Skip to content

Commit dc9cb6b

Browse files
Update API key expiry docs
1 parent 09d6f18 commit dc9cb6b

1 file changed

Lines changed: 16 additions & 12 deletions

File tree

website/docs/r/apikey.html.markdown

Lines changed: 16 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -30,29 +30,33 @@ output "api_key_secret" {
3030
}
3131
```
3232

33-
### API Key with Automatic Secret Rotation
33+
### API Key with Secret Expiration
3434

3535
```hcl
36-
resource "ns1_apikey" "rotating" {
37-
name = "Rotating API Key"
36+
resource "ns1_apikey" "expiring" {
37+
name = "Expiring API Key"
3838
39-
# Enable automatic secret rotation
40-
# Secrets will expire and rotate every 30 days
41-
# Valid values: "10d", "30d", "90d"
39+
# Set secret expiration period to 30 days
40+
# Secrets will expire after this period and must be manually rotated
41+
# Accepts any duration in '<number>d' format (e.g., "10d", "30d", "90d")
4242
expiry_duration = "30d"
4343
4444
# Configure permissions
4545
dns_view_zones = true
4646
dns_manage_zones = true
4747
}
4848
49-
# Access secret information (metadata only, not the actual secret key)
49+
# Access secret metadata (not the actual secret key values)
5050
output "secret_info" {
51-
value = ns1_apikey.rotating.secrets
51+
value = ns1_apikey.expiring.secrets
5252
sensitive = true
5353
}
5454
```
5555

56+
## Important Notes
57+
58+
~> **Changing expiry_duration forces recreation.** When you modify the `expiry_duration` field of an existing API key, Terraform will destroy the old key and create a new one. This means the API key ID and all secrets will change. Any external references to the old key will break. Plan your migrations carefully and update dependent systems before changing this value.
59+
5660
## Permissions
5761
An API key will inherit permissions from the teams it is assigned to.
5862
If a key is assigned to a team and also has individual permissions set on the key, the individual permissions
@@ -73,7 +77,7 @@ The following arguments are supported:
7377
* `teams` - (Optional) The teams that the apikey belongs to.
7478
* `ip_whitelist` - (Optional, default: `[]`) Array of IP addresses/networks to which to grant the API key access.
7579
* `ip_whitelist_strict` - (Optional, default: `false`) Set to true to restrict access to only those IP addresses and networks listed in the **ip_whitelist** field.
76-
* `expiry_duration` - (Optional) Duration for automatic secret rotation. Valid values are `"10d"`, `"30d"`, or `"90d"`. When set, the API key will use rotating secrets that expire after the specified duration. The API key can have up to 2 active secrets at a time to allow for graceful rotation. If not set, a legacy API key with a permanent secret (stored in the `key` attribute) is created.
80+
* `expiry_duration` - (Optional) Duration for secret expiration in `<number>d` format (e.g., `"10d"`, `"30d"`, `"90d"`). When set, API key secrets will expire after the specified period and must be manually rotated using the NS1 API or Portal. The API key can have up to 2 active secrets at a time to allow for graceful rotation without service interruption. If not set, a legacy API key with a permanent secret (stored in the `key` attribute) is created. Changing this value will force recreation of the API key.
7781
* `dns_view_zones` - (Optional, default: `false`) Whether the apikey can view the accounts zones.
7882
* `dns_manage_zones` - (Optional, default: `false`) Whether the apikey can modify the accounts zones.
7983
* `dns_zones_allow_by_default` - (Optional, default: `false`) If true, enable the `dns_zones_allow` list, otherwise enable the `dns_zones_deny` list.
@@ -109,14 +113,14 @@ The following arguments are supported:
109113

110114
In addition to all arguments above, the following attributes are exported:
111115

112-
* `key` - (Computed) The API key authentication token. Only populated for legacy API keys (when `expiry_duration` is not set). For rotating API keys, use the secret keys from the `secrets` attribute instead.
113-
* `secrets` - (Computed) List of rotating secrets for this API key. Only populated when `expiry_duration` is set. Each secret contains:
116+
* `key` - (Computed) The API key authentication token. Only populated for legacy API keys (when `expiry_duration` is not set). For API keys with expiration, use the secret keys from the `secrets` attribute instead.
117+
* `secrets` - (Computed) List of secrets for this API key. Only populated when `expiry_duration` is set. Each secret contains:
114118
* `id` - The unique identifier for the secret.
115119
* `expires_at` - The expiration date/time of the secret in ISO 8601 format.
116120
* `last_access` - The last time this secret was used for authentication.
117121
* `enabled` - Whether this secret is currently enabled for authentication.
118122

119-
**Note:** The actual secret key values (starting with `nss_`) are only returned when a secret is first created and are not stored in Terraform state for security reasons. You must save these values when they are first created, as they cannot be retrieved later.
123+
**Note:** The actual secret key values (starting with `nss_`) are only returned when a secret is first created and are not stored in Terraform state for security reasons. You must save these values when they are first created, as they cannot be retrieved later. To rotate secrets (generate new ones), use the NS1 API or Portal - Terraform does not manage secret rotation.
120124

121125
## Import
122126

0 commit comments

Comments
 (0)