KeyVault Secrets Rotation Management

01-keyvault-reference.txt

@Microsoft.KeyVault(SecretUri=https://<keyvault_name>.vault.azure.net/secrets/<secret_name>)

02-add-nuget-packages.sh

dotnet add package Azure.Security.KeyVault.Secrets --version 4.2.0-beta.4
dotnet add package Azure.Identity --version 1.4.0-beta.3

03-add-nuget-packages.sh

dotnet add package System.Linq.Async --version 4.1.1

04-add-new-httptrigger.sh

func new --name BulkDisableSecretsHttpTrigger --template HttpTrigger --language C#

05-secrets-httptrigger-01.cs

public static class BulkDisableSecretsHttpTrigger
{
    [FunctionName("BulkDisableSecretsHttpTrigger")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "POST", Route = "secrets/all/disable")] HttpRequest req,
        ILogger log)
    {

05-secrets-httptrigger-02.cs

        // Get the KeyVault URI
        var uri = Environment.GetEnvironmentVariable("KeyVault__Uri");

        // Get the tenant ID where the KeyVault lives
        var tenantId = Environment.GetEnvironmentVariable("KeyVault__TenantId");

05-secrets-httptrigger-03.cs

        // Set the tenant ID, in case your account has multiple tenants logged in
        var options = new DefaultAzureCredentialOptions()
        {
            SharedTokenCacheTenantId = tenantId,
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
        };
        var client = new SecretClient(new Uri(uri), new DefaultAzureCredential(options));

05-secrets-httptrigger-04.cs

        // Get the all secrets
        var secrets = await client.GetPropertiesOfSecretsAsync()
                                  .ToListAsync()
                                  .ConfigureAwait(false);

        var utcNow = DateTimeOffset.UtcNow;
        var results = new Dictionary<string, object>();

05-secrets-httptrigger-05.cs

        foreach (var secret in secrets)
        {
            // Get the all versions of the given secret
            // Filter only enabled versions
            // Sort by the created date in a reverse order
            var versions = await client.GetPropertiesOfSecretVersionsAsync(secret.Name)
                                       .WhereAwait(p => new ValueTask<bool>(p.Enabled.GetValueOrDefault() == true))
                                       .OrderByDescendingAwait(p => new ValueTask<DateTimeOffset>(p.CreatedOn.GetValueOrDefault()))
                                       .ToListAsync()
                                       .ConfigureAwait(false);

05-secrets-httptrigger-06.cs

            // Do nothing if there is no version enabled
            if (!versions.Any())
            {
                continue;
            }

05-secrets-httptrigger-07.cs

            // Do nothing if there is only one version enabled
            if (versions.Count < 2)
            {
                continue;
            }

05-secrets-httptrigger-08.cs

            // Do nothing if the latest version was generated less than a day ago
            if (versions.First().CreatedOn.GetValueOrDefault() <= utcNow.AddDays(-1))
            {
                continue;
            }

05-secrets-httptrigger-09.cs

            // Disable all versions except the first (latest) one
            var candidates = versions.Skip(1).ToList();
            var result = new List<SecretProperties>() { versions.First() };
            foreach (var candidate in candidates)
            {
                candidate.Enabled = false;

                var response = await client.UpdateSecretPropertiesAsync(candidate).ConfigureAwait(false);

                result.Add(response.Value);
            }

            results.Add(secret.Name, result);
        }

05-secrets-httptrigger-10.cs

        var res = new ContentResult()
        {
            Content = JsonConvert.SerializeObject(results, Formatting.Indented),
            ContentType = "application/json",
        };

        return res;
    }
}