feat: [DTOSS-12086] set the secret and certificate‑expiry alert defaults to null #280

Merged
nc-shahidazim merged 1 commit into main from feat/DTOSS-12086-alert-secrets-expiry-v2 on Feb 20, 2026

Conversation


@nc-shahidazim nc-shahidazim commented Feb 20, 2026

Description

This PR updates the alert configuration by setting both secret‑expiry and certificate‑expiry alert defaults to null. This prevents unnecessary alerts from being created when the functionality is not explicitly enabled.

Context

Previously, default values caused the module to create expiry alerts even when not required. Making the defaults null restores expected behaviour and enables consumers to opt-in explicitly.

Terraform Plan (sandbox environment)

  # module.key_vault["uksouth"].azurerm_monitor_scheduled_query_rules_alert_v2.kv_secret_expired[0] will be created
  + resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_secret_expired" {
      + auto_mitigation_enabled                = false
      + created_with_api_version               = (known after apply)
      + description                            = "The Key Vault secret has expired."
      + enabled                                = true
      + evaluation_frequency                   = "PT15M"
      + id                                     = (known after apply)
      + is_a_legacy_log_analytics_rule         = (known after apply)
      + is_workspace_alerts_storage_configured = (known after apply)
      + location                               = "uksouth"
      + name                                   = "<key-vault-name>-secret-expired"
      + resource_group_name                    = "<resource-group>"
      + scopes                                 = [
          + "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>",
        ]
      + severity                               = 2
      + window_duration                        = "PT1H"
      + workspace_alerts_storage_enabled       = false

      + action {
          + action_groups = [
              + "/subscriptions/<subscription-id>/resourceGroups/<resource-group>-monitoring/providers/Microsoft.Insights/actionGroups/<action-group-name>",
            ]
        }

      + criteria {
          + metric_measure_column   = "Events"
          + operator                = "GreaterThanOrEqual"
          + query                   = <<-EOT
                AzureDiagnostics
                | where ResourceProvider == "MICROSOFT.KEYVAULT"
                | where OperationName contains "SecretExpired"
                | project
                    SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s","")
                | summarize Events=count() by SecretName
            EOT
          + resource_id_column      = "SecretName"
          + threshold               = 1
          + time_aggregation_method = "Total"

          + dimension {
              + name     = "SecretName"
              + operator = "Include"
              + values   = [
                  + "*",
                ]
            }
        }
    }


  # module.key_vault["uksouth"].azurerm_monitor_scheduled_query_rules_alert_v2.kv_secret_near_expiry[0] will be created
  + resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_secret_near_expiry" {
      + auto_mitigation_enabled                = false
      + created_with_api_version               = (known after apply)
      + description                            = "The Key Vault secret is nearing expiration."
      + enabled                                = true
      + evaluation_frequency                   = "P1D"
      + id                                     = (known after apply)
      + is_a_legacy_log_analytics_rule         = (known after apply)
      + is_workspace_alerts_storage_configured = (known after apply)
      + location                               = "uksouth"
      + name                                   = "<key-vault-name>-secret-near-expiry"
      + resource_group_name                    = "<resource-group>"
      + scopes                                 = [
          + "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>",
        ]
      + severity                               = 2
      + window_duration                        = "P1D"
      + workspace_alerts_storage_enabled       = false

      + action {
          + action_groups = [
              + "/subscriptions/<subscription-id>/resourceGroups/<resource-group>-monitoring/providers/Microsoft.Insights/actionGroups/<action-group-name>",
            ]
        }

      + criteria {
          + metric_measure_column   = "Events"
          + operator                = "GreaterThanOrEqual"
          + query                   = <<-EOT
                AzureDiagnostics
                | where ResourceProvider == "MICROSOFT.KEYVAULT"
                | where OperationName contains "SecretNearExpiry"
                | project
                    SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s","")
                | summarize Events=count() by SecretName

            EOT
          + resource_id_column      = "SecretName"
          + threshold               = 1
          + time_aggregation_method = "Total"

          + dimension {
              + name     = "SecretName"
              + operator = "Include"
              + values   = [
                  + "*",
                ]
            }
        }
    }

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.
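The opt-in pattern this PR describes, shown as an added illustration rather than this repository's module code: a null default on the alert input variable drives `count` to zero, so no `azurerm_monitor_scheduled_query_rules_alert_v2` resource is planned unless the consumer supplies a configuration. The variable names (`secret_expiry_alert`, `certificate_expiry_alert`), the `azurerm_key_vault.this` reference and the `optional()` attributes are assumptions; the alert attributes and KQL mirror the plan output above.

```hcl
# Added example (assumed module shape, not the project's own code).
# Variable and resource names not present in the plan above are assumptions.

variable "secret_expiry_alert" {
  description = "Secret-expiry alert settings. Leave null (the default) to create no alert."
  type = object({
    action_group_id = string
    severity        = optional(number, 2) # optional() needs Terraform >= 1.3
  })
  default = null
}

variable "certificate_expiry_alert" {
  description = "Certificate-expiry alert settings; same opt-in shape as above."
  type = object({
    action_group_id = string
    severity        = optional(number, 2)
  })
  default = null
}

locals {
  # KQL as shown in the plan output above (assumed to be what the module emits).
  secret_expired_query = <<-EOT
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.KEYVAULT"
    | where OperationName contains "SecretExpired"
    | project
        SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s","")
    | summarize Events=count() by SecretName
  EOT
}

# count is 0 while the variable is null, so `terraform plan` lists no alert
# unless the caller opted in. The `[0]` index in the plan above comes from
# exactly this pattern. azurerm_key_vault.this is an assumed resource name.
resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_secret_expired" {
  count = var.secret_expiry_alert == null ? 0 : 1

  name                 = "${azurerm_key_vault.this.name}-secret-expired"
  resource_group_name  = azurerm_key_vault.this.resource_group_name
  location             = azurerm_key_vault.this.location
  description          = "The Key Vault secret has expired."
  severity             = var.secret_expiry_alert.severity
  evaluation_frequency = "PT15M"
  window_duration      = "PT1H"
  scopes               = [azurerm_key_vault.this.id]

  criteria {
    query                   = local.secret_expired_query
    time_aggregation_method = "Total"
    metric_measure_column   = "Events"
    operator                = "GreaterThanOrEqual"
    threshold               = 1
    resource_id_column      = "SecretName"

    dimension {
      name     = "SecretName"
      operator = "Include"
      values   = ["*"]
    }
  }

  action {
    action_groups = [var.secret_expiry_alert.action_group_id]
  }
}
```

A consumer enables the alert by passing `secret_expiry_alert = { action_group_id = "<action-group-id>" }` to the module; the near-expiry and certificate rules follow the same `count` guard on their own variables. The check worth running after such a change is a plan of the module with no alert inputs set, which should list no `kv_secret_expired`, `kv_secret_near_expiry` or certificate alert resources at all, while a plan with the variable populated should show the `[0]` instances as in the sandbox output above.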


@MacMur85 MacMur85 left a comment


Approved

@nc-shahidazim nc-shahidazim added this pull request to the merge queue Feb 20, 2026
Merged via the queue into main with commit 8d93231 Feb 20, 2026
26 checks passed
@nc-shahidazim nc-shahidazim deleted the feat/DTOSS-12086-alert-secrets-expiry-v2 branch February 20, 2026 12:01