Rotate password with grace period for an Entra App use case

Hi there,

I’m seeking some help for a specific use case.

I’m trying to do this only using Terraform, but I can’t manage to find a way.

On Azure, I have an Application for which I want to rotate Client Secrets, but the default behavior offered by the time_rotating resource basically destroys the secret to create another. What I need to implement is some sort of grace period in order to give some time for the application to retrieve the secret. For example, if the application retrieves its password at deployment, and it redeploys like twice a month, it would be useful to rotate the password like every three months, but create a new one one month before expiration, and so on.

If I try to manage two azuread_application_password resources with Terraform, I always stumble on Cycle errors, and there’s always some kind of mutual dependency when I try to evaluate the expiration of one secret to trigger the renewal of the other.

I tried many variations but without success until now.

m = months (or days/minutes/years)
m1 - secret 1 creation
m2 -
m3 - secret 2 creation
m4 - secret 1 deletion
m5 -
m6 - secret 3 creation
m7 - secret 2 deletion
m8 -
m9 - secret 4 creation
m10 - secret 3 deletion and so on

I’m gonna try playing around with time_static and null provisioners…

I was overcomplicating
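
The timeline in the post, modelled as an added example (Python, not Terraform, and not code from the thread): it reproduces the m1 to m10 schedule and checks whether an application that reads the newest secret at each deployment ever holds one that has already been deleted. The function names, the "newest valid secret" pickup rule, the sample deployment times and the month-based time unit are assumptions made for the illustration.

```python
def schedule(count, first=1, period=3, grace=1):
    """Return [(name, created, deleted)] in months.

    Secret k is deleted at first + k*period; its successor is created
    `grace` months earlier, which is the overlap the post asks for.
    """
    rows, created = [], first
    for k in range(1, count + 1):
        deleted = first + k * period
        rows.append((f"secret{k}", created, deleted))
        created = deleted - grace
    return rows


def newest_valid(rows, t):
    """Most recently created secret that exists at time t, or None."""
    live = [r for r in rows if r[1] <= t < r[2]]
    return max(live, key=lambda r: r[1]) if live else None


def outages(rows, deploy_times):
    """Windows (secret, from, to) in which the app still holds a deleted secret.

    Assumption: the app fetches the newest valid secret at each deployment
    and keeps using it until the next deployment.
    """
    gaps = []
    for t, nxt in zip(deploy_times, deploy_times[1:]):
        held = newest_valid(rows, t)
        if held is None:
            gaps.append((None, t, nxt))
        elif held[2] < nxt:
            gaps.append((held[0], held[2], nxt))
    return gaps


if __name__ == "__main__":
    for name, created, deleted in schedule(4):
        print(f"{name}: created m{created}, deleted m{deleted}")

    # Constructed sample: a deployment every half month, starting at m1.25.
    deploys = [1.25 + i * 0.5 for i in range(14)]
    print("one month overlap :", outages(schedule(4), deploys))
    # grace=0 models replace-in-place rotation (old secret gone at once).
    print("no overlap        :", outages(schedule(4, grace=0), deploys))
```

With the one-month overlap and twice-monthly deployments the outage list is empty; with no overlap, the application holds a deleted secret from each rotation until its next deployment.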