This Terraform module is designed to manage the creation and rotation of Confluent API Keys. The key rotation is triggered based on the number of days since the key's creation, ensuring that keys are regularly updated for enhanced security. You can also configure the module to retain a specific number of API Keys per Service Account, giving you flexibility in how keys are managed.
A Terraform module is essentially a collection of input and output variables, resources, and configuration files that encapsulate specific functionality. By defining input variables, you can customize the module's behavior without altering its source code, making it adaptable to various use cases. Output variables provide information that can be used by other modules or configurations. This modular approach not only promotes reusability and composability but also simplifies the sharing of standardized configurations across different Terraform setups, enabling more efficient and consistent infrastructure management.
Important Notice
To ensure seamless operation and avoid potential disruptions when using Terraform with time-based rotation, it’s crucial to regularly execute the module within the specified rotation period. Specifically, the execution frequency should match or exceed the configured rotation interval for the API key. Failing to adhere to this schedule risks the deletion of multiple key pairs in a single execution cycle. Such an occurrence could potentially remove all active API keys, thereby disrupting any processes that rely on older keys for accessing Snowflake resources. To maintain uninterrupted access and functionality, it is imperative to keep the module execution timely and consistent with the rotation settings.
These are the steps:

1. Take care of the cloud environment prerequisites listed below. You need to have the following cloud accounts:
   - Confluent Account
   - GitHub Account with OIDC configured for AWS
   - Terraform Cloud Account

2. Clone the repo:

   git clone https://github.com/j3-signalroom/iac-snowflake-user-rsa_key_pairs_rotation-tf_module.git

3. Update the cloned Terraform module's main.tf by following these steps:

   a. Locate the `terraform.cloud` block and replace `signalroom` with your Terraform Cloud Organization Name.
   b. In the `terraform.cloud.workspaces` block, replace `snowflake-user-rsa-key-generator-workspace` with your Terraform Cloud Organization's Workspace Name.

4. Deploy your Terraform module to GitHub by following these steps:

   a. Commit your module: Ensure all changes to your Terraform module are committed to your local Git repository.
   b. Push to GitHub: Push your committed changes to your GitHub repository. This makes the module available for use in other projects.
   c. Add a Module Block: In the Terraform configuration where you want to use the module, add a module block. Inside this block, include the following:
      - Source: Reference the GitHub repository URL where your module is stored.
      - Version: Specify the appropriate branch, tag, or commit hash to ensure you’re using the correct version of the module.
   d. Pass Input Variables: Within the same module block, pass the required input variables by defining them as key-value pairs:
      | Input Variable | Required | Description |
      |---|---|---|
      | `confluent_api_key` | Yes | Specifies the Confluent API Key (also referred to as the Cloud API ID) |
      | `confluent_api_secret` | Yes | Specifies the Confluent API Secret |
      | `day_count` | No (defaults to 30 days) | Specifies after how many days the API Key should be rotated |
      | `number_of_api_keys_to_retain` | No (defaults to 2 API Keys) | Specifies the number of API Keys to retain |
      | `key_display_name` | No (defaults to a display name with the current date) | Specifies the human-readable name for the API Key |
      | `owner` | Yes | Specifies the API Key Owner. Refer to the Confluent API Key Docs for more info |
      | `resource` | Yes | Specifies the API Key Resource associated with it. Refer to the Confluent API Key Docs for more details |

   e. Output Variables:
      | Output Variable | Description |
      |---|---|
      | `active_api_key` | Specifies the current active API Key to be used for new logins. Refer to confluent/confluent_api_key for the expected structure |
      | `all_api_keys` | Specifies all API Keys sorted by creation date, with the current active API Key being the 1st in the collection |
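Steps c through e above, as an added example of a configuration that consumes this module (it is not code from the repository): the source is the repository cloned in step 2 with a git `ref` standing in for the branch, tag or commit hash; the object shapes of `owner` and `resource`, the `sa-`/`lkc-`/`env-` placeholder ids, and the assumption that `active_api_key` exposes the `id` and `secret` attributes of the confluent_api_key resource are all assumptions, not something the module documents here.

```hcl
# Added example: consume the rotation module from another Terraform configuration.
variable "confluent_api_key" {
  type      = string
  sensitive = true   # Cloud API credentials come from variables, never from source
}
variable "confluent_api_secret" {
  type      = string
  sensitive = true
}

module "kafka_api_key_rotation" {
  # Step c: the GitHub repository URL; `ref` pins a branch, tag or commit hash.
  source = "git::https://github.com/j3-signalroom/iac-snowflake-user-rsa_key_pairs_rotation-tf_module.git?ref=main"

  # Step d: required inputs.
  confluent_api_key    = var.confluent_api_key
  confluent_api_secret = var.confluent_api_secret

  # ASSUMPTION: owner/resource use the same object shape as the confluent_api_key
  # resource's owner and managed_resource blocks; the ids below are placeholders.
  owner = {
    id          = "sa-PLACEHOLDER"
    api_version = "iam/v2"
    kind        = "ServiceAccount"
  }
  resource = {
    id          = "lkc-PLACEHOLDER"
    api_version = "cmk/v2"
    kind        = "Cluster"
    environment = { id = "env-PLACEHOLDER" }
  }

  # Optional inputs: rotate every 14 days and keep the newest 3 keys, so clients
  # still holding the previous key keep working while they roll over.
  day_count                    = 14
  number_of_api_keys_to_retain = 3
}

# Step e: expose the active key to whatever needs it. The secret is marked
# sensitive so plan output and `terraform output` do not print it in the clear.
# ASSUMPTION: active_api_key exposes the resource's `id` and `secret` attributes.
output "kafka_api_key_id" {
  value = module.kafka_api_key_rotation.active_api_key.id
}

output "kafka_api_key_secret" {
  value     = module.kafka_api_key_rotation.active_api_key.secret
  sensitive = true
}
```

Per the Important Notice above, schedule the workspace run so that an apply happens at least once every `day_count` days; otherwise a single late run can retire more than one key at a time.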
Best Practices for Using API Keys on Confluent Cloud
Nikoleta Verbeck shows how to use Terraform to rotate Confluent API Key(s)