[Security] Key Vault secrets and keys should have an expiration date #4478

ashis-kar91 opened this issue Apr 10, 2025 · 3 comments
Labels
story Stories are the smallest unit of work to be done for a project.

Comments

@ashis-kar91
Collaborator

A couple more for the list:

  • Key Vault secrets should have an expiration date
  • Authentication to Linux machines should require SSH keys

Originally posted by @jonnyry in #4303

Description

This issue is a sub-issue of the referenced issue, to discuss the security recommendation of having an expiry date on Key Vault secrets and keys. The goal is to discuss and come up with a solution for secret rotation that satisfies the acceptance criteria below.

Acceptance criteria

  • Key vault secrets and keys should have an expiry set
  • Secret rotation should be automated with new expiry
  • There should be minimal to no downtime during the rotation
@ashis-kar91 ashis-kar91 added the story Stories are the smallest unit of work to be done for a project. label Apr 10, 2025
@ashis-kar91
Collaborator Author

@marrobi @jonnyry,
Are there any solutions already discussed for this issue?
Without going too much into the details of the implementation, I have some high-level ideas.
We may need a background worker to monitor the expiry at a certain interval and update as needed. Or can we use Azure Automation scripts to do this?
Another approach could be to create a wrapper to access the secret and check for expiry every time. If the secret is about to expire, we can either update it from the wrapper utility (if possible) or send an alert for manual rotation.
Thoughts?
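
The two approaches floated in the comment above (a background worker that audits expiry on a schedule, and a wrapper that checks expiry on every access) share one classification step. The following is an added example of that step, not code from the Azure TRE project: SecretInfo, the fetch callable and the sample inventory are constructed, with field names chosen to mirror the SecretProperties fields of the azure-keyvault-secrets SDK.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed record mirroring the SecretProperties fields (name, enabled, expires_on)
# returned by azure-keyvault-secrets; a real wrapper would fill it from SecretClient calls.
@dataclass
class SecretInfo:
    name: str
    enabled: bool
    expires_on: Optional[datetime]  # None: no expiry set, which the policy forbids

def classify(secret: SecretInfo, now: datetime, warn_days: int = 30) -> str:
    """Return 'no-expiry', 'expired', 'expiring' (within warn_days) or 'ok'."""
    if secret.expires_on is None:
        return "no-expiry"
    if secret.expires_on <= now:
        return "expired"
    if secret.expires_on - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def audit(secrets, now: datetime, warn_days: int = 30) -> dict:
    """Background-worker view: group enabled secrets by state (disabled ones are skipped)."""
    report = {"no-expiry": [], "expired": [], "expiring": [], "ok": []}
    for s in secrets:
        if s.enabled:
            report[classify(s, now, warn_days)].append(s.name)
    return report

def get_secret_checked(fetch, name: str, now: datetime, warn_days: int = 30):
    """Wrapper view: refuse expired secrets; fetch(name) is hypothetical, returning (value, SecretInfo)."""
    value, info = fetch(name)
    state = classify(info, now, warn_days)
    if state == "expired":
        raise RuntimeError(f"{name} expired on {info.expires_on:%Y-%m-%d}; rotate it first")
    return value, state  # caller alerts or triggers rotation when state == "expiring"

def next_expiry(now: datetime, rotation_days: int = 90) -> datetime:
    """Expiry to stamp on the new secret version written during rotation."""
    return now + timedelta(days=rotation_days)

# Constructed sample inventory for a dry run
NOW = datetime(2025, 5, 8, tzinfo=timezone.utc)
SAMPLE = [SecretInfo("api-client-secret", True, None),
          SecretInfo("db-password", True, NOW - timedelta(days=1)),
          SecretInfo("storage-key", True, NOW + timedelta(days=10)),
          SecretInfo("tls-cert-pfx", True, NOW + timedelta(days=200)),
          SecretInfo("old-token", False, None)]
```

Running audit(SAMPLE, NOW) flags the secret with no expiry and the expired one separately from the one inside the warning window, which is the distinction an alert or rotation job needs.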

@marrobi
Member

marrobi commented May 8, 2025

I think the first step is to create a list of secrets that need rotating.

Then, are there standard "Azure" ways for this to be done, or do we need something TRE-specific?

@marrobi
Member

marrobi commented May 8, 2025

Worth a read - https://2mas.github.io/blog/rotating-azure-app-registration-secrets-with-terraform/
