Automating Secret Rotation in Terraform
Managing secrets securely is a critical aspect of modern infrastructure management. Automating their rotation enhances security by reducing the risk of stale or compromised credentials. This post demonstrates how to implement automatic secret rotation in Terraform using Azure Entra ID (Azure AD) resources.
Key Components of the Terraform Code
Below is the Terraform code snippet that automates secret rotation for an Entra ID application. The example sets up an Azure AD application for ArgoCD, configures its redirect URIs, defines required permissions, and automates password rotation.
resource "azuread_application" "argocd" {
  display_name     = "argocd-${var.product_shortcut}-${var.product_environment}"
  sign_in_audience = "AzureADMyOrg"

  web {
    redirect_uris = [
      "http://localhost:8080/api/dex/callback"
    ]
  }

  public_client {
    redirect_uris = [
      "http://localhost:8085/auth/callback"
    ]
  }

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }
  }

  group_membership_claims = ["ApplicationGroup"]
}

# Rotation trigger: this resource is replaced every six months, which changes
# its id and thereby forces a new application password below.
resource "time_rotating" "argocd_password_rotation" {
  rotation_months = 6
}

resource "azuread_application_password" "argocd" {
  application_id = azuread_application.argocd.id
  display_name   = "Secret for argocd - managed by terraform"
  # Expire one year after the scheduled rotation time, leaving a window in
  # which `terraform apply` must run before the old secret becomes invalid.
  end_date = timeadd(time_rotating.argocd_password_rotation.rotation_rfc3339, "${24 * 365}h")

  rotate_when_changed = {
    rotation = time_rotating.argocd_password_rotation.id
  }
}
Breaking Down the Implementation
1. Azure AD Application Resource
The azuread_application resource defines the ArgoCD application registration in Azure AD. This is just an example; it can be any Azure AD application or service principal. The principle of secret rotation works with any kind of secret or password.
2. Time-Based Rotation Trigger
The time_rotating resource schedules a rotation event every six months (rotation_months = 6). This resource acts as the trigger for secret rotation.
The rotation_rfc3339 attribute generates an ISO 8601-compliant timestamp, ensuring compatibility with other Terraform resources.
3. Azure AD Application Password
The azuread_application_password resource manages the application’s secret:
- application_id: Links the password to the Azure AD application.
- end_date: Sets the expiry one year after the scheduled rotation time, so the secret remains valid beyond the rotation period and Terraform has time to process the rotation.
- rotate_when_changed: Tracks changes in the time_rotating resource and triggers rotation.
This setup allows Terraform to automatically replace the secret when the rotation trigger changes, ensuring consistent and secure secret management.
Why This Approach Works
Every time a terraform plan is generated, Terraform checks whether the rotation period has expired. If it has, it generates a new secret and replaces the Azure AD application password with it. You can adjust the rotation period and password expiry to your needs, but the expiry must be longer than the rotation period, because terraform apply has to run somewhere in the window between the scheduled rotation and the expiry – otherwise you will face authentication failures or downtime because of an expired secret.
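The rotation/expiry interplay described above, as an added example that is not from the original post: a small Python simulation that replays a sequence of terraform apply runs against the time_rotating / end_date logic of the HCL above and reports any window in which the old secret had already expired before the apply that replaces it. The apply schedules, the month-addition helper and the function names are constructed for this example.

```python
# Added example (not from the original post): replay `terraform apply` runs
# against the page's time_rotating + azuread_application_password pattern and
# check that the validity window always covers the time until the next apply.
import calendar
from datetime import datetime, timedelta, timezone


def add_months(t: datetime, months: int) -> datetime:
    """Calendar-month addition, mirroring time_rotating's rotation_months."""
    idx = t.month - 1 + months
    year, month = t.year + idx // 12, idx % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def plan_secret(created: datetime, rotation_months: int, validity_hours: int) -> dict:
    """One application password as the HCL defines it:
    rotate_at = time_rotating.rotation_rfc3339, end_date = timeadd(rotate_at, validity)."""
    rotate_at = add_months(created, rotation_months)
    return {"created": created, "rotate_at": rotate_at,
            "end_date": rotate_at + timedelta(hours=validity_hours)}


def simulate(applies: list, rotation_months: int = 6, validity_hours: int = 24 * 365):
    """A new secret is issued at the first apply on or after rotate_at. If that
    apply lands after end_date, the old secret had already expired: record the
    outage window (end_date, apply time). Returns (secrets, outages)."""
    secrets, outages = [plan_secret(applies[0], rotation_months, validity_hours)], []
    for when in applies[1:]:
        current = secrets[-1]
        if when >= current["rotate_at"]:
            if when > current["end_date"]:
                outages.append((current["end_date"], when))
            secrets.append(plan_secret(when, rotation_months, validity_hours))
    return secrets, outages


def max_apply_gap(applies: list) -> timedelta:
    """Largest gap between consecutive applies; the validity window must
    exceed this, or a rotation can fall into a period with no apply."""
    return max(b - a for a, b in zip(applies, applies[1:]))


# Constructed sample: monthly deployments on the 1st for two years.
MONTHLY = [add_months(datetime(2025, 1, 1, tzinfo=timezone.utc), i) for i in range(24)]
# Constructed sample: only two applies, combined with a one-day validity window.
SPARSE = [datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2025, 7, 15, tzinfo=timezone.utc)]

if __name__ == "__main__":
    secrets, outages = simulate(MONTHLY)
    print(len(secrets), "secrets issued,", len(outages), "outages")  # 4 secrets issued, 0 outages
    print(simulate(SPARSE, validity_hours=24)[1])  # one outage from 2025-07-02 to 2025-07-15
```

With the page's defaults (six-month rotation, one-year validity) a monthly deployment never hits an expired secret; the sparse schedule shows the outage the post warns about when apply does not run inside the window.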
Best Practices for Secret Rotation
- Apply for every secret: Do not use static secrets; use rotating secrets as much as possible and rotate them as often as possible.
- Monitor Expiry Dates: Ensure the end_date always exceeds the rotation period to prevent unintentional downtime.
- Deploy Regularly: Schedule Terraform deployments to enforce rotations on time.
- Audit Rotations: Use logging and monitoring tools to track secret updates and access patterns.
Conclusion
Automating secret rotation in Terraform not only simplifies credential management but also enhances your infrastructure’s security posture. The above approach integrates seamlessly with Azure AD and ensures your secrets are always up-to-date. As with any infrastructure as code practice, regular testing and monitoring are essential to maintain reliability and security.
Resources
- Terraform time resource
- Terraform Entra ID password rotate_when_changed property