Added initial version for key vault secrets expiry alerts.

Author: nc-shahidazim

infrastructure/modules/key-vault/alerts.tf

@@ -0,0 +1,73 @@
+# Secret Nearing Expiration Alert for Key Vault
+resource "azurerm_monitor_metric_alert" "kv_secret_near_expiry" {
+  count = var.enable_alerting == true ? 1 : 0
+
+  name                = "${azurerm_key_vault.keyvault.name}-secret-near-expiry"
+  resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name
+  scopes              = [azurerm_key_vault.keyvault.id] # Point to your key vault
+  description         = "Action will be triggered when any Key Vault secret is nearing expiration."
+  window_size         = var.alert_window_size
+  frequency           = local.alert_frequency
+  severity            = 2 # Warning
+
+  criteria {
+    metric_namespace = "Microsoft.KeyVault/vaults"
+    metric_name      = "Secret Nearing Expiration"
+    aggregation      = "Total"
+    operator         = "GreaterThan"
+    threshold        = var.alert_secret_expiry_threshold
+
+    dimension {
+      name     = "SecretName"
+      operator = "Include"
+      values   = ["*"]
+    }
+  }
+
+  action {
+    action_group_id = var.action_group_id
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}
+
+# Secret Expired Alert for Key Vault
+resource "azurerm_monitor_metric_alert" "kv_secret_expired" {
+  count = var.enable_alerting == true ? 1 : 0
+
+  name                = "${azurerm_key_vault.keyvault.name}-secret-expired"
+  resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name
+  scopes              = [azurerm_key_vault.keyvault.id] # Point to your key vault
+  description         = "Action will be triggered when any Key Vault secret is nearing expiration."
+  window_size         = var.alert_window_size
+  frequency           = local.alert_frequency
+  severity            = 2 # Warning
+
+  criteria {
+    metric_namespace = "Microsoft.KeyVault/vaults"
+    metric_name      = "Secret Expired"
+    aggregation      = "Total"
+    operator         = "GreaterThan"
+    threshold        = var.alert_secret_expiry_threshold
+
+    dimension {
+      name     = "SecretName"
+      operator = "Include"
+      values   = ["*"]
+    }
+  }
+
+  action {
+    action_group_id = var.action_group_id
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}

infrastructure/modules/key-vault/variables.tf

@@ -14,6 +14,10 @@ variable "disk_encryption" {
   default     = true
 }
 
+/* --------------------------------------------------------------------------------------------------
+  Monitoring and Diagnostics Variables
+-------------------------------------------------------------------------------------------------- */
+
 variable "log_analytics_workspace_id" {
   type        = string
   description = "id of the log analytics workspace to send resource logging to via diagnostic settings"
@@ -35,6 +39,41 @@ variable "monitor_diagnostic_setting_keyvault_metrics" {
   description = "Controls what metrics will be enabled for the keyvault"
 }
 
+variable "resource_group_name_monitoring" {
+  type        = string
+  description = "The name of the resource group in which to create the Monitoring resources for the Key Vault. Changing this forces a new resource to be created."
+  default     = null
+}
+
+variable "action_group_id" {
+  type        = string
+  description = "The ID of the Action Group to use for alerts."
+  default     = null
+}
+
+variable "enable_alerting" {
+  description = "Whether monitoring and alerting is enabled for the Key Vault."
+  type        = bool
+  default     = false
+}
+
+variable "alert_window_size" {
+  type     = string
+  nullable = false
+  default  = "PT5M"
+  validation {
+    condition     = contains(["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H"], var.alert_window_size)
+    error_message = "The alert_window_size must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H"
+  }
+  description = "The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly."
+}
+
+variable "alert_secret_expiry_threshold" {
+  type        = number
+  description = "The threshold for secrets to trigger the alert."
+  default     = 10
+}
+
 variable "name" {
   description = "The name of the Key Vault."
   type        = string
@@ -107,3 +146,15 @@ variable "tags" {
   description = "Resource tags to be applied throughout the deployment."
   default     = {}
 }
+
+locals {
+  alert_frequency_map = {
+    PT5M  = "PT1M"
+    PT15M = "PT1M"
+    PT30M = "PT1M"
+    PT1H  = "PT1M"
+    PT6H  = "PT5M"
+    PT12H = "PT5M"
+  }
+  alert_frequency = local.alert_frequency_map[var.alert_window_size]
+}