Hi everyone,
I've been working with Terraform to manage secrets in Azure Key Vault, and we're utilizing these secrets in our App Service with Key Vault references. Generally, it works well, but we've run into a significant issue: when we use versionless references, it can take up to 24 hours for the latest secret value to be fetched, which is actually a documented behavior. We managed to work around this by using versioned secrets, but that presents another problem: after updating a secret, I have to run Terraform apply twice—first to update the secret and then to update the App Service with the new secret reference.
I've read that we might be able to use versionless secrets and trigger a management API call to refresh the secrets in the App Service, but I'm unsure if this is a good practice. Is there a way to update both the secret and the reference in the App Service in a single Terraform run?
Thanks!
3 Answers
I ran into a similar issue before. A workaround I found was to stop and start the App Service, which oddly doesn't trigger a refresh on its own. Another method we used was flipping a dummy app setting from 0 to 1 to force a refresh. However, eventually, we went with a PowerShell script that made a REST call to refresh the secrets as needed.
It sounds like you might be able to accomplish this in one run! If you share your code for how you're declaring the secrets and their references, we can take a closer look. Normally, I'd expect both to update with one apply if set up correctly.
There's actually an API available for this—check out the Azure Key Vault documentation for App Service references. Ideally, you should update secrets before they expire so that both versions are valid, which helps avoid the refresh issue.
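One way to get both the new secret version and the App Service reference updated in a single apply, as an added example that is not code from the question or any of the answers above: build the app setting from the secret resource's versioned `id`, so the dependency is explicit in the Terraform graph. Resource names, the region and the variables are placeholders; an existing Key Vault and App Service plan are assumed.

```hcl
# Added example, not from the original thread. Assumes an existing
# resource group, App Service plan and Key Vault; all names are placeholders.
data "azurerm_key_vault" "kv" {
  name                = "example-kv"   # placeholder
  resource_group_name = "example-rg"   # placeholder
}

variable "service_plan_id" {
  type = string                        # placeholder: ID of an existing plan
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Changing var.db_password creates a new secret version on the next apply.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "azurerm_linux_web_app" "app" {
  name                = "example-app"  # placeholder
  resource_group_name = "example-rg"   # placeholder
  location            = "westeurope"   # placeholder
  service_plan_id     = var.service_plan_id

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    # Versioned reference: `.id` embeds the secret version in the URI, so a new
    # version changes this string and Terraform updates the app setting in the
    # same apply that created the version (no second apply, no 24h cache wait).
    # `.versionless_id` would give the versionless URI the question describes.
    "DB_PASSWORD" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_password.id})"
  }
}

# The app's managed identity needs read access for the reference to resolve.
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = data.azurerm_key_vault.kv.id
  tenant_id          = azurerm_linux_web_app.app.identity[0].tenant_id
  object_id          = azurerm_linux_web_app.app.identity[0].principal_id
  secret_permissions = ["Get", "List"]
}
```

On the very first apply the access policy is created after the app, so the reference resolves only once the policy exists; subsequent secret rotations flow through in one apply.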