fix(vault-oidc): time conversion fix

Author: krzysztof-miemiec

modules/vault-oidc/example/main.tf

@@ -124,6 +124,6 @@ module "gitlab" {
   client_secret          = var.gitlab_client_secret
   default_token_policies = [vault_policy.default_user_policy.id]
   scopes                 = ["profile", "email"]
-  max_lease_ttl          = "12h"
-  default_lease_ttl      = "2h"
+  max_ttl                = 12 * 3600
+  default_ttl            = 2 * 3600
 }

modules/vault-oidc/main.tf

@@ -7,6 +7,28 @@
  * authorizing via GitLab or Google account.
  */
 
+locals {
+  time_units = ["d", "h", "m", "s"]
+
+  max_ttl_s     = var.max_ttl % 60
+  max_ttl_m     = ((var.max_ttl - local.max_ttl_s) / 60) % 60
+  max_ttl_h     = ((var.max_ttl - local.max_ttl_m * 60 - local.max_ttl_s) / 3600) % 24
+  max_ttl_d     = ((var.max_ttl - local.max_ttl_h * 3600 - local.max_ttl_m * 60 - local.max_ttl_s) / 24 * 3600)
+  max_ttl_parts = [local.max_ttl_d, local.max_ttl_h, local.max_ttl_m, local.max_ttl_s]
+  max_ttl = join("", [
+    for i in range(length(local.time_units)) : (local.max_ttl_parts[i] > 0 ? "${local.max_ttl_parts[i]}${local.time_units[i]}" : "")
+  ])
+
+  default_ttl_s     = var.default_ttl % 60
+  default_ttl_m     = ((var.default_ttl - local.default_ttl_s) / 60) % 60
+  default_ttl_h     = ((var.default_ttl - local.default_ttl_m * 60 - local.default_ttl_s) / 3600) % 24
+  default_ttl_d     = ((var.default_ttl - local.default_ttl_h * 3600 - local.default_ttl_m * 60 - local.default_ttl_s) / 24 * 3600)
+  default_ttl_parts = [local.default_ttl_d, local.default_ttl_h, local.default_ttl_m, local.default_ttl_s]
+  default_ttl = join("", [
+    for i in range(length(local.time_units)) : (local.default_ttl_parts[i] > 0 ? "${local.default_ttl_parts[i]}${local.time_units[i]}" : "")
+  ])
+}
+
 resource "vault_jwt_auth_backend" "this" {
   description        = var.description
   path               = var.path
@@ -19,8 +41,9 @@ resource "vault_jwt_auth_backend" "this" {
 
   tune {
     listing_visibility = "unauth"
-    default_lease_ttl  = var.default_lease_ttl
-    max_lease_ttl      = var.max_lease_ttl
+    default_lease_ttl  = local.default_ttl
+    max_lease_ttl      = local.max_ttl
+    token_type         = "default-service"
   }
 
   lifecycle {
@@ -43,9 +66,9 @@ resource "vault_jwt_auth_backend_role" "this" {
   token_policies = var.default_token_policies
   oidc_scopes    = var.scopes
 
-  token_ttl              = var.default_lease_ttl
-  token_max_ttl          = var.max_lease_ttl
-  token_explicit_max_ttl = var.max_lease_ttl
+  token_ttl              = var.default_ttl
+  token_max_ttl          = var.max_ttl
+  token_explicit_max_ttl = var.max_ttl
 
   bound_audiences       = [vault_jwt_auth_backend.this.oidc_client_id]
   allowed_redirect_uris = concat(local.vault_addresses, ["http://localhost:8250/oidc/callback"])

modules/vault-oidc/variables.tf

@@ -28,16 +28,16 @@ variable "default_token_policies" {
   description = "Default policy for everyone that's authorized using this method. I.e. this policies may allow access to cubbyhole and utilities."
 }
 
-variable "default_lease_ttl" {
-  type        = string
-  default     = "12h"
-  description = "Default Time-To-Live (in time unit format, i.e. 20m or 10h) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of breach. It may be shorter than `max_lease_ttl`, as lease can be renewed."
+variable "default_ttl" {
+  type        = number
+  default     = 12 * 60 * 60
+  description = "Default Time-To-Live (in seconds) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of breach. It may be shorter than `max_lease_ttl`, as lease can be renewed."
 }
 
-variable "max_lease_ttl" {
-  type        = string
-  default     = "12h"
-  description = "Maximum Time-To-Live (in time unit format, i.e. 20m or 10h) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of breach. After this time passes, user needs to authenticate again."
+variable "max_ttl" {
+  type        = number
+  default     = 12 * 60 * 60
+  description = "Maximum Time-To-Live (in seconds) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of breach. After this time passes, user needs to authenticate again."
 }
 
 variable "scopes" {

scripts/tf-exec.sh

@@ -10,7 +10,7 @@ TF_VERSION="${TF_VERSION:-13}"
 
 terraform="$(realpath "./bin/terraform-$TF_VERSION")"
 
-echo "Using Terraform $TF_VERSION binary at $terraform: $(terraform -v)"
+echo "Using Terraform $TF_VERSION binary at $terraform: $($terraform -v)"
 
 function retry_with_log() {
   $@ &>/dev/null || $@