From d36c47cf7bb87325c663743d678393d682148af0 Mon Sep 17 00:00:00 2001
From: Bruno Domenici
Date: Wed, 18 Dec 2024 17:39:13 +0100
Subject: [PATCH] feat(api-key) support keepers for time rotating api keys
---
 .../main.tf | 17 ++++++++++++++++-
 internal/provider/resource_api_key.go | 7 +++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/examples/configurations/create-default-topic-and-return-kafka-api-keys-to-consume-and-produce/confluent_kafka_topic_api_keys_module/main.tf b/examples/configurations/create-default-topic-and-return-kafka-api-keys-to-consume-and-produce/confluent_kafka_topic_api_keys_module/main.tf
index fa3ff2e9..35259241 100644
--- a/examples/configurations/create-default-topic-and-return-kafka-api-keys-to-consume-and-produce/confluent_kafka_topic_api_keys_module/main.tf
+++ b/examples/configurations/create-default-topic-and-return-kafka-api-keys-to-consume-and-produce/confluent_kafka_topic_api_keys_module/main.tf
@@ -2,7 +2,11 @@ terraform {
 required_providers {
 confluent = {
 source = "confluentinc/confluent"
- version = "2.12.0"
+ version = "2.13.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.12.1"
 }
 }
 }
@@ -49,6 +53,12 @@ resource "confluent_api_key" "app-manager-kafka-api-key" {
 environment {
 id = var.environment_id
 }
+
+ # BEWARE: this will rotate your api key, make sure to update your configuration accordingly and
+ # restart your clients, if needed.
+ keepers = {
+ rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
+ }
 }
 # The goal is to ensure that confluent_role_binding.app-manager-kafka-cluster-admin is created before
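Review bot: The `keepers` block added to `app-manager-kafka-api-key` forces a replacement, and Terraform's default order for a replacement is destroy then create, so at each rotation the old key is deleted before its successor exists. Consider adding `lifecycle { create_before_destroy = true }` to the example, assuming the API accepts two keys for the same owner at once, so that dependants updated in the same apply always have a valid key to move to. The BEWARE comment should also say that the previous key is revoked in that same apply, and that clients holding it will fail authentication until they are given the new secret. The resource block starts before this hunk and ends after it.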
@@ -63,6 +73,11 @@ resource "confluent_api_key" "app-manager-kafka-api-key" {
 ]
 }
+# note this requires the terraform to be run regularly
+resource "time_rotating" "mykey_rotation" {
+ rotation_days = 30
+}
+
 resource "confluent_service_account" "app-consumer" {
 display_name = "app-${var.topic_name}-consumer"
 description = "Service account to consume from '${var.topic_name}' topic of ${var.kafka_id} Kafka cluster"
diff --git a/internal/provider/resource_api_key.go b/internal/provider/resource_api_key.go
index 292d8998..3ab2ceb1 100644
--- a/internal/provider/resource_api_key.go
+++ b/internal/provider/resource_api_key.go
@@ -34,6 +34,7 @@ const (
 paramOwner = "owner"
 paramResource = "managed_resource"
 paramDisableWaitForReady = "disable_wait_for_ready"
+ paramKeepers = "keepers"
 serviceAccountKind = "ServiceAccount"
 userKind = "User"
@@ -94,6 +95,12 @@ func apiKeyResource() *schema.Resource {
 Default: false,
 ForceNew: true,
 },
+ paramKeepers: {
+ Type: schema.TypeMap,
+ Optional: true,
+ ForceNew: true,
+ Description: "Arbitrary map of values that, when changed, will trigger recreation of resource.",
+ },
 },
 }
 }
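Review bot: The comment above `time_rotating.mykey_rotation` understates the limitation: nothing expires the key at 30 days. The replacement only happens on the first apply after `rotation_rfc3339` has passed, so `rotation_days` is a minimum age rather than a maximum lifetime. I would reword the comment to `# Rotation only happens when Terraform is applied after the rotation time; until then the old key stays valid.` Anyone relying on this as a rotation control needs a scheduled plan/apply, and the example should say so.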
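Review bot: The `paramKeepers` schema entry is not marked `Sensitive`, so whatever a user places in the map is written to state and printed in plan output in clear text. The `Description` should say so, for example `"Arbitrary map of values that, when changed, will trigger recreation of resource. Values are stored in state and shown in plans; do not put secrets here."`. Because the attribute is `ForceNew`, adding `keepers` to an already-managed key will most likely replace that key on the next apply, which deserves a sentence in the resource documentation. An explicit `Elem: &schema.Schema{Type: schema.TypeString}` would also make the expected value type clear. The schema map inside apiKeyResource starts outside this hunk.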