terraform-azurerm-automation-runbook-app-secret-rotation

Terraform module to deploy an azure runbook for rotating azure application client secrets, triggered from keyvault expired secret grid events. and configarable with tags on azure keyvault secrets.

High Level Design

1. an automation account with a runbook is deployed with a webhook trigger
2. an event grid subscription is deployed for keyvault expired secret events and new secret version created event to create the initial secret
3. to use the auto rotation a keyvault secret needs to be created with the required tags
4. the keyvault needs to be added to this modules keyvault subscriptions var
5. the automation account needs to have the required permissions to the keyvault for updating the secret and chaning the ip firewall rules

Usage/keyvault secret tags

the azure keyvault secret can be configured to autorotate with the following tags

    "az_aa_client_secret_rotation.app_name"                   = "AZURE_APPLICATION_NAME_TO_ROTATE_CLIENT_SECRET"
    "az_aa_client_secret_rotation.client_secret_display_name" = "auto_rotated_client_secret"
    "az_aa_client_secret_rotation.enabled"                    = "true"
    "az_aa_client_secret_rotation.expiration_in_days"         = "90"
    "az_aa_client_secret_rotation.notification_recipients"    = "person1@mail.com,person2@mail.com"
    "az_aa_client_secret_rotation.notification_sender"        = "existing_sender_mail@mail.com"

to cleanup client secrets from an application the following tag can be used:

"az_aa_client_secret_rotation.delete_client_secret" = "true"

Requirements

Name	Version
azurerm	~> 4.0

Providers

Name	Version
azuread	n/a

Modules

Name	Source	Version
automation_account	cloudnationhq/aa/azure	~> 2.6
eventgrid	cloudnationhq/eg/azure	~> 1.4
naming	CloudNationHQ/naming/azure	~> 0.23
runbooks	cloudnationhq/aa/azure//modules/runbooks	~> 2.6

Resources

Name	Type
azuread_app_role_assignment.app_role_assignment	resource
azuread_application_published_app_ids.well_known	data source
azuread_service_principal.msgraph	data source

Inputs

Name	Description	Type	Default	Required
environment	environment	string	n/a	yes
keyvaults	list of keyvaults to add to the eventgrid subscription	list(object({ name = string id = string }))	[]	no
location	location code	string	n/a	yes
location_code	location code	string	n/a	yes
name_suffix	name suffix	string	"asr-rb"	no
resource_group_id	resource group id	string	n/a	yes
resource_group_name	resource group name	string	n/a	yes
tags	tags	map(string)	{}	no
webhook_expiration_end_year	webhook expiration in years	number	2027	no
workload	workload	string	n/a	yes

Outputs

Name	Description
automation_account_name	automation account
webhook_endpoint	webhook url for the runbook to receive the keyvault grid events

references

https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-tutorial