Renew Service Principal Secret or Certificate

Go to Automation: (Add Job Template URL here)

Description

Renews an existing credential (secret or certificate) for an Entra ID Application / Service Principal. The playbook:

  1. Validates that at least one of AppID or AppDisplayName is provided.
  2. Retrieves operating credentials from PasswordState (environment-aware).
  3. For secrets: validates that a PasswordState entry exists, generates a new secret, updates PasswordState, and records outcome notes (Ivanti integration logic partly truncated).
  4. For certificates: loads existing certificate metadata, optionally renews via d09.certificates.pki_certificate, updates the App Registration with the new certificate (PowerShell logic truncated), and captures results.
  5. Adds success/failure notes to an Ivanti task when a task is provided.

Credentials

  • Production: Sys_Azure_AppRegs_PR
  • Onderwijs: Sys_Azure_OND_Admin

Inputs

  Variable        Description
  AppDisplayName  Friendly name of the App Registration (used if AppID is absent).
  AppID           Explicit AppId.
  SecretType      Secret or Certificaat (compared case-sensitively).
  SecretID        (Optional) Specific secret key ID (not required for the creation path; may be used in certificate flows).
  task            Ivanti Task number for status updates.
  onderwijs       'yes' to switch tenant/subscription.

Outputs

  Output                  Description
  secret_renewal          Parsed object from the renewal script (success, error, taskNote, etc.).
  secret_renewal_success  Boolean summarizing the final success state.
  pws_password_update     Result of the PasswordState update (secret renewal).
  cert_renew              Certificate renewal script output (when Certificaat).

Workflow Differences

Secret Renewal:

  • Ensures the PasswordState entry exists; aborts with a note if missing.
  • Runs PowerShell (script content truncated; expected to create a new client secret and gather metadata).
  • Updates the PasswordState record and logs Ivanti notes.

Certificate Renewal:

  • Gathers existing certificate details from PasswordState (list 6691).
  • Uses the PKI role to issue/renew the certificate.
  • Invokes a large PowerShell script to attach the certificate to the App Registration.

Dependencies / Modules

  Component                                        Purpose
  d09.passwordstate.passwordstate_password_fact    Retrieve application and PKI credentials.
  d09.passwordstate.passwordstate_password         Update PasswordState entries.
  d09.certificates.pki_certificate                 Certificate issuance / renewal.
  ansible.windows.win_powershell                   Renewal logic via Graph (script truncated).
  d09.ivanti_itsm.add_note                         Post status notes to Ivanti tasks.
  d09.ivanti_itsm.close_task                       Close the task on success.

Example (Secret Renewal)

AppDisplayName: Sys_Azure_MyBusinessAPI_PR
SecretType: Secret
task: TSK123456
onderwijs: 'no'

Example (Certificate Renewal)

AppDisplayName: Sys_Azure_MyBusinessAPI_PR
SecretType: Certificaat
task: TSK123457
onderwijs: 'no'

Notes

  • The play uses two different flows distinguished strictly by SecretType equality checks: Secret vs Certificaat (capitalization matters per the original YAML). Ensure consistent input.
  • Ivanti note creation uses the condition when: secret_renewal_success == false for both the success and failure blocks in the source; this appears to be a logic bug, so the success note condition should be changed to secret_renewal_success == true.
  • Harden the play by normalizing SecretType with | lower in the conditionals to reduce user error.
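As an added illustration (not the playbook's own tasks), the following Ansible task fragment shows the two fixes suggested in the notes: a normalized SecretType comparison with an early input check, and Ivanti note conditions keyed on the actual success state. The parameters of d09.ivanti_itsm.add_note are not shown on this page, so ansible.builtin.debug stands in for the note calls, and the included task file names are assumptions.

```yaml
# Added example: hardened branching and note conditions for the renewal play.
# Runs with any inventory; only builtin modules are used.
- name: Normalize SecretType once so later comparisons are case-insensitive
  ansible.builtin.set_fact:
    secret_type_norm: "{{ SecretType | default('') | lower | trim }}"

- name: Reject unexpected SecretType values before touching any credential
  ansible.builtin.assert:
    that:
      - secret_type_norm in ['secret', 'certificaat']
    fail_msg: "SecretType must be 'Secret' or 'Certificaat' (got '{{ SecretType | default('') }}')"

- name: Require AppID or AppDisplayName (the play's first validation step)
  ansible.builtin.assert:
    that:
      - (AppID | default('') | length > 0) or (AppDisplayName | default('') | length > 0)
    fail_msg: "Provide AppID or AppDisplayName"

- name: Secret renewal flow
  ansible.builtin.include_tasks: renew_secret.yml        # assumed file name
  when: secret_type_norm == 'secret'

- name: Certificate renewal flow
  ansible.builtin.include_tasks: renew_certificate.yml   # assumed file name
  when: secret_type_norm == 'certificaat'

# Both note tasks only run when an Ivanti task number was supplied.
# The success note keys on success; the failure note on its negation,
# so the two can never both fire for one run.
- name: Ivanti note on success (stand-in for d09.ivanti_itsm.add_note)
  ansible.builtin.debug:
    msg: "Task {{ task }}: credential renewed ({{ secret_renewal.taskNote | default('') }})"
  when:
    - task | default('') | length > 0
    - secret_renewal_success | default(false) | bool

- name: Ivanti note on failure (stand-in for d09.ivanti_itsm.add_note)
  ansible.builtin.debug:
    msg: "Task {{ task }}: renewal failed ({{ secret_renewal.error | default('unknown') }})"
  when:
    - task | default('') | length > 0
    - not (secret_renewal_success | default(false) | bool)
```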