feat(service-accounts): Add rotating token resource #2436
In order to lower resource usage and have a faster runtime, PRs will not run Cloud tests automatically.
4a34c32 to 40df264
cinaglia
left a comment
LGTM. I've been able to test this locally. One thing I'm not particularly in love with is how we're exposing ServiceAccountRotatingTokenNow, though I don't think there's a much better way to do this.
internal/resources/grafana/resource_service_account_rotating_token.go
@cinaglia I totally agree. It doesn't look very good but I couldn't come up with something better given that all the resources live under the same
I just realized that a couple of tests were setting the time based on the time when the test started, rather than on the token's expiration time, when we actually want the latter because it's the expiration time that's used to determine if the token needs rotation and there could be a second difference between the 2 depending on how long the initial request to create the token took. I fixed it in d368bb8.
I'll wait to merge this until #2445 has been approved, so that we can release both resources under the same minor version bump of the provider.
Related to #1705
Adds a rotating token resource for Service Account tokens like done with Cloud Access Policy tokens in #2390.
I think a concern here is that AFAIK we do not have an API in Grafana to fetch specific tokens by ID, but rather we have to list all the tokens that belong to a Service Account (endpoint) and we cannot filter out expired tokens either. This means that in the long term, as this new Terraform resource keeps rotating tokens, the list of expired tokens returned by Grafana on each TF plan will keep growing. I don't think we should worry about it for now, as it seems unlikely that someone will accumulate too many rotated tokens under one Service Account in the near future, but at some point we might need to consider adding a filter for expired tokens to the endpoint mentioned previously.
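The two points raised in this thread (tokens can only be located by scanning the full list, and rotation is decided from the token's expiration time) can be shown in a small Go sketch. This is an added example, not code from the PR or the provider: the `Token` type, the overridable `now` clock, the `window` parameter and all sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Token is a hypothetical stand-in for one entry of a service account's token list.
type Token struct {
	ID         int64
	Expiration time.Time
}

// now is an overridable clock (an assumption of this sketch) so tests can pin
// time relative to a token's expiration instead of the test's start time.
var now = time.Now

// findToken scans the whole list, since tokens cannot be fetched by ID.
// Expired tokens stay in the list, so this scan grows with every rotation.
func findToken(tokens []Token, id int64) (Token, bool) {
	for _, t := range tokens {
		if t.ID == id {
			return t, true
		}
	}
	return Token{}, false
}

// needsRotation is true when the token is gone or now falls within the
// (hypothetical) early-rotation window before its expiration.
func needsRotation(tokens []Token, id int64, window time.Duration) bool {
	t, ok := findToken(tokens, id)
	return !ok || !now().Before(t.Expiration.Add(-window))
}

// countExpired reports how many listed tokens are already expired.
func countExpired(tokens []Token) int {
	n := 0
	for _, t := range tokens {
		if !t.Expiration.After(now()) {
			n++
		}
	}
	return n
}

func main() {
	exp := time.Now().Add(24 * time.Hour) // constructed sample data
	tokens := []Token{{1, exp.Add(-72 * time.Hour)}, {2, exp.Add(-48 * time.Hour)}, {3, exp}}
	fmt.Println(needsRotation(tokens, 3, time.Hour), countExpired(tokens))
}
```

Pinning `now` to an offset from `Expiration` keeps the boundary case deterministic, which a clock captured when the test starts cannot guarantee if token creation takes about a second.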