feat: add key rotation

Signed-off-by: Kevin Lefevre <[email protected]>

main.tf

@@ -102,4 +102,15 @@ resource "google_organization_iam_member" "organization_viewer" {
 resource "google_service_account_key" "keys" {
   for_each           = var.generate_keys ? local.names : toset([])
   service_account_id = google_service_account.service_accounts[each.value].email
+  keepers = {
+    rotation_time = var.key_rotation_days == null ? null : time_rotating.key_rotation["key_rotation_days"].rotation_rfc3339
+  }
+
+}
+
+resource "time_rotating" "key_rotation" {
+  for_each = var.key_rotation_days == null ? {} : {
+    "key_rotation_days" = var.key_rotation_days
+  }
+  rotation_days = var.key_rotation_days
 }

variables.tf

@@ -84,3 +84,9 @@ variable "descriptions" {
   description = "List of descriptions for the created service accounts (elements default to the value of `description`)"
   default     = []
 }
+
+variable "key_rotation_days" {
+  type        = number
+  description = "Number of days after which the service account key is rotated"
+  default     = null
+}

versions.tf

@@ -22,6 +22,10 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 3.53, < 7"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "~> 0.12"
+    }
   }
 
   provider_meta "google" {