From eee47207f91cb0a1bb957c7880d9a1e58f9de3bf Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Tue, 13 Jul 2021 12:53:49 +0100 Subject: [PATCH] Support `keepers` for password resources, to enable triggered rotation --- docs/resources/application_password.md | 21 +++++++++++++++ docs/resources/service_principal_password.md | 26 +++++++++++++++++++ .../application_password_resource.go | 22 +++++++++++----- .../service_principal_password_resource.go | 10 +++++++ 4 files changed, 73 insertions(+), 6 deletions(-) diff --git a/docs/resources/application_password.md b/docs/resources/application_password.md index b9e1116b0d..a35e6d66e7 100644 --- a/docs/resources/application_password.md +++ b/docs/resources/application_password.md @@ -8,13 +8,34 @@ Manages a password credential associated with an application within Azure Active ## Example Usage +*Basic example* + +```terraform +resource "azuread_application" "example" { + display_name = "example" +} + +resource "azuread_application_password" "example" { + application_object_id = azuread_application.example.object_id +} +``` + +*Time-based rotation* + ```terraform resource "azuread_application" "example" { display_name = "example" } +resource "time_rotating" "example" { + rotation_days = 7 +} + resource "azuread_application_password" "example" { application_object_id = azuread_application.example.object_id + keepers = { + rotation = time_rotating.example.id + } } ``` diff --git a/docs/resources/service_principal_password.md b/docs/resources/service_principal_password.md index f88cfc4b8c..100042461a 100644 --- a/docs/resources/service_principal_password.md +++ b/docs/resources/service_principal_password.md @@ -8,6 +8,8 @@ Manages a password credential associated with a service principal within Azure A ## Example Usage +*Basic example* + ```terraform resource "azuread_application" "example" { display_name = "example" 
@@ -22,6 +24,30 @@ resource "azuread_service_principal_password" "example" { } ``` +*Time-based rotation* + +```terraform +resource "azuread_application" "example" { + display_name = "example" +} + +resource "azuread_service_principal" "example" { + application_id = azuread_application.example.application_id +} + +resource "time_rotating" "example" { + rotation_days = 7 +} + +resource "azuread_service_principal_password" "example" { + service_principal_id = azuread_service_principal.example.object_id + keepers = { + rotation = time_rotating.example.id + } +} +``` + + ## Argument Reference The following arguments are supported: diff --git a/internal/services/applications/application_password_resource.go b/internal/services/applications/application_password_resource.go index 08ddb2dede..e3b7f7c71c 100644 --- a/internal/services/applications/application_password_resource.go +++ b/internal/services/applications/application_password_resource.go @@ -52,12 +52,6 @@ func applicationPasswordResource() *schema.Resource { ValidateDiagFunc: validate.UUID, }, - "key_id": { - Description: "A UUID used to uniquely identify this password credential", - Type: schema.TypeString, - Computed: true, - }, - "display_name": { Description: "A display name for the password", Type: schema.TypeString, @@ -94,6 +88,22 @@ func applicationPasswordResource() *schema.Resource { ValidateDiagFunc: validate.NoEmptyStrings, }, + "keepers": { + Description: "Arbitrary map of values that, when changed, will trigger rotation of the password", + Type: schema.TypeMap, + Optional: true, + ForceNew: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + + "key_id": { + Description: "A UUID used to uniquely identify this password credential", + Type: schema.TypeString, + Computed: true, + }, + "value": { Description: "The password for this application, which is generated by Azure Active Directory", Type: schema.TypeString, 
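Review bot: The `keepers` Description added in the second hunk ("will trigger rotation of the password") understates what `ForceNew: true` does here: under Terraform's default lifecycle the existing credential is destroyed before the replacement is created, so a keeper change opens a window in which any client still holding the old secret has no valid credential at all, and nothing in the schema or description points users at `create_before_destroy`. A map described as "arbitrary values" also invites someone to feed secret material into it, and, as with any non-sensitive attribute, those values will presumably be persisted in state and printed in plan output. Suggest `Description: "Arbitrary map of values that, when changed, will force a new password to be created; the existing credential is removed first unless create_before_destroy is set, and keeper values are stored in plain text in state, so do not use secrets as keepers",`. The schema map and the enclosing applicationPasswordResource function begin and end outside the hunk.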
diff --git a/internal/services/serviceprincipals/service_principal_password_resource.go b/internal/services/serviceprincipals/service_principal_password_resource.go index d16957c0ac..be423cb8b0 100644 --- a/internal/services/serviceprincipals/service_principal_password_resource.go +++ b/internal/services/serviceprincipals/service_principal_password_resource.go @@ -52,6 +52,16 @@ func servicePrincipalPasswordResource() *schema.Resource { ValidateDiagFunc: validate.UUID, }, + "keepers": { + Description: "Arbitrary map of values that, when changed, will trigger rotation of the password", + Type: schema.TypeMap, + Optional: true, + ForceNew: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "key_id": { Description: "A UUID used to uniquely identify this password credential", Type: schema.TypeString,
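Review bot: The new `keepers` attribute on the service principal password resource lands with no accompanying test change — the diffstat lists only the two docs files and the two resource files — so nothing asserts that changing a keeper value actually forces replacement (a new `key_id` and `value`) while an unchanged map leaves the credential alone. An acceptance test with one step applying `keepers = { a = "1" }`, a second with `a = "2"`, and a check that `key_id` differs between steps would pin the behaviour this commit exists to provide. Because the field is `Optional` and `ForceNew` but not `Computed`, dropping the map from configuration after it was set will presumably also diff against the stored value and rotate the credential; that case deserves either a test step or a sentence in the description so operators are not surprised by an unplanned secret revocation. The enclosing servicePrincipalPasswordResource function starts outside the hunk.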