I have been able to get an App Registration secret to rotate and update the secret value into a keyvault, by following the following example: azuread_application_password
resource "time_rotating" "rotation_secret" {
rotation_day = 1
lifecycle {
create_before_destroy = true
}
}
resource "azuread_application_password" "client_secret" {
display_name = "terraformgenerated"
application_object_id = module.appreg.object_id
end_date_relative = "4320h" #180 days
rotate_when_changed = {
"rotation" = time_rotating.rotation_secret.id
}
lifecycle {
create_before_destroy = true
}
}
resource "azurerm_key_vault_secret" "client_secret" {
name = "clientsecret"
value = azuread_application_password.client_secret.value
key_vault_id = module.key_vault.kv_id
}
My code example above, will change the secret and update the Key Vault with the value if I run the Terraform code 1 day after the last time it runs. If I run the Terraform code within that day, then the secret doesn’t change.
However, if the Terraform doesn’t run, the secret within Azure on the App Registration will continue to be valid for 4320 hours (180 days), and the secret will continue to be in the keyvault.
According to the documentation for certificates, the way to rotate them is via the keyvault itself. azurerm_key_vault_certificate
resource "azurerm_key_vault_certificate" "certificate" {
name = "generated-cert"
key_vault_id = module.key_vault.id
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = "true"
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 27
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
key_usage = [
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
"cRLSign"
]
subject = "CN=${module.appreg.application_display_name}"
validity_in_months = 1
}
}
}
resource "azuread_application_certificate" "app_cert" {
application_object_id = module.appreg.object_id
type = "AsymmetricX509Cert"
encoding = "hex"
value = azurerm_key_vault_certificate.certificate.certificate_data
end_date = azurerm_key_vault_certificate.certificate.certificate_attribute[0].expires
start_date = azurerm_key_vault_certificate.certificate.certificate_attribute[0].not_before
}
My example code above creates a certificate valid for 1 month, with an auto renew 27 days before certificate expires.
However, this code puts the rotation in the hands of the Azure Key Vault. It will automatically rotate the certificate, but unless the Terraform is run again, it will not update App Registration. Meaning from the time the Key Vault rotates the certificate to the Terraform run to update the App Registration, the web applications using that app registration and certificate fail authentication.
Is there a way to get it to work like the secret, where it’s flagged for rotation, but only rotates when the Terraform is run again in a CI/CD pipeline on a cron trigger?