feat: added secret expiry alerts and switch action group email to pipeline variables

nc-shahidazim · nc-shahidazim · commit c8743c0f5be9 · 2026-01-29T09:14:57.000Z
diff --git a/infrastructure/tf-core/key_vault.tf b/infrastructure/tf-core/key_vault.tf
@@ -7,6 +7,10 @@ module "key_vault" {
   resource_group_name = azurerm_resource_group.core[each.key].name
   location            = each.key
 
+  enable_alerting                                  = var.features.alerts_enabled
+  action_group_id                                  = var.features.alerts_enabled ? module.monitor_action_group_performance[0].monitor_action_group.id : null
+  secret_near_expiry_alert                         = var.key_vault.secret_near_expiry_alert
+  secret_expired_alert                             = var.key_vault.secret_expired_alert
   log_analytics_workspace_id                       = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
   monitor_diagnostic_setting_keyvault_enabled_logs = local.monitor_diagnostic_setting_keyvault_enabled_logs
   monitor_diagnostic_setting_keyvault_metrics      = local.monitor_diagnostic_setting_keyvault_metrics
diff --git a/infrastructure/tf-core/monitor_action_group.tf b/infrastructure/tf-core/monitor_action_group.tf
@@ -18,11 +18,7 @@ module "monitor_action_group_performance" {
   email_receiver = {
     email = {
       name          = "email"
-      email_address = data.azurerm_key_vault_secret.monitoring_email_address[local.primary_region].value
+      email_address = var.MONITORING_EMAIL_ADDRESS
     }
   }
-
-  depends_on = [
-    module.key_vault
-  ]
 }
diff --git a/infrastructure/tf-core/variables.tf b/infrastructure/tf-core/variables.tf
@@ -48,6 +48,11 @@ variable "HUB_SUBSCRIPTION_ID" {
   type        = string
 }
 
+variable "MONITORING_EMAIL_ADDRESS" {
+  description = "The email address for monitoring alerts"
+  type        = string
+}
+
 variable "TARGET_SUBSCRIPTION_ID" {
   description = "ID of a subscription to deploy infrastructure"
   type        = string
@@ -359,6 +364,18 @@ variable "key_vault" {
     soft_del_ret_days = optional(number, 7)
     purge_prot        = optional(bool, false)
     sku_name          = optional(string, "standard")
+
+    secret_near_expiry_alert = optional(object({
+      evaluation_frequency = optional(string, "P1D") # every 24 hours
+      window_duration      = optional(string, "P1D") # last 24 hours
+      threshold            = optional(number, 1)
+    }), {})
+
+    secret_expired_alert = optional(object({
+      evaluation_frequency = optional(string, "PT15M") # every 15 mins
+      window_duration      = optional(string, "PT1H") # last 1 hour
+      threshold            = optional(number, 1)
+    }), {})
   })
 }
 

Original file line number	Diff line number	Diff line change
`@@ -18,11 +18,7 @@ module "monitor_action_group_performance" {`
`18`	`18`	`email_receiver = {`
`19`	`19`	`email = {`
`20`	`20`	`name = "email"`
`21`		`- email_address = data.azurerm_key_vault_secret.monitoring_email_address[local.primary_region].value`
	`21`	`+ email_address = var.MONITORING_EMAIL_ADDRESS`
`22`	`22`	`}`
`23`	`23`	`}`
`24`		`-`
`25`		`- depends_on = [`
`26`		`- module.key_vault`
`27`		`- ]`
`28`	`24`	`}`