Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Description
Azure Functions will grab a keyvault secret change after a period of time that could take up to 24 hours.
So if we generate an 'azuread_application_password' and keep it in the keyvault and use it in an Azure Function, the reference will point to the previous version for a time that could be 24 hours (the maximum amount).
It will help if we can get the old secret to remain alive for an extra 24 hours and not get replaced.
New or Affected Resource(s)
An extra option to keep the old secret for up to X hours would help avoid a scenario where:
you need to pass over each Azure Function and force it to get the reference to the keyvault updated.
Think the problem is mostly a unique problem; you will have it only if you are using an application secret in a keyvault (and you save/retrieve from a keyvault).
Thanks for requesting this @SavaNDragos, it's good to know about rotation scenarios even if they are challenging to support in a robust way!
Thinking about this the other way round, is it possible to trigger a re-read of the client secret by the Function app? If so, maybe this would be a feasible approach as this can be modelled easily in Terraform assuming we can support it in the azurerm_*_function_app resources?
References
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#rotation