Update Vault Azure Secrets docs for permanent deletion feature (#17045)

* Update Vault Azure Secrets docs for permanent deletion feature * Add changelog for vault azure doc update * Update CL based on PR feedback Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 19:25:19 -04:00 · 2022-09-13 19:25:19 -04:00 · bb0f93044f
parent 3163309130
commit bb0f93044f
3 changed files with 24 additions and 0 deletions
--- a/changelog/17045.txt
+++ b/changelog/17045.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/azure: Adds option to permanently delete AzureAD objects created by Vault.
+```
--- a/website/content/api-docs/secret/azure.mdx
+++ b/website/content/api-docs/secret/azure.mdx
@ -241,6 +241,8 @@ information about roles.
  Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
 - `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
+  created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.

 ### Sample Payload

--- a/website/content/docs/secrets/azure.mdx
+++ b/website/content/docs/secrets/azure.mdx
@ -183,6 +183,25 @@ $ cat az_groups.json
 ]
 ```

+### Permanently Delete Azure Objects
+If dynamic service principals are used, the option to permanently delete the applications and service principals created by Vault may be configured on the Vault role.
+When this option is enabled and a lease is expired or revoked, the application and service principal associated with the lease will be [permanently deleted](https://docs.microsoft.com/en-us/graph/api/directory-deleteditems-delete) from the Azure Active Directory.
+As a result, these objects will not count toward the [quota](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#active-directory-limits) of total resources in an Azure tenant. When this option is not enabled
+and a lease is expired or revoked, the application and service principal associated with the lease will be deleted, but not permanently. These objects will be available to restore for 30 days from deletion. 
+
+Example of role configuration:
+
+```shell-session
+$ vault write azure/roles/my-role permanently_delete=true ttl=1h azure_roles=-<<EOF
+    [
+        {
+            "role_name": "Contributor",
+            "scope":  "/subscriptions/<uuid>/resourceGroups/Website"
+        }
+    ]
+EOF
+```
+
 ## Authentication

 The Azure secrets backend must have sufficient permissions to read Azure role information and manage