Feature Request: Password Rotation #134

Open
bloudraak opened this issue Jan 13, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@bloudraak

Summary

Support invalidating passwords and regenerating them on a regular cadence, similar to application_password.

Use cases

Some requirements you'd encounter in most security-aware organizations:

  1. Company policy requires passwords of "privileged" users/systems/accounts to be changed regularly.
  2. Shared accounts are required to have their passwords changed whenever someone with access to them leaves or their account is suspended (for example, as a precaution when their laptop/phone got stolen).
  3. Emergency (break the glass) accounts must have their password "rotated" at a regular cadence.

Proposed solution

One option would be to introduce a new resource, onepassword_item_password. This allows the password to have a distinct lifecycle from the item. Note rotate_when_changed. This method will enable us to use anything to trigger a password regeneration.

resource "onepassword_item" "example" {
  title = "Example"
  username = "bob"
}

resource "time_rotating" "example" {
  rotation_days = 1
}

resource "onepassword_item_password" "example" {
  item = onepassword_item.example.uuid
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

resource "dummy_user" "example" {
  hostname = "dummy.example.net"
  username = "dummy"
  password = onepassword_item_password.example.value
}

Another option would be to have a data block to generate a password like this:

resource "time_rotating" "example" {
  rotation_days = 1
}

# trying to stay as close as possible to the random_password resource provided by HashiCorp
data "onepassword_password" "example" {
  length           = 48
  special          = true
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

resource "onepassword_item" "example" {
  title = "Example"
  username = "bob"
  password = data.onepassword_password.example.value
}

resource "dummy_user" "example" {
  hostname = "dummy.example.net"
  username = "dummy"
  password = onepassword_item.example.password
}

A third would be to have rotate_when_changed on the onepassword_item resource, but this would complicate matters whenever there is more than one password in the resource.

A fourth option would be to add rotate_when_changed to the password recipe.

Is there a workaround to accomplish this today?

Resort to writing your own code or scripts and calling them from Terraform, which is less than ideal.

References & Prior Work

The best example of this behavior would be the application_password of Azure Active Directory.
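One way to get the rotation described in this issue with the providers the post already names (hashicorp/random, hashicorp/time and the 1Password provider), as an added example that is not code from the issue or from the 1Password provider; the `vault_uuid` variable and the `dummy_user` resource are assumptions, `dummy_user` being the same placeholder the post uses:

```hcl
terraform {
  required_providers {
    onepassword = { source = "1Password/onepassword" }
    random      = { source = "hashicorp/random" }
    time        = { source = "hashicorp/time" }
  }
}

# Assumed input: the UUID of the vault the item lives in.
variable "vault_uuid" {
  type = string
}

# Clock resource that is replaced (and gets a new id) every 30 days.
# Replacing it is what drives the rotation below.
resource "time_rotating" "example" {
  rotation_days = 30
}

# random_password has no rotate_when_changed, but its keepers map plays
# the same role: whenever a keeper value changes, the password is regenerated.
resource "random_password" "example" {
  length  = 48
  special = true
  keepers = {
    rotation = time_rotating.example.id
  }
}

# Write the current value into 1Password. The item keeps its UUID across
# rotations; only the password field is updated in place.
resource "onepassword_item" "example" {
  vault    = var.vault_uuid
  title    = "Example"
  category = "login"
  username = "bob"
  password = random_password.example.result
}

# Push the same value to the system that consumes it
# (dummy_user is a placeholder, not a real provider resource).
resource "dummy_user" "example" {
  hostname = "dummy.example.net"
  username = "dummy"
  password = onepassword_item.example.password
}
```

Two caveats worth knowing: the generated value lives in Terraform state (random_password marks `result` as sensitive, which hides it from plan output but not from the state file), so the state backend needs the same protection as the vault, and the rotation only happens when a `terraform apply` actually runs after the time_rotating deadline passes.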

@volodymyrZotov
Collaborator

Thanks for raising!👍 We'll consider this for future releases!

@volodymyrZotov volodymyrZotov added the enhancement New feature or request label Jan 17, 2024