Event-Driven KeyVault Secrets Rotation Management

01-func-new-http-trigger.sh

func new --name DisableSecretHttpTrigger --template HttpTrigger --language C#

02-disable-secret-http-trigger-01.cs

public static class DisableSecretHttpTrigger
{
    [FunctionName("DisableSecretHttpTrigger")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "POST", Route = "secrets/{name}/disable/{count:int?}")] HttpRequest req,
        string name, int? count,
        ILogger log)
    {

02-disable-secret-http-trigger-02.cs

        // Get the KeyVault URI
        var uri = Environment.GetEnvironmentVariable("KeyVault__Uri");

        // Get the tenant ID where the KeyVault lives
        var tenantId = Environment.GetEnvironmentVariable("KeyVault__TenantId");

02-disable-secret-http-trigger-03.cs

        // Set the tenant ID, in case your account has multiple tenants logged in
        var options = new DefaultAzureCredentialOptions()
        {
            SharedTokenCacheTenantId = tenantId,
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
        };
        var client = new SecretClient(new Uri(uri), new DefaultAzureCredential(options));

02-disable-secret-http-trigger-04.cs

        // Get the all versions of the given secret
        // Filter only enabled versions
        // Sort by the created date in a reverse order
        var versions = await client.GetPropertiesOfSecretVersionsAsync(name)
                                   .WhereAwait(p => new ValueTask<bool>(p.Enabled.GetValueOrDefault() == true))
                                   .OrderByDescendingAwait(p => new ValueTask<DateTimeOffset>(p.CreatedOn.GetValueOrDefault()))
                                   .ToListAsync()
                                   .ConfigureAwait(false);

02-disable-secret-http-trigger-05.cs

        // Do nothing if there is no version enabled
        if (!versions.Any())
        {
            return new AcceptedResult();
        }

02-disable-secret-http-trigger-06.cs

        if (!count.HasValue)
        {
            count = 2;
        }

02-disable-secret-http-trigger-07.cs

        // Do nothing if there is only given number of versions enabled
        if (versions.Count < count.Value + 1)
        {
            return new AcceptedResult();
        }

02-disable-secret-http-trigger-08.cs

        // Disable all versions except the first (latest) given number of versions
        var candidates = versions.Skip(count.Value).ToList();
        var results = new List<SecretProperties>();
        results.AddRange(versions.Take(count.Value));
        foreach (var candidate in candidates)
        {
            candidate.Enabled = false;

            var response = await client.UpdateSecretPropertiesAsync(candidate).ConfigureAwait(false);

            results.Add(response.Value);
        }

02-disable-secret-http-trigger-09.cs

        var res = new ContentResult()
        {
            Content = JsonConvert.SerializeObject(results, Formatting.Indented),
            ContentType = "application/json",
            StatusCode = (int)HttpStatusCode.OK,
        };

        return res;
    }
}