expiring and the status command will return a non-zero exit code.

The WarningThreshold for plans should be configured so there is reasonable time past the RotationThreshold to allow for rotation and prevent unnecessary warnings.

@hallipr hallipr requested a review from a team as a code owner April 6, 2024 06:40

DateTimeOffset? warningThresholdDate = WarningThreshold.HasValue
? this.timeProvider.GetCurrentDateTimeOffset().Add(WarningThreshold.Value)
: default;
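
Review bot: In the ": default" branch, warningThresholdDate is left null whenever WarningThreshold is unset, and nothing here says what an unset threshold means. Either document on the property that the setting is optional and that a null date means no warning window is evaluated, or derive a fallback value at this point. Writing ": null" rather than ": default" would also make the nullable result explicit to readers.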

should we have a smart default? Perhaps half the time of the expire?

@hallipr hallipr Apr 15, 2024

I think that will be rotationThreshold / 2.

For the config:

{
  "rotationPeriod": "180.00:00:00",
  "rotationThreshold": "30.00:00:00"
}

we'd get the implicit:

 "warningThreshold": "15.00:00:00"

Meaning, we create a 180-day secret and rotate it 30 days before expiration. If we haven't rotated it 15 days before expiration, we start reporting a warning.

@hallipr hallipr enabled auto-merge (squash) April 15, 2024 20:29
@hallipr hallipr merged commit 9ae20c3 into main Apr 15, 2024
10 checks passed
@hallipr hallipr deleted the users/pahallis/secrets-warning branch April 15, 2024 20:39
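
The state classification and implicit warning threshold discussed in this thread, as an added C# example (not code from the pull request or the project). The class and method names, the order of the checks, the validation of the thresholds, and the rule that Warning or Expired fails the status check are assumptions; the Error state is not derived here.

```csharp
using System;
using System.Globalization;
using System.Linq;

// Added illustration: names are hypothetical, only the enum values come from the PR description.
public enum RotationState { Error, UpToDate, Rotate, Warning, Expired }

public static class RotationStateExample
{
    // Implicit default from the review thread: warningThreshold = rotationThreshold / 2.
    public static TimeSpan EffectiveWarningThreshold(TimeSpan rotationThreshold, TimeSpan? warningThreshold)
        => warningThreshold ?? TimeSpan.FromTicks(rotationThreshold.Ticks / 2);

    // Classify one secret by its expiration date, checking the most severe state first.
    public static RotationState Classify(DateTimeOffset now, DateTimeOffset expiration,
        TimeSpan rotationThreshold, TimeSpan? warningThreshold = null)
    {
        TimeSpan warning = EffectiveWarningThreshold(rotationThreshold, warningThreshold);
        // Assumed validation: a warning window wider than the rotation window would
        // report a warning before rotation was ever due.
        if (warning > rotationThreshold)
            throw new ArgumentException("warningThreshold must not exceed rotationThreshold");

        if (expiration <= now) return RotationState.Expired;
        if (expiration <= now.Add(warning)) return RotationState.Warning;
        if (expiration <= now.Add(rotationThreshold)) return RotationState.Rotate;
        return RotationState.UpToDate;
    }

    public static int Main()
    {
        TimeSpan rotationThreshold = TimeSpan.Parse("30.00:00:00", CultureInfo.InvariantCulture);
        var now = new DateTimeOffset(2024, 4, 15, 0, 0, 0, TimeSpan.Zero); // constructed clock
        int[] daysLeft = { 120, 20, 10, -1 };                              // constructed sample secrets

        RotationState[] states = daysLeft
            .Select(d => Classify(now, now.AddDays(d), rotationThreshold))
            .ToArray();
        for (int i = 0; i < states.Length; i++)
            Console.WriteLine($"{daysLeft[i],4} days to expiry -> {states[i]}");

        // Assumption: any secret in Warning or Expired makes the status check exit non-zero.
        bool failing = states.Any(s => s == RotationState.Warning || s == RotationState.Expired);
        return failing ? 1 : 0;
    }
}
```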