Updating Key Vault Secret values and their dependent resources

Crilde · June 22, 2022, 1:14pm

I’ve been tasked with automating secret rotation within a serverless application deployed by Terraform. I was hoping that I could leverage Terraforms refresh functionality to detect when a tracked sensitive value (i.e. Storage Account SAS Key deployed by terraform) has changed, update the associated Key Vault secret value, then update resources dependent on that secret value (i.e. an APIM Named Value).

I’ve had limited success, but the best I can achieve is having to run Terraform Apply twice, once to fetch the new sensitive value, commit it to state and update the KV Secret, and another to update the dependent resource with the new Secret ID.

Is there any way to get this to work in one Terraform Apply? Is this possibly a bug or just a result of how Terraform works?

ferimy · December 8, 2022, 2:27pm

This is the bug and it basically makes KeyVault secrets management useless. There’s a bunch of bug reports created but for some reason all of them were closed by Terraform Azure provider developers. See here for example: Change to KeyVault secret does not update dependency · Issue #6743 · hashicorp/terraform-provider-azurerm · GitHub. If you dig further you’ll find more.
There’s no other way to deal with it other than just create a new bug report and mention all previous reports that were closed without any solution.

Topic		Replies	Views
Using updated attributes during planning phase Plugin Development	3	425	September 9, 2021
Terraform - Securing the values in KeyVault Secret Azure	0	452	July 10, 2020
Add subscription id parameter to azurerm_key_vault_secret Terraform	6	1027	April 15, 2020
Confused about aws-secretsmanager-secret-version resource behaviour AWS	1	4443	March 29, 2023
Azurerm postgresql flexible server customer_managed_key rotation Azure	1	229	June 19, 2024

Updating Key Vault Secret values and their dependent resources

Related topics