From d20e4c0efa7f3ad75cd884a38c7a3f972e4fc736 Mon Sep 17 00:00:00 2001
From: Howard Jones
Date: Wed, 20 Oct 2021 17:30:46 +0100
Subject: [PATCH] feat: Add expiry information for keyvaultsecrets

---
 plugins/modules/azure_rm_keyvaultsecret.py | 30 +++++++++++++++++--
 .../azure_rm_keyvaultsecret/tasks/main.yml | 6 ++++
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/plugins/modules/azure_rm_keyvaultsecret.py b/plugins/modules/azure_rm_keyvaultsecret.py
index 81ffce4b5..9f877addd 100644
--- a/plugins/modules/azure_rm_keyvaultsecret.py
+++ b/plugins/modules/azure_rm_keyvaultsecret.py
@@ -3,6 +3,7 @@
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 from __future__ import absolute_import, division, print_function
+
 __metaclass__ = type
@@ -31,6 +32,14 @@
 secret_value:
 description:
 - Secret to be secured by keyvault.
+ secret_expiry:
+ description:
+ - Optional expiry datetime for secret
+ type: str
+ secret_valid_from:
+ description:
+ - Optional valid-from datetime for secret
+ type: str
 state:
 description:
 - Assert the state of the subnet. Use C(present) to create or update a secret and C(absent) to delete a secret .
@@ -86,6 +95,8 @@
 from azure.common.credentials import ServicePrincipalCredentials
 from azure.keyvault.models.key_vault_error import KeyVaultErrorException
 from msrestazure.azure_active_directory import MSIAuthentication
+ import dateutil.parser
+ from azure.keyvault.models.secret_attributes import SecretAttributes
 except ImportError:
 # This is handled in azure_rm_common
 pass
@@ -99,6 +110,8 @@ def __init__(self):
 self.module_arg_spec = dict(
 secret_name=dict(type='str', required=True),
 secret_value=dict(type='str', no_log=True),
+ secret_valid_from=dict(type='str', no_log=True),
+ secret_expiry=dict(type='str', no_log=True),
 keyvault_uri=dict(type='str', no_log=True, required=True),
 state=dict(type='str', default='present', choices=['present', 'absent']),
 content_type=dict(type='str')
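Review bot: The two new option entries in the DOCUMENTATION block (hunk at -31) do not say which date formats are accepted or how a value without a timezone is interpreted, yet the value is handed straight to dateutil.parser.parse in exec_module later in this patch. State it in the description, e.g. `- Optional expiry datetime for the secret, as an ISO 8601 string (any form accepted by dateutil.parser.parse). State whether a value without a timezone is taken as UTC.` Collection conventions usually also expect a `version_added` key on newly introduced options; add one for both if this collection enforces that check. The same wording applies to secret_valid_from.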
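Review bot: `import dateutil.parser` (hunk at -86) sits inside a try whose `except ImportError: pass` relies on azure_rm_common reporting missing requirements, but nothing in this patch tells the base class about the new python-dateutil dependency, so on a host without it the module would presumably fail later with a NameError at the `dateutil.parser.parse` call instead of a clear missing-requirement message (the base class's requirement check is outside this diff). Import it in its own try and record the outcome, e.g. `try: import dateutil.parser` / `except ImportError: HAS_DATEUTIL = False`, then call `self.fail('python-dateutil is required for secret_expiry/secret_valid_from')` before parsing when it is absent. The `requirements` section of the module documentation should list the package as well.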
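Review bot: `no_log=True` on secret_valid_from and secret_expiry (hunk at -99) masks two non-sensitive timestamps rather than a credential; Ansible replaces any no_log value it finds in the module's output with asterisks, so this only makes failed runs harder to diagnose while the integration test in this same patch already asserts the timestamps from the info module's facts in clear. Drop the flag on both: `secret_valid_from=dict(type='str'),` / `secret_expiry=dict(type='str'),`. The existing `no_log=True` on keyvault_uri is pre-existing and not part of this change.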
@@ -115,6 +128,8 @@ def __init__(self):
 self.secret_name = None
 self.secret_value = None
+ self.secret_valid_from = None
+ self.secret_expiry = None
 self.keyvault_uri = None
 self.state = None
 self.data_creds = None
@@ -155,10 +170,18 @@ def exec_module(self, **kwargs):
 self.results['changed'] = changed
 self.results['state'] = results
+ valid_from = self.secret_valid_from
+ if isinstance(valid_from, str) and len(valid_from) > 0:
+ valid_from = dateutil.parser.parse(valid_from)
+
+ expiry = self.secret_expiry
+ if isinstance(expiry, str) and len(expiry) > 0:
+ expiry = dateutil.parser.parse(expiry)
+
 if not self.check_mode:
 # Create secret
 if self.state == 'present' and changed:
- results['secret_id'] = self.create_update_secret(self.secret_name, self.secret_value, self.tags, self.content_type)
+ results['secret_id'] = self.create_update_secret(self.secret_name, self.secret_value, self.tags, self.content_type, valid_from, expiry)
 self.results['state'] = results
 self.results['state']['status'] = 'Created'
 # Delete secret
@@ -214,9 +237,10 @@ def get_secret(self, name, version=''):
 return dict(secret_id=secret_id.id, secret_value=secret_bundle.value)
 return None
- def create_update_secret(self, name, secret, tags, content_type):
+ def create_update_secret(self, name, secret, tags, content_type, valid_from, expiry):
 ''' Creates/Updates a secret '''
- secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags=tags, content_type=content_type)
+ secret_attributes = SecretAttributes(expires=expiry, not_before=valid_from)
+ secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags=tags, content_type=content_type, secret_attributes=secret_attributes)
 secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
 return secret_id.id
diff --git a/tests/integration/targets/azure_rm_keyvaultsecret/tasks/main.yml b/tests/integration/targets/azure_rm_keyvaultsecret/tasks/main.yml
index 3f9d115ca..0a4226a0e 100644
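Review bot: A malformed secret_expiry or secret_valid_from makes `dateutil.parser.parse` raise ValueError out of exec_module (hunk at -155) as a traceback instead of a module failure; wrap each parse in `try/except (ValueError, OverflowError) as exc` and report it with `self.fail("secret_expiry is not a valid datetime: {0}".format(exc))` (likewise for secret_valid_from). The `isinstance(valid_from, str)` guard also skips parsing on Python 2, which the file's `from __future__` line suggests is still supported, because module parameters arrive there as unicode; a plain truthiness test (`if valid_from:`) covers both interpreters and the empty string. `changed` is computed before this hunk, presumably only from the existing secret's value and tags, so changing only the expiry of an existing secret may not reach set_secret at all; worth confirming against the comparison code, which lies outside the hunk, as does the rest of exec_module.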
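Review bot: The docstring of create_update_secret (hunk at -214) was not updated for the two new parameters; it should say what they carry, e.g. `''' Creates/Updates a secret; valid_from and expiry are datetime objects or None, mapped to the not_before/expires secret attributes '''`. Both parameters are positional and required, so any other caller of create_update_secret outside this diff would now fail with a TypeError; defaults keep the old call shape working: `def create_update_secret(self, name, secret, tags, content_type, valid_from=None, expiry=None):`. get_secret's body starts before the hunk.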
--- a/tests/integration/targets/azure_rm_keyvaultsecret/tasks/main.yml
+++ b/tests/integration/targets/azure_rm_keyvaultsecret/tasks/main.yml
@@ -51,6 +51,8 @@
 secret_name: testsecret
 secret_value: 'mysecret'
 content_type: 'Content Type Secret'
+ secret_valid_from: 2000-01-02T010203Z
+ secret_expiry: 2030-03-04T040506Z
 tags:
 testing: test
 delete: on-exit
@@ -77,7 +79,11 @@
 - facts['secrets'][0]['secret']
 - facts['secrets'][0]['tags']
 - facts['secrets'][0]['version']
+ - facts['secrets'][0]['attributes']['expires']
+ - facts['secrets'][0]['attributes']['not_before']
 - facts['secrets'][0]['content_type'] == 'Content Type Secret'
+ - facts['secrets'][0]['attributes']['expires'] == "2030-03-04T04:05:06+00:00"
+ - facts['secrets'][0]['attributes']['not_before'] == "2000-01-02T01:02:03+00:00"
 - name: delete a kevyault secret
 azure_rm_keyvaultsecret:
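Review bot: The unquoted values `2000-01-02T010203Z` and `2030-03-04T040506Z` (hunk at -51) reach the module as strings only because they do not match YAML's timestamp form; a maintainer who rewrites them with colons would get a YAML timestamp object instead, which then depends on Ansible's type coercion before the module's string check sees it. Quote them like the neighbouring options so the intent is explicit: `secret_valid_from: '2000-01-02T010203Z'` / `secret_expiry: '2030-03-04T040506Z'`. The assertions in the -77 hunk compare against the colon-separated form the service returns, so the two spellings should be kept visibly distinct in a comment.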