Terraform module to deploy an Azure Automation runbook that rotates Azure application (app registration) client secrets, triggered by Key Vault "secret expired" Event Grid events, and configurable through tags on Azure Key Vault secrets.
- an automation account with a runbook is deployed, triggered through a webhook
- an Event Grid subscription is deployed for the Key Vault "secret expired" event and for the "new secret version created" event, the latter being used to create the initial client secret
- to use auto rotation, a Key Vault secret has to be created with the required tags
- the Key Vault has to be added to this module's `keyvaults` variable so the Event Grid subscription covers it
- the automation account needs the required permissions on the Key Vault for updating the secret and changing the IP firewall rules
The Azure Key Vault secret can be configured to auto rotate with the following tags:

```hcl
"az_aa_client_secret_rotation.app_name"                   = "AZURE_APPLICATION_NAME_TO_ROTATE_CLIENT_SECRET"
"az_aa_client_secret_rotation.client_secret_display_name" = "auto_rotated_client_secret"
"az_aa_client_secret_rotation.enabled"                    = "true"
"az_aa_client_secret_rotation.expiration_in_days"         = "90"
"az_aa_client_secret_rotation.notification_recipients"    = "person1@mail.com,person2@mail.com"
"az_aa_client_secret_rotation.notification_sender"        = "existing_sender_mail@mail.com"
```
To clean up client secrets from an application, the following tag can be used:

```hcl
"az_aa_client_secret_rotation.delete_client_secret" = "true"
```
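A Key Vault secret enrolled in rotation with the tags documented above, as an added Terraform example that is not part of this module's own code. The vault reference `azurerm_key_vault.example`, the application name and the mail addresses are placeholders, and the `ignore_changes` block is an assumption about how to stop Terraform from reverting values the runbook writes.

```hcl
# Added example (not module code): a Key Vault secret opted in to automatic rotation.
# Assumes an existing vault referenced as azurerm_key_vault.example; the application
# name and mail addresses are placeholders.
resource "azurerm_key_vault_secret" "app_client_secret" {
  name         = "example-app-client-secret"
  key_vault_id = azurerm_key_vault.example.id

  # Placeholder only: creating this version raises the "new secret version created"
  # event, which triggers the runbook to generate the first real client secret and
  # write it back to this secret. The real value never lives in Terraform state.
  value = "placeholder-replaced-by-runbook"

  # Opt-in tags read by the runbook (keys as documented in this README).
  tags = {
    "az_aa_client_secret_rotation.app_name"                   = "EXAMPLE_APP_NAME"
    "az_aa_client_secret_rotation.client_secret_display_name" = "auto_rotated_client_secret"
    "az_aa_client_secret_rotation.enabled"                    = "true"
    "az_aa_client_secret_rotation.expiration_in_days"         = "90"
    "az_aa_client_secret_rotation.notification_recipients"    = "person1@mail.com,person2@mail.com"
    "az_aa_client_secret_rotation.notification_sender"        = "existing_sender_mail@mail.com"
  }

  # Assumption: the runbook updates value and expiry out of band. Without this block,
  # the next `terraform apply` would overwrite the rotated secret with the placeholder
  # and reset its expiry, undoing the rotation.
  lifecycle {
    ignore_changes = [value, expiration_date]
  }
}
```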
Requirements:

| Name | Version |
|---|---|
| azurerm | ~> 4.0 |

Providers:

| Name | Version |
|---|---|
| azuread | n/a |
Modules:

| Name | Source | Version |
|---|---|---|
| automation_account | cloudnationhq/aa/azure | ~> 2.6 |
| eventgrid | cloudnationhq/eg/azure | ~> 1.4 |
| naming | CloudNationHQ/naming/azure | ~> 0.23 |
| runbooks | cloudnationhq/aa/azure//modules/runbooks | ~> 2.6 |
Resources:

| Name | Type |
|---|---|
| azuread_app_role_assignment.app_role_assignment | resource |
| azuread_application_published_app_ids.well_known | data source |
| azuread_service_principal.msgraph | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| environment | environment | `string` | n/a | yes |
| keyvaults | list of keyvaults to add to the eventgrid subscription | `list(object({` | `[]` | no |
| location | location code | `string` | n/a | yes |
| location_code | location code | `string` | n/a | yes |
| name_suffix | name suffix | `string` | `"asr-rb"` | no |
| resource_group_id | resource group id | `string` | n/a | yes |
| resource_group_name | resource group name | `string` | n/a | yes |
| tags | tags | `map(string)` | `{}` | no |
| webhook_expiration_end_year | webhook expiration in years | `number` | `2027` | no |
| workload | workload | `string` | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| automation_account_name | automation account |
| webhook_endpoint | webhook url for the runbook to receive the keyvault grid events |

See also: https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-tutorial