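# Each entry carries the secret name and the secret value as two separate fields so the
# template can refer to each one independently: variableName becomes the Key Vault secret
# name, and variableValue is expected to be supplied by the variable group passed in via
# `variableGroup` (the `$(...)` defaults are runtime macro references resolved against
# that group, not literal values).
parameters:
- name: libraryVariables
  type: object
  default:
  - variableName: var1
    variableValue: $(var1)
  - variableName: var2
    variableValue: $(var2)
  - variableName: var3
    variableValue: $(var3)
# Template-specific parameters. Every parameter a caller (main.yaml) passes must be declared
# here, otherwise template compilation rejects it as an unexpected parameter. All are plain
# strings with empty defaults; the template itself performs no validation of them, so an
# empty vaultName or serviceConnectionName is only detected when the AzureCLI@2 task runs.
- name: variableGroup
  type: string
  default: ''
- name: stageName
  type: string
  default: ''
- name: stageDisplayName
  type: string
  default: ''
- name: vaultName
  type: string
  default: ''
- name: serviceConnectionName
  type: string
  default: ''
- name: adoEnvironment
  type: string
  default: ''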
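stages:
- stage: ${{ parameters.stageName }}
  displayName: ${{ parameters.stageDisplayName }}
  variables:
  # Supplies the $(...) values referenced by libraryVariables. Values must be marked
  # secret in the group for Azure Pipelines to mask them in task logs.
  - group: ${{ parameters.variableGroup }}
  jobs:
  # Deployment job bound to an environment: the environment's approvals/checks are the
  # only gate in this stage, so every other job must be ordered after it.
  - deployment: 'approvalGate'
    displayName: 'Approval Gate'
    environment: ${{ parameters.adoEnvironment }}
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo 'Approval Granted, continuing'
  - job: rotateSecrets
    displayName: ${{ parameters.stageDisplayName }}
    # Jobs in a stage run in parallel unless ordered explicitly. Without this dependency the
    # rotation would start while the approval is still pending, bypassing the gate above.
    dependsOn: approvalGate
    steps:
    - ${{ each libraryVariable in parameters.libraryVariables }}:
      - task: AzureCLI@2
        displayName: 'Rotate Secrets'
        enabled: true
        inputs:
          azureSubscription: ${{ parameters.serviceConnectionName }}
          failOnStandardError: true
          scriptType: bash
          scriptLocation: inlineScript
          inlineScript: |
            set -euo pipefail
            # Name and value arrive as environment variables (see env: below) rather than being
            # templated into the script text: quotes or shell metacharacters in a secret can then
            # neither break nor alter the command, and the value never appears in the rendered
            # script body. An empty value means "nothing to rotate for this entry" and is skipped.
            if [[ -z "${SECRET_VALUE:-}" ]]; then
              exit 0
            fi
            # Azure Pipelines leaves a $(...) macro unexpanded when the variable group does not
            # define it; storing that literal text in the vault would silently corrupt the secret.
            if [[ "$SECRET_VALUE" == '$('*')' ]]; then
              echo "##vso[task.logissue type=error]Value for '$SECRET_NAME' was not resolved from the variable group."
              exit 1
            fi
            # NOTE(review): the value is still passed as an argument to the az process on the agent;
            # if argv exposure on the agent host is a concern, switch to `--file` with a temp file.
            az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" --value "$SECRET_VALUE" --output none
        env:
          VAULT_NAME: ${{ parameters.vaultName }}
          SECRET_NAME: ${{ libraryVariable.variableName }}
          SECRET_VALUE: ${{ libraryVariable.variableValue }}
  - job: getSecretNames
    displayName: 'Get Secret Names'
    # Ordered after the rotation so the listing reflects the vault's post-rotation state
    # (and, transitively, never runs before the approval gate).
    dependsOn: rotateSecrets
    steps:
    - task: AzureCLI@2
      displayName: 'Get Secret Names'
      inputs:
        azureSubscription: ${{ parameters.serviceConnectionName }}
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          set -euo pipefail
          # Only secret names are listed, never values. Names are still vault metadata, so
          # restrict who can read this pipeline's logs accordingly.
          secrets=$(az keyvault secret list --vault-name "$VAULT_NAME" --query "[].name" -o tsv)
          echo "Secret Names: $secrets"
      env:
        VAULT_NAME: ${{ parameters.vaultName }}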