App Registration Secret Automation

Automating App Registration Secret Management

This document outlines the automated process for managing secrets for Azure AD app registrations. The automation ensures that secrets are securely created, rotated, and stored without manual intervention. It supports the DCS tenant and the Crime Non-Prod and Prod environments.

Key Features:

  • Automated Secret Creation: Secrets for app registrations are generated automatically using Terraform.
  • Secure Storage: Secrets are securely stored in Azure Key Vault and HashiCorp Vault (optional).
  • Periodic Rotation: Secrets are rotated periodically to enhance security.

How to Add a New Secret

To create a new secret, refer to the detailed steps in the GitHub pull request.

Secret Storage

Secrets are stored in both Azure Key Vault and HashiCorp Vault (optional). The storage paths are as follows:

Key Vault Location:

  • Non-Live: KV-MDV-CCM-0
  • Live: KV-MPD-CCM-01

HashiCorp Vault Paths:

  • Non-Live: secret/terraform/mdv/serviceaccounts/secret
  • Live: secret/terraform/mpd/serviceaccounts/secret

More details can be found on the repo here.

Create New Secrets

Creating a new secret for an app registration can be done by adding a new block in the Terraform configuration in the tfvars file for the respective environment. See this example that shows the rotation configuration for an existing app registration.

Below is an example configuration for creating a new secret:

{
  name                       = "test"   # display name of the secret on the app registration
  create_secret              = true     # mint a secret for this app registration
  write_secret_to_hashivault = false    # Key Vault only; set to true to also write the secret to HashiCorp Vault
  secret_end_date_relative   = "8760h"  # 1 year
  enable_rotation            = true     # include this secret in the scheduled rotation run
}

Create Secret for Existing App Registration

To create a secret for an existing app registration, reference the client_id (object ID) variable for the new secret. Below is an example configuration:

{
  client_id                   = "existing-app-registration-object_id"
  name                        = "new-secret-name"
  create_secret               = true
  write_secret_to_hashivault  = true
  secret_end_date_relative    = "8760h" # 1 year
  enable_rotation             = true
}

For more details on importing existing app registrations, refer to the Example PR.

Once the Terraform configuration is updated, the pipeline will be triggered automatically every Monday at 7 PM to create or rotate secrets as per the configuration.

Secret Expiry

We recommend setting the secret duration to 1 year (8760h) to ensure regular rotation and enhanced security. Adjust the secret_end_date_relative value as needed, using hourly increments.
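The two tfvars blocks above and the weekly Monday 19:00 schedule leave one failure mode unstated: a secret whose secret_end_date_relative is shorter than the gap between pipeline runs expires before the pipeline can rotate it. The following Python is an added example, not part of this page or the platform's Terraform; it mirrors the tfvars entry shape shown above with constructed values (the entry names, the 72h entry, and the example clock are hypothetical), parses the hourly duration, works out the next scheduled run, and flags entries that would lapse before rotation or that create a secret without enabling rotation.

```python
import re
from datetime import datetime, timedelta

# Constructed entries mirroring the tfvars blocks on this page (hypothetical values).
ENTRIES = [
    {"name": "test", "create_secret": True, "write_secret_to_hashivault": False,
     "secret_end_date_relative": "8760h", "enable_rotation": True},
    {"client_id": "existing-app-registration-object_id", "name": "new-secret-name",
     "create_secret": True, "write_secret_to_hashivault": True,
     "secret_end_date_relative": "8760h", "enable_rotation": True},
    # Deliberately short-lived: expires before the next weekly run could rotate it.
    {"name": "short-lived", "create_secret": True, "write_secret_to_hashivault": False,
     "secret_end_date_relative": "72h", "enable_rotation": True},
]

# The page states the pipeline runs every Monday at 7 PM, i.e. a 7-day rotation interval.
ROTATION_INTERVAL = timedelta(days=7)

# Constructed "current time" for the stand-alone run (a Thursday morning).
EXAMPLE_NOW = datetime(2025, 12, 4, 10, 0)


def parse_relative_duration(value: str) -> timedelta:
    """Parse a relative duration such as "8760h" into a timedelta.

    The page specifies hourly increments, so only the "h" suffix is accepted.
    """
    match = re.fullmatch(r"(\d+)h", value.strip())
    if not match:
        raise ValueError(f"expected '<hours>h', got {value!r}")
    return timedelta(hours=int(match.group(1)))


def next_monday_run(now: datetime) -> datetime:
    """Return the next Monday 19:00 strictly after `now` (Monday == weekday 0)."""
    days_ahead = (0 - now.weekday()) % 7
    candidate = (now + timedelta(days=days_ahead)).replace(
        hour=19, minute=0, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def validate_entries(entries, now: datetime) -> list:
    """Return (secret name, message) findings for a list of tfvars-style entries."""
    findings = []
    seen_names = set()
    for entry in entries:
        name = entry.get("name", "<unnamed>")
        if name in seen_names:
            findings.append((name, "duplicate secret name"))
        seen_names.add(name)

        if entry.get("create_secret") and not entry.get("enable_rotation"):
            findings.append((name, "secret is created but enable_rotation is not set"))

        try:
            lifetime = parse_relative_duration(entry["secret_end_date_relative"])
        except (KeyError, ValueError) as exc:
            findings.append((name, f"bad secret_end_date_relative: {exc}"))
            continue

        # The secret is minted at the next scheduled run and expires `lifetime` later;
        # if that is not later than the following run, it lapses before rotation.
        expiry = next_monday_run(now) + lifetime
        if lifetime <= ROTATION_INTERVAL:
            findings.append((name, f"lifetime {lifetime} is not longer than the "
                                   f"{ROTATION_INTERVAL.days}-day rotation interval; "
                                   f"secret would expire {expiry:%Y-%m-%d %H:%M} "
                                   "before the next run rotates it"))
    return findings


def run_example() -> list:
    """Validate the constructed entries against the constructed clock."""
    return validate_entries(ENTRIES, EXAMPLE_NOW)


if __name__ == "__main__":
    for secret_name, message in run_example():
        print(f"{secret_name}: {message}")
```

Run it as a pre-merge check over the tfvars list for an environment before the Monday run picks it up; the 1-year recommendation above clears the interval check by a wide margin, while the constructed 72h entry is the one that trips it.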

This page was last reviewed on 4 December 2025. It needs to be reviewed again on 4 December 2026 by the page owner platops-build-notices .