You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: website/docs/r/apikey.html.markdown
+16-12Lines changed: 16 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,29 +30,33 @@ output "api_key_secret" {
30
30
}
31
31
```
32
32
33
-
### API Key with Automatic Secret Rotation
33
+
### API Key with Secret Expiration
34
34
35
35
```hcl
36
-
resource "ns1_apikey" "rotating" {
37
-
name = "Rotating API Key"
36
+
resource "ns1_apikey" "expiring" {
37
+
name = "Expiring API Key"
38
38
39
-
# Enable automatic secret rotation
40
-
# Secrets will expire and rotate every 30 days
41
-
# Valid values: "10d", "30d", "90d"
39
+
# Set secret expiration period to 30 days
40
+
# Secrets will expire after this period and must be manually rotated
41
+
# Accepts any duration in '<number>d' format (e.g., "10d", "30d", "90d")
42
42
expiry_duration = "30d"
43
43
44
44
# Configure permissions
45
45
dns_view_zones = true
46
46
dns_manage_zones = true
47
47
}
48
48
49
-
# Access secret information (metadata only, not the actual secret key)
49
+
# Access secret metadata (not the actual secret key values)
50
50
output "secret_info" {
51
-
value = ns1_apikey.rotating.secrets
51
+
value = ns1_apikey.expiring.secrets
52
52
sensitive = true
53
53
}
54
54
```
55
55
56
+
## Important Notes
57
+
58
+
~> **Changing expiry_duration forces recreation.** When you modify the `expiry_duration` field of an existing API key, Terraform will destroy the old key and create a new one. This means the API key ID and all secrets will change. Any external references to the old key will break. Plan your migrations carefully and update dependent systems before changing this value.
59
+
56
60
## Permissions
57
61
An API key will inherit permissions from the teams it is assigned to.
58
62
If a key is assigned to a team and also has individual permissions set on the key, the individual permissions
@@ -73,7 +77,7 @@ The following arguments are supported:
73
77
*`teams` - (Optional) The teams that the apikey belongs to.
74
78
*`ip_whitelist` - (Optional, default: `[]`) Array of IP addresses/networks to which to grant the API key access.
75
79
*`ip_whitelist_strict` - (Optional, default: `false`) Set to true to restrict access to only those IP addresses and networks listed in the **ip_whitelist** field.
76
-
*`expiry_duration` - (Optional) Duration for automatic secret rotation. Valid values are `"10d"`, `"30d"`, or `"90d"`. When set, the API key will use rotating secrets that expire after the specified duration. The API key can have up to 2 active secrets at a time to allow for graceful rotation. If not set, a legacy API key with a permanent secret (stored in the `key` attribute) is created.
80
+
*`expiry_duration` - (Optional) Duration for secret expiration in `<number>d` format (e.g., `"10d"`, `"30d"`, `"90d"`). When set, API key secrets will expire after the specified period and must be manually rotated using the NS1 API or Portal. The API key can have up to 2 active secrets at a time to allow for graceful rotation without service interruption. If not set, a legacy API key with a permanent secret (stored in the `key` attribute) is created. Changing this value will force recreation of the API key.
77
81
*`dns_view_zones` - (Optional, default: `false`) Whether the apikey can view the accounts zones.
78
82
*`dns_manage_zones` - (Optional, default: `false`) Whether the apikey can modify the accounts zones.
79
83
*`dns_zones_allow_by_default` - (Optional, default: `false`) If true, enable the `dns_zones_allow` list, otherwise enable the `dns_zones_deny` list.
@@ -109,14 +113,14 @@ The following arguments are supported:
109
113
110
114
In addition to all arguments above, the following attributes are exported:
111
115
112
-
*`key` - (Computed) The API key authentication token. Only populated for legacy API keys (when `expiry_duration` is not set). For rotating API keys, use the secret keys from the `secrets` attribute instead.
113
-
*`secrets` - (Computed) List of rotating secrets for this API key. Only populated when `expiry_duration` is set. Each secret contains:
116
+
*`key` - (Computed) The API key authentication token. Only populated for legacy API keys (when `expiry_duration` is not set). For API keys with expiration, use the secret keys from the `secrets` attribute instead.
117
+
*`secrets` - (Computed) List of secrets for this API key. Only populated when `expiry_duration` is set. Each secret contains:
114
118
*`id` - The unique identifier for the secret.
115
119
*`expires_at` - The expiration date/time of the secret in ISO 8601 format.
116
120
*`last_access` - The last time this secret was used for authentication.
117
121
*`enabled` - Whether this secret is currently enabled for authentication.
118
122
119
-
**Note:** The actual secret key values (starting with `nss_`) are only returned when a secret is first created and are not stored in Terraform state for security reasons. You must save these values when they are first created, as they cannot be retrieved later.
123
+
**Note:** The actual secret key values (starting with `nss_`) are only returned when a secret is first created and are not stored in Terraform state for security reasons. You must save these values when they are first created, as they cannot be retrieved later. To rotate secrets (generate new ones), use the NS1 API or Portal - Terraform does not manage secret rotation.
0 commit comments