Azuread_application_password rotation

I am using Terraform to manage Azure AD credentials as follows:

# Rotation clock: proposes replacement of itself every 60 days
resource "time_rotating" "password_rotate" {
  rotation_days = 60
}

# Application secret; replaced (old one deleted, new one created) whenever the clock rotates
resource "azuread_application_password" "password" {
  application_object_id = azuread_application.application.object_id
  end_date_relative     = "2400h" # 100 days, so the secret outlives the 60-day clock
  rotate_when_changed = {
    rotation = time_rotating.password_rotate.id
  }
}

When the rotation is triggered, it deletes the existing password and creates a new one. This behavior is undesirable for me because the deletion of the existing passwords causes the application to break. I want the old password to be still valid while the new secret is being deployed. Is there a way to achieve this?

You could create a second secret (in the same way) with a different rotation period, and then ensure you deploy the correct one to your applications.

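One way to lay out the reply's suggestion in Terraform, so that the secret you deploy is never the one about to be deleted. This is an added example, not code from the question or the answer: it assumes the `azuread_application.application` resource and provider versions from the question, Terraform 1.3 or later (for `timecmp`), and the resource names `secret_a`/`secret_b`, the 60- and 91-day periods, and the `client_secret` output are my own choices.

```hcl
# Two independent rotation clocks with different periods. 60 and 91 are coprime
# (least common multiple 5460 days), so both clocks will practically never cross
# their deadline in the same plan, which is the case that would delete both
# secrets at once.
resource "time_rotating" "secret_a" {
  rotation_days = 60
}

resource "time_rotating" "secret_b" {
  rotation_days = 91
}

# Each secret is replaced only when its own clock rotates; while one is being
# replaced, the other stays valid. 2400h (100 days) exceeds both periods, so a
# secret is never expired by Azure AD before Terraform replaces it.
resource "azuread_application_password" "secret_a" {
  application_object_id = azuread_application.application.object_id
  end_date_relative     = "2400h"
  rotate_when_changed = {
    rotation = time_rotating.secret_a.id
  }
}

resource "azuread_application_password" "secret_b" {
  application_object_id = azuread_application.application.object_id
  end_date_relative     = "2400h"
  rotate_when_changed = {
    rotation = time_rotating.secret_b.id
  }
}

locals {
  # Point in time at which each clock will next force its secret to be replaced.
  next_rotation_a = time_rotating.secret_a.rotation_rfc3339
  next_rotation_b = time_rotating.secret_b.rotation_rfc3339

  # Deploy the secret whose deletion is furthest away. timecmp returns 1 when the
  # first timestamp is later, 0 on a tie, -1 otherwise; ties fall back to A.
  primary_is_a = timecmp(local.next_rotation_a, local.next_rotation_b) >= 0

  primary_secret = local.primary_is_a ? azuread_application_password.secret_a.value : azuread_application_password.secret_b.value
  primary_key_id = local.primary_is_a ? azuread_application_password.secret_a.key_id : azuread_application_password.secret_b.key_id
}

# Feed this output to the deployment that configures the application. When the
# primary flips to the other secret, the previously deployed one remains valid
# until its own clock rotates, which leaves a window to roll the new value out.
output "client_secret" {
  value     = local.primary_secret
  sensitive = true
}

# Non-secret identifier, useful for checking in the portal or logs which
# credential a given deployment is using.
output "client_secret_key_id" {
  value = local.primary_key_id
}
```

The roll-out window is the gap between a primary switch and the next rotation of the secret that was previously deployed; with these periods it is at most a few weeks and can be short if an apply runs long after a clock crossed its deadline, so run plans regularly rather than only on demand.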