feat(Token Rotation): Option to NOT revoke the old token
Problem Statement
When automatically rotating tokens, the old tokens are revoked and new ones are generated. There are cases where this is not what we want, especially in scenarios where access tokens are distributed to different services. The second we rotate, these services are potentially broken.
Current workaround:
I currently just remove the tokens from the state, which avoids revocation -> works, but is not so clean
echo "## removing group access tokens from state"
# Drop the rotated tokens from state so Terraform does not revoke them
gitlab-terraform state list | grep -F "module.gitlab_token_rotation.gitlab_group_access_token." | while read -r line ; do
  echo "gitlab-terraform state rm $line"
  # Quote the address: indexed resources contain [ ] and " characters
  gitlab-terraform state rm "$line"
done
Idea
To avoid having to update ALL services immediately when rotating,
it would be nice to have an option revoke_old_token=false
when we specify the rotation, letting old tokens expire "gracefully"
resource "gitlab_project_access_token" "example" {
  project      = "25"
  name         = "Example project access token"
  access_level = "reporter"
  scopes       = ["api"]
  rotation_configuration {
    duration_of_new_token = 30d
    rotation_timeframe = 7d
+   revoke_old_token = false // to avoid revoking the old token
  }
}
Edited by Julian Löffler
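When old tokens are left to expire instead of being revoked (either through the state-removal workaround or the proposed option), two valid credentials exist for the same purpose until the old one lapses. The following is an added example, not part of the original issue or of the provider: it takes token records shaped like the GitLab access token API output and lists still-valid tokens that already have a newer replacement. It assumes a rotated token keeps the same `name` as its predecessor; the function name and sample data are constructed for illustration.

```python
from datetime import date

# Constructed sample: records shaped like GitLab's access token API output
# (id, name, revoked, active, created_at, expires_at). All values are made up.
SAMPLE_TOKENS = [
    {"id": 101, "name": "deploy", "revoked": False, "active": True,
     "created_at": "2024-05-01T08:00:00Z", "expires_at": "2024-06-07"},
    {"id": 117, "name": "deploy", "revoked": False, "active": True,
     "created_at": "2024-05-31T08:00:00Z", "expires_at": "2024-06-30"},
    {"id": 90, "name": "deploy", "revoked": True, "active": False,
     "created_at": "2024-04-01T08:00:00Z", "expires_at": "2024-05-01"},
    {"id": 120, "name": "ci-read", "revoked": False, "active": True,
     "created_at": "2024-05-20T08:00:00Z", "expires_at": "2024-06-19"},
    {"id": 95, "name": "mirror", "revoked": False, "active": True,
     "created_at": "2024-03-01T08:00:00Z", "expires_at": None},
    {"id": 130, "name": "mirror", "revoked": False, "active": True,
     "created_at": "2024-05-25T08:00:00Z", "expires_at": "2024-06-24"},
]

def superseded_tokens(tokens, today):
    """Return still-valid tokens that have a newer same-name replacement."""
    by_name = {}
    for tok in tokens:
        if tok["active"] and not tok["revoked"]:
            by_name.setdefault(tok["name"], []).append(tok)
    findings = []
    for name, group in by_name.items():
        # Same-format ISO-8601 UTC timestamps sort chronologically as strings.
        group.sort(key=lambda t: t["created_at"])
        for old in group[:-1]:  # everything except the newest token
            exp = old["expires_at"]
            days_left = (date.fromisoformat(exp) - today).days if exp else None
            findings.append({"id": old["id"], "name": name,
                             "replaced_by": group[-1]["id"], "days_left": days_left})
    # Longest exposure first; tokens with no expiry date go to the top.
    findings.sort(key=lambda f: (f["days_left"] is not None, -(f["days_left"] or 0)))
    return findings

if __name__ == "__main__":
    for f in superseded_tokens(SAMPLE_TOKENS, date(2024, 6, 1)):
        print(f)
```

A `days_left` of `None` marks an old token with no expiry date, which will never lapse on its own and needs an explicit revoke.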