Created
February 21, 2021 14:56
-
-
Save justinyoo/948385359cc739a48ad5afdf07db932e to your computer and use it in GitHub Desktop.
Event-Driven KeyVault Secrets Rotation Management
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
func new --name DisableSecretHttpTrigger --template HttpTrigger --language C# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public static class DisableSecretHttpTrigger | |
{ | |
[FunctionName("DisableSecretHttpTrigger")] | |
public static async Task<IActionResult> Run( | |
[HttpTrigger(AuthorizationLevel.Function, "POST", Route = "secrets/{name}/disable/{count:int?}")] HttpRequest req, | |
string name, int? count, | |
ILogger log) | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Get the KeyVault URI | |
var uri = Environment.GetEnvironmentVariable("KeyVault__Uri"); | |
// Get the tenant ID where the KeyVault lives | |
var tenantId = Environment.GetEnvironmentVariable("KeyVault__TenantId"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Set the tenant ID, in case your account has multiple tenants logged in | |
var options = new DefaultAzureCredentialOptions() | |
{ | |
SharedTokenCacheTenantId = tenantId, | |
VisualStudioTenantId = tenantId, | |
VisualStudioCodeTenantId = tenantId, | |
}; | |
var client = new SecretClient(new Uri(uri), new DefaultAzureCredential(options)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Get the all versions of the given secret | |
// Filter only enabled versions | |
// Sort by the created date in a reverse order | |
var versions = await client.GetPropertiesOfSecretVersionsAsync(name) | |
.WhereAwait(p => new ValueTask<bool>(p.Enabled.GetValueOrDefault() == true)) | |
.OrderByDescendingAwait(p => new ValueTask<DateTimeOffset>(p.CreatedOn.GetValueOrDefault())) | |
.ToListAsync() | |
.ConfigureAwait(false); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Do nothing if there is no version enabled | |
if (!versions.Any()) | |
{ | |
return new AcceptedResult(); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
if (!count.HasValue) | |
{ | |
count = 2; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Do nothing if there is only given number of versions enabled | |
if (versions.Count < count.Value + 1) | |
{ | |
return new AcceptedResult(); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Disable all versions except the first (latest) given number of versions | |
var candidates = versions.Skip(count.Value).ToList(); | |
var results = new List<SecretProperties>(); | |
results.AddRange(versions.Take(count.Value)); | |
foreach (var candidate in candidates) | |
{ | |
candidate.Enabled = false; | |
var response = await client.UpdateSecretPropertiesAsync(candidate).ConfigureAwait(false); | |
results.Add(response.Value); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var res = new ContentResult() | |
{ | |
Content = JsonConvert.SerializeObject(results, Formatting.Indented), | |
ContentType = "application/json", | |
StatusCode = (int)HttpStatusCode.OK, | |
}; | |
return res; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment