Service account key keepers (#4390) (#2860)

modular-magician · jwilner · web-flow · commit afffe5109c78 · 2021-01-12T12:45:03.000-08:00
Co-authored-by: Joe Wilner &lt;jhwilner1@gmail.com&gt;
Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;

Co-authored-by: Joe Wilner &lt;jhwilner1@gmail.com&gt;
diff --git a/.changelog/4390.txt b/.changelog/4390.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+serviceaccount: added a `keepers` field to `google_service_account_key` that recreates the field when it is modified
+```
diff --git a/google-beta/resource_google_service_account_key.go b/google-beta/resource_google_service_account_key.go
@@ -53,6 +53,12 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 				ConflictsWith: []string{"key_algorithm", "private_key_type"},
 				Description:   `A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.`,
 			},
+			"keepers": {
+				Description: "Arbitrary map of values that, when changed, will trigger recreation of resource.",
+				Type:        schema.TypeMap,
+				Optional:    true,
+				ForceNew:    true,
+			},
 			// Computed
 			"name": {
 				Type:        schema.TypeString,
diff --git a/website/docs/r/google_service_account_key.html.markdown b/website/docs/r/google_service_account_key.html.markdown
@@ -25,6 +25,28 @@ resource "google_service_account_key" "mykey" {
 }
 ```
 
+## Example Usage, creating and regularly rotating a key pair
+
+```hcl
+resource "google_service_account" "myaccount" {
+  account_id   = "myaccount"
+  display_name = "My Service Account"
+}
+
+# note this requires the terraform to be run regularly
+resource "time_rotating" "mykey_rotation" {
+  rotate_days = 30
+}
+
+resource "google_service_account_key" "mykey" {
+  service_account_id = google_service_account.myaccount.name
+
+  keepers = {
+    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
+  }
+}
+```
+
 ## Example Usage, save key in Kubernetes secret - DEPRECATED
 
 ```hcl
@@ -69,6 +91,8 @@ Valid values are listed at
 
 * `public_key_data` (Optional) Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `public_key_type` and `private_key_type`.
 
+* `keepers` (Optional) Arbitrary map of values that, when changed, will trigger a new key to be generated.
+
 ## Attributes Reference
 
 The following attributes are exported in addition to the arguments listed above:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+serviceaccount: added a `keepers` field to `google_service_account_key` that recreates the field when it is modified
	`3`	+```