hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0
430 stars 295 forks

Allow azuread_application_password to append a new password when there is an active password #1549

Open par-texx opened 4 days ago

par-texx commented 4 days ago

Community Note

Description

Use Case

We are using azuread_application_password to generate client IDs and secrets for applications and storing the created client IDs and secrets in Vault, where applications can pull the credentials at run time. We would like to use the rotate_when_changed = { rotation = time_rotating.example.id } stanza to rotate the credentials before they expire so that applications can pull active credentials when they start up (whether they moved to a new node, were patched, etc.; why they restart isn't relevant), but we don't want to expire credentials that are in active use.
Using rotate_when_changed deletes the existing credential.

Ideally we would like azuread_application_password to append when there is a non-expired credential in place instead of delete then create.

New or Affected Resource(s)

Potential Terraform Configuration

resource "time_rotating" "example" {
  rotation_months = 1
}

resource "azuread_application_password" "example" {
  application_id = data.azuread_application.example.id
  end_date = timeadd(timestamp(),"1440h")
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

References
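To make the difference between the two behaviours concrete, here is an added illustration (not provider code, and not part of the original issue) that models the current delete-then-create rotation next to the requested append-and-prune rotation. The simulation runs a fixed rotation schedule and counts how many rotations would cut off a consumer that is still holding the previously issued secret; the dates, key IDs and the 30-day interval / 60-day lifetime are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Credential:
    """One application password: a key id with a validity window."""
    key_id: str
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


def rotate_replace(creds, now, lifetime, new_id):
    """Current rotate_when_changed behaviour: the existing password is deleted
    and a single new one is created, regardless of whether the old one has expired."""
    return [Credential(new_id, now, now + lifetime)]


def rotate_append(creds, now, lifetime, new_id):
    """Requested behaviour: keep every password that has not yet expired,
    drop the expired ones, and append a fresh password alongside them."""
    kept = [c for c in creds if c.end > now]
    return kept + [Credential(new_id, now, now + lifetime)]


def simulate(start, interval, lifetime, rotations, strategy):
    """Run `rotations` scheduled rotations and return (final credentials, gaps).

    A gap is a rotation at which a client still using a secret issued earlier
    would find that secret gone, i.e. the situation the issue wants to avoid."""
    creds = []
    gaps = 0
    for i in range(rotations):
        now = start + i * interval
        held_before = [c for c in creds if c.active(now)]
        creds = strategy(creds, now, lifetime, f"key-{i}")  # constructed key ids
        still_valid = [c for c in held_before if c in creds and c.active(now)]
        if held_before and not still_valid:
            gaps += 1
    return creds, gaps


# Constructed schedule: rotate every 30 days, each secret valid for 60 days,
# so with append semantics two secrets overlap at every rotation.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
INTERVAL = timedelta(days=30)
LIFETIME = timedelta(days=60)


def compare(rotations: int = 3):
    """Return gap counts and surviving key ids for both strategies."""
    replaced, gaps_replace = simulate(START, INTERVAL, LIFETIME, rotations, rotate_replace)
    appended, gaps_append = simulate(START, INTERVAL, LIFETIME, rotations, rotate_append)
    return {
        "replace": {"gaps": gaps_replace, "keys": [c.key_id for c in replaced]},
        "append": {"gaps": gaps_append, "keys": [c.key_id for c in appended]},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8s} gaps={result['gaps']} active={result['keys']}")
```

The append strategy only removes a password once its end date has passed, so the overlap condition is simply that the password lifetime exceeds the rotation interval (here 60 days against 30); the replace strategy produces a gap at every rotation after the first no matter how the lifetime is chosen.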

fleetwoodstack commented 17 hours ago

Agreed - we've just come to this conclusion too. When we rotate we don't want the applications using these credentials to stop working.