Allow azuread_application_password to append a new password when there is an active password

[par-texx]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

##Use Case
We are using azuread_application_password to generate client ID's and Secrets for applications and storing the created Client ID's and Secrets in Vault where applications can pull the credentials at run time. We would like to use the
rotate_when_changed = { rotation = time_rotating.example.id }
stanza to rotate the credentials before they expire so that applications can pull active credentials when they startup (either move to a new node, patching, etc. Why they restart isn't relevant), but we don't want to expire credentials that are in active use.
Using rotate_when_changed deletes the existing credential.

Ideally we would like azuread_application_password to append when there is a non-expired credential in place instead of delete then create.

New or Affected Resource(s)

• azuread_application_password (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password)

Potential Terraform Configuration

resource "time_rotating" "example" {
  rotation_months = 1
}

resource "azuread_application_password" "example" {
  application_id = data.azuread_application.example.id
  end_date = timeadd(timestamp(),"1440h")
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

References

• #0000

[fleetwoodstack]

Agreed - we've just come to this conclusion too. When we rotate we don't want the applications using these credentials to stop working.

[bronhy]

We have the same issue.