feat: add expire_at to doppler_service_token#170
Open
jfrantz-cw wants to merge 1 commit into
Open
Conversation
Adds an optional 'expire_at' argument (RFC3339 timestamp) on doppler_service_token that maps to the Doppler API's existing 'expire_at' field on POST /v3/configs/config/tokens. When omitted, behavior is unchanged (token never expires). The field is ForceNew because the Doppler API does not support updating a token's expiration after creation; rotation requires a new token. Closes DopplerHQ#62.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TL;DR
Adds an optional
expire_atargument todoppler_service_tokenso authors can declare token expiration in IaC. The Doppler API already acceptsexpire_aton token create; the provider just wasn't exposing it. Closes #62.Why
doppler_service_tokencurrently produces tokens that live forever until manually revoked. The Doppler API has supported an optionalexpire_at(RFC3339 timestamp) onPOST /v3/configs/config/tokensfor some time, but the provider never wired it through. This forces operators to either trust never-expiring service tokens or build out-of-band rotation tooling. Neither is great when the IaC repo is the canonical owner of those tokens.Implementation
expire_atis an Optional, ForceNew string field validated as RFC3339. ForceNew because the Doppler API has no update path for token expiration; rotation requires a new token.expire_atcontinue to call the API exactly as before.ServiceToken.ExpiresAtis captured from the response (json:"expires_at,omitempty") for completeness, though the Read function does not currently set it back on state. The asymmetric API naming (expire_aton request,expires_aton response) means refreshing it could mask user-input drift; deferring that decision since the field is ForceNew anyway.Links