fn::rotate

The fn::rotate built-in function invokes a rotator to rotate secrets.

Some of a rotator’s inputs may be evaluated only when the environment containing the fn::rotate invocation is rotated. Combined with the environments built-in value, this makes it possible to fetch managing credentials from other environments that may require additional permissions beyond those given to typical users of an environment. Which inputs are rotation-only depends on the rotator.

Declaration

fn::rotate:
  provider: name
  inputs: inputs
  state: state

Short form

In addition to the long form syntax, fn::rotate can be invoked using the short form fn::rotate::name:

fn::rotate::name:
  inputs: inputs
  state: state

Parameters

| Property | Type | Description |
|----------|------|-------------|
| name | string | The name of the rotator to use. |
| inputs | any | The inputs to the rotator. The exact type is rotator-dependent. |
| state | any | The persistent state for the rotator. This value is managed by the rotator and should not be modified. |

Returns

The return value of fn::rotate is dependent on the rotator being invoked.

Example

Long form

values:
  aws:
    iam:
      fn::rotate:
        provider: aws-iam
        inputs:
          region: us-west-2
          login: ${environments.admin.production.aws.login}
          userArn: arn:aws:iam::012345678901:user/my-user
        state:
          current: ...
          previous: ...

Short form

values:
  aws:
    iam:
      fn::rotate::aws-iam:
        inputs:
          region: us-west-2
          login: ${environments.admin.production.aws.login}
          userArn: arn:aws:iam::012345678901:user/my-user
        state:
          current: ...
          previous: ...

Evaluated result

{
  "aws": {
    "iam": {
      "current": ...,
      "previous": ...
    }
  }
}
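
When reviewing who can rotate what, it helps to inventory every fn::rotate invocation and the environments its inputs pull managing credentials from. The script below is an added example, not Pulumi's code: it walks an already-parsed environment definition, treats the long and short forms alike, and lists the referenced environments. The function names, the sample dictionaries (constructed, modeled on the examples above), and the reading of `${environments.<project>.<environment>...}` as project then environment are assumptions.

```python
import re

# Matches ${environments.<project>.<environment>.<path>}; reading the first two
# segments as project and environment is an assumption of this example.
ENV_REF = re.compile(r"\$\{environments\.([^.}]+)\.([^.}]+)\.[^}]+\}")
SHORT_PREFIX = "fn::rotate::"

def _strings(node):
    """Yield every string found anywhere inside a nested value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def find_rotators(node, path=()):
    """Return one record per fn::rotate invocation, long or short form."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "fn::rotate" and isinstance(value, dict):
                provider, args = value.get("provider"), value
            elif (isinstance(key, str) and key.startswith(SHORT_PREFIX)
                  and isinstance(value, dict)):
                provider, args = key[len(SHORT_PREFIX):], value
            else:
                # Not a rotator: keep descending, extending the value path.
                found += find_rotators(value, path + (str(key),))
                continue
            # Environments referenced by the inputs supply managing credentials.
            refs = sorted({m.group(1) + "/" + m.group(2)
                           for s in _strings(args.get("inputs"))
                           for m in ENV_REF.finditer(s)})
            found.append({"path": ".".join(path), "provider": provider,
                          "credential_sources": refs})
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_rotators(item, path + (str(i),))
    return found

# Constructed sample: the two example forms as parsed YAML (state omitted).
INPUTS = {"region": "us-west-2",
          "login": "${environments.admin.production.aws.login}",
          "userArn": "arn:aws:iam::012345678901:user/my-user"}
LONG = {"values": {"aws": {"iam": {"fn::rotate": {"provider": "aws-iam", "inputs": INPUTS}}}}}
SHORT = {"values": {"aws": {"iam": {"fn::rotate::aws-iam": {"inputs": INPUTS}}}}}
```

Calling `find_rotators(LONG)` and `find_rotators(SHORT)` yields the same single record, showing that both forms resolve to the aws-iam rotator drawing its login from admin/production.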
