add automation to rotate cert on terraform apply

reduce app certificate expiration significantly

Author: jacdavi

.gitignore

@@ -6,7 +6,5 @@
 *.secrets
 *.pfx
 *.pem
-*.tfvars
-!example.tfvars
-**/tenants/*
-!**/tenants/myorg.onmicrosoft.com.yaml
+**/env/*
+!**/env/example

m365/terraform/main.tf

@@ -34,6 +34,7 @@ module "app" {
   create_app          = var.create_app
   contact_email       = var.contact_email
   allowed_access_ips  = var.vnet.allowed_access_ip_list
+  certificate_rotation_period_days = var.certificate_rotation_period_days
 }
 
 module "networking" {

m365/terraform/modules/app/main.tf

@@ -57,9 +57,15 @@ resource "azurerm_key_vault" "vault" {
   }
 }
 
+# note this requires terraform to be run regularly
+resource "time_rotating" "cert_rotation" {
+  rotation_days = var.certificate_rotation_period_days
+}
+
 # Generate the app registration certificate
 resource "azurerm_key_vault_certificate" "cert" {
-  name         = "${var.app_name}-app-cert"
+  # Name change forces recreating certificate
+  name         = "${var.resource_prefix}-app-cert-${formatdate("YYYY-MM-DD", time_rotating.cert_rotation.rfc3339)}"
   key_vault_id = azurerm_key_vault.vault.id
 
   certificate_policy {
@@ -80,7 +86,7 @@ resource "azurerm_key_vault_certificate" "cert" {
       }
 
       trigger {
-        days_before_expiry = 30
+        days_before_expiry = max(3, ceil(var.certificate_rotation_period_days / 6))
       }
     }
 
@@ -98,7 +104,8 @@ resource "azurerm_key_vault_certificate" "cert" {
       ]
 
       subject            = "CN=${var.app_name}"
-      validity_in_months = 24
+      # min 1 month; approx. twice length of rotation period
+      validity_in_months = max(1, ceil(var.certificate_rotation_period_days * 2 / 30))
     }
   }
 }

m365/terraform/modules/app/variables.tf

@@ -23,6 +23,16 @@ variable "contact_email" {
   type        = string
 }
 
+variable "certificate_rotation_period_days" {
+  type        = number
+  description = "How many days between when the certificate key should be rotated. Note: rotation requires running terraform"
+  default = 30
+  validation {
+    condition = var.certificate_rotation_period_days <= 60 && var.certificate_rotation_period_days >= 3
+    error_message = "Rotation period must be between 3 and 60 days"
+  }
+}
+
 variable "image_path" {
   type        = string
   description = "Path to image used for app logo. Displayed in Azure console on installed tenants. Only needed when create_app=true"

m365/terraform/variables.tf

@@ -27,6 +27,16 @@ variable "contact_email" {
   type        = string
 }
 
+variable "certificate_rotation_period_days" {
+  type        = number
+  description = "How many days between when the certificate key should be rotated. Note: rotation requires running terraform"
+  default = 30
+  validation {
+    condition = var.certificate_rotation_period_days <= 60 && var.certificate_rotation_period_days >= 3
+    error_message = "Rotation period must be between 3 and 60 days"
+  }
+}
+
 variable "resource_group_name" {
   type        = string
   description = "Resource group to create and build resources in"