Terraform Feature Request for AWS Provider - Allow iam_access_key resource to output the keypair age #17294

Closed
jd4883 opened this issue Jan 26, 2021 · 3 comments · Fixed by #17318
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.

jd4883 commented Jan 26, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I am developing a terraform based IAM keypair rotation framework for my organization. I found that the boto3 calls to the AWS API provide a few more details than the terraform state tracks for an aws_iam_access_key resource block. My automation framework will be using terraform with the aws and vault.

The current aws_iam_access_key resource block does not have matching functionality to the AWS API. Using the API, it is possible to get the age of an IAM access key, which for the purpose of creating tooling to rotate these, is a must. Since terraform supports creation / destruction of these via a resource block, it would be really awesome if we can get outputs that match the AWS API capabilities.

It would be awesome if there were more native terraform features related to key rotation here as well, but the main part I see as a barrier to moving forward with my project. The intended goal is to be able to use the keypair age against a user defined variable to determine when the key should be rotated (my exact technical implementation here is still to be determined). Any additional features / adjustments that could allow for easier key rotation automation would be appreciated but are not strictly what this feature request is intended for.

New or Affected Resource(s)

  • aws_iam_access_key

Potential Terraform Configuration

Example state file entry for a keypair with redacted sensitive details:

```json
{
	"module": "XXXXXXXX",
	"mode": "managed",
	"type": "aws_iam_access_key",
	"name": "keys",
	"provider": "provider[\"registry.terraform.io/hashicorp/aws\"].platform",
	"instances": [
		{
			"index_key": 0,
			"schema_version": 0,
			"attributes": {
				"encrypted_secret": null,
				"id": "XXXXXXXX",
				"key_fingerprint": null,
				"pgp_key": null,
				"secret": "XXXXXXXX",
				"ses_smtp_password": "XXXXXXXX",
				"status": "Active",
				"user": "test-user"
			}
		}
	]
}
```

References

@jd4883 jd4883 added the enhancement Requests to existing resources that expand the functionality or scope. label Jan 26, 2021
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Jan 26, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 26, 2021
@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Jan 27, 2021
@bflad bflad self-assigned this Jan 27, 2021
bflad added a commit that referenced this issue Jan 27, 2021
Reference: #17294

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessKey_basic (9.80s)
--- PASS: TestAccAWSAccessKey_encrypted (10.33s)
--- PASS: TestAccAWSAccessKey_inactive (16.93s)
```
Contributor

bflad commented Jan 27, 2021

Hi @jd4883 👋 Thank you for raising this.

Adding a create_date attribute to match the CreateDate field from the IAM API is certainly a valid feature request. Submitted this here: #17318

> It would be awesome if there were more native terraform features related to key rotation here as well, but the main part I see as a barrier to moving forward with my project. The intended goal is to be able to use the keypair age against a user defined variable to determine when the key should be rotated (my exact technical implementation here is still to be determined). Any additional features / adjustments that could allow for easier key rotation automation would be appreciated but are not strictly what this feature request is intended for.

The Terraform AWS Provider maintainers are not able to provide too much guidance here since that is outside our general scope, however you may want to check out the time_rotating resource which can provide a naive rotation implementation within Terraform assuming that Terraform is run on a schedule or some of the other Terraform Time Provider resources. Asking in the HashiCorp Community Forums, where there are far more people than the GitHub issues here, may provide better answers though.
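An added example, not part of the original issue or the provider's code: one way to run the age-versus-threshold check described in the request against the `create_date` attribute once it is recorded in state. The state snippet, key ids and function name are constructed for illustration, and the code assumes `create_date` is stored as an RFC 3339 timestamp.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed Terraform state. Index 2 mimics a key written
# by a provider version that did not yet record create_date.
SAMPLE_STATE = json.loads("""
{"resources": [
  {"mode": "managed", "type": "aws_iam_access_key", "name": "keys",
   "instances": [
     {"index_key": 0, "attributes": {"id": "EXAMPLE-KEY-OLD", "status": "Active",
       "user": "test-user", "create_date": "2020-10-01T12:00:00Z"}},
     {"index_key": 1, "attributes": {"id": "EXAMPLE-KEY-NEW", "status": "Active",
       "user": "test-user", "create_date": "2021-01-20T12:00:00Z"}},
     {"index_key": 2, "attributes": {"id": "EXAMPLE-KEY-PRE", "status": "Inactive",
       "user": "legacy-user"}}
   ]},
  {"mode": "managed", "type": "aws_iam_user", "name": "u", "instances": []}
]}
""")


def keys_due_for_rotation(state, max_age_days, now=None):
    """Return (due, unknown) for aws_iam_access_key instances in a state dict.

    due     -- (address, user, age_in_days) for keys older than max_age_days
    unknown -- addresses with no create_date, which need a refresh or manual review
    Only metadata is read; the secret attributes in state are never touched.
    """
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=max_age_days)
    due, unknown = [], []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_iam_access_key":
            continue
        prefix = f'{res["module"]}.' if res.get("module") else ""
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            key = inst.get("index_key")
            suffix = "" if key is None else f"[{json.dumps(key)}]"
            address = f'{prefix}{res["type"]}.{res["name"]}{suffix}'
            created = attrs.get("create_date")
            if not created:
                unknown.append(address)  # age cannot be judged, so do not assume it is fresh
                continue
            # fromisoformat() rejects a trailing "Z" before Python 3.11
            age = now - datetime.fromisoformat(created.replace("Z", "+00:00"))
            if age > limit:
                due.append((address, attrs.get("user"), age.days))
    return due, unknown
```

Keys reported as `unknown` are worth treating as overdue until a refresh with a provider version that records `create_date` fills the attribute in.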

bflad added a commit that referenced this issue Jan 29, 2021
* resource/aws_iam_access_key: Add `create_date` attribute

Reference: #17294

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessKey_basic (9.80s)
--- PASS: TestAccAWSAccessKey_encrypted (10.33s)
--- PASS: TestAccAWSAccessKey_inactive (16.93s)
```

* Update CHANGELOG for #17318
@github-actions github-actions bot added this to the v3.27.0 milestone Jan 29, 2021

ghost commented Feb 5, 2021

This has been released in version 3.27.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented Mar 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 1, 2021