bcgov
diff --git a/‎.github/skills/api-management/SKILL.md‎
Lines changed: 1 addition & 1 deletion b/‎.github/skills/api-management/SKILL.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/skills/api-management/SKILLS.md‎
Lines changed: 1 addition & 1 deletion b/‎.github/skills/api-management/SKILLS.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/_pages/apim-internal-endpoints.html‎
Lines changed: 6 additions & 6 deletions b/‎docs/_pages/apim-internal-endpoints.html‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎infra-ai-hub/modules/key-rotation-function/main.tf‎
Lines changed: 1 addition & 1 deletion b/‎infra-ai-hub/modules/key-rotation-function/main.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infra-ai-hub/params/apim/api_policy.xml.tftpl‎
Lines changed: 18 additions & 11 deletions b/‎infra-ai-hub/params/apim/api_policy.xml.tftpl‎
Lines changed: 18 additions & 11 deletions
diff --git a/‎infra-ai-hub/params/test/shared.tfvars‎
Lines changed: 1 addition & 1 deletion b/‎infra-ai-hub/params/test/shared.tfvars‎
Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ All routes live inside a single `<choose>` block in the inbound section. Routes
 
 | Route | Path condition | Feature flag |
 |---|---|---|
-| Key rotation internal endpoint | path ends with `internal/apim-keys` | `key_rotation_enabled` |
+| APIM keys internal endpoint | path ends with `internal/apim-keys` | `apim_keys_endpoint_enabled` |
 | Tenant info internal endpoint | path ends with `internal/tenant-info` | `tenant_info_enabled` (always `true`) |
 | Document Intelligence | path contains `documentintelligence`, `formrecognizer`, or `documentmodels` | `document_intelligence_enabled` |
 | OpenAI | path contains `openai` | `openai_enabled` (auto-set when `model_deployments` is non-empty) |
 
@@ -77,7 +77,7 @@ All routes live inside a single `<choose>` block in the inbound section. Routes
 
 | Route | Path condition | Feature flag |
 |---|---|---|
-| Key rotation internal endpoint | path ends with `internal/apim-keys` | `key_rotation_enabled` |
+| APIM keys internal endpoint | path ends with `internal/apim-keys` | `apim_keys_endpoint_enabled` |
 | Tenant info internal endpoint | path ends with `internal/tenant-info` | `tenant_info_enabled` (always `true`) |
 | Document Intelligence | path contains `documentintelligence`, `formrecognizer`, or `documentmodels` | `document_intelligence_enabled` |
 | OpenAI | path contains `openai` | `openai_enabled` (auto-set when `model_deployments` is non-empty) |
 
@@ -19,7 +19,7 @@ <h1>APIM Internal Endpoints</h1>
     <div class="card">
         <h3 style="margin-top:0;"><code>/internal/apim-keys</code></h3>
         <p>Returns both subscription keys and rotation metadata sourced from the centralized hub Key Vault at request time.</p>
-        <p><strong>Requires:</strong> key rotation enabled (<code>rotation_enabled = true</code> in <code>shared.tfvars</code>).</p>
+        <p><strong>Requires:</strong> APIM enabled with subscription-key auth. Available for <strong>all</strong> tenants (not gated on per-tenant key rotation).</p>
         <a href="#apim-keys">View reference &darr;</a>
     </div>
     <div class="card">
@@ -51,8 +51,8 @@ <h3>Authentication</h3>
     <h3>How It Works</h3>
     <ol>
         <li>APIM validates the incoming subscription key (standard APIM behavior).</li>
-        <li>APIM policy uses its <strong>system-assigned managed identity</strong> to read three secrets from the centralized hub Key Vault: <code>{tenant}-apim-primary-key</code>, <code>{tenant}-apim-secondary-key</code>, and <code>{tenant}-apim-rotation-metadata</code>.</li>
-        <li>Secrets are assembled into a JSON response and returned directly &mdash; no backend service is called.</li>
+        <li>APIM policy uses its <strong>system-assigned managed identity</strong> to read secrets from the centralized hub Key Vault: <code>{tenant}-apim-primary-key</code> and <code>{tenant}-apim-secondary-key</code> (always), plus <code>{tenant}-apim-rotation-metadata</code> (only for tenants with <code>key_rotation_enabled = true</code>).</li>
+        <li>Secrets are assembled into a JSON response and returned directly &mdash; no backend service is called. Tenants without rotation enabled receive a default <code>rotation</code> object indicating rotation is not active.</li>
     </ol>
 </div>
 
@@ -104,7 +104,7 @@ <h3>Error Responses</h3>
         </thead>
         <tbody>
             <tr><td><code>401</code></td><td>Missing or invalid subscription key.</td><td>Standard APIM 401</td></tr>
-            <tr><td><code>404</code></td><td>Key rotation is disabled for this environment (<code>rotation_enabled = false</code>); route not present in policy.</td><td><code>NotFound</code></td></tr>
+            <tr><td><code>404</code></td><td>Tenant does not use subscription-key auth mode; endpoint not present in policy.</td><td><code>NotFound</code></td></tr>
             <tr><td><code>405</code></td><td>Non-GET method used.</td><td><code>MethodNotAllowed</code></td></tr>
             <tr><td><code>502</code></td><td>APIM managed identity could not read one or more secrets from the hub Key Vault.</td><td><code>KeyVaultReadFailed</code></td></tr>
         </tbody>
@@ -113,8 +113,8 @@ <h3>Error Responses</h3>
 
 <div class="card">
     <h3>Infrastructure</h3>
-    <p>Implemented purely in APIM policy. APIM's system-assigned managed identity holds a single <code>Key Vault Secrets User</code> RBAC assignment on the centralized hub Key Vault &mdash; one assignment scales to all tenants. Enabled only when <code>shared.tfvars</code> has <code>key_rotation.rotation_enabled = true</code>.</p>
-    <p>Source: <code>infra-ai-hub/params/apim/api_policy.xml.tftpl</code> (<code>key_rotation_enabled</code> block).</p>
+    <p>Implemented purely in APIM policy. APIM's system-assigned managed identity holds a single <code>Key Vault Secrets User</code> RBAC assignment on the centralized hub Key Vault &mdash; one assignment scales to all tenants. Available for all subscription-key tenants when APIM is enabled. Rotation metadata is included only for tenants with <code>key_rotation_enabled = true</code>; other tenants receive a default rotation object indicating rotation is not active.</p>
+    <p>Source: <code>infra-ai-hub/params/apim/api_policy.xml.tftpl</code> (<code>apim_keys_endpoint_enabled</code> block).</p>
 </div>
 
 <!-- ============================================================ -->
 
@@ -30,7 +30,7 @@ resource "terraform_data" "image_refresh" {
 # Container App Job (cron-triggered)
 # ---------------------------------------------------------------------------
 resource "azurerm_container_app_job" "rotation" {
-  name                         = "${var.name_prefix}-rotation-job"
+  name                         = "${var.name_prefix}rotnjob"
   resource_group_name          = var.resource_group_name
   location                     = var.location
   container_app_environment_id = var.container_app_environment_id
 
@@ -78,9 +78,10 @@
 
         <!-- Path-based routing to appropriate backend service -->
         <choose>
-%{ if key_rotation_enabled ~}
+%{ if apim_keys_endpoint_enabled ~}
             <!-- Internal endpoint: fetch APIM subscription keys from Key Vault -->
             <!-- Returns both primary and secondary keys + rotation metadata as JSON -->
+            <!-- Available for ALL subscription-key tenants (keys stored in KV for all) -->
             <when condition="@(context.Request.Url.Path.ToLower().EndsWith(&quot;internal/apim-keys&quot;))">
                 <!-- Only allow GET -->
                 <choose>
@@ -112,20 +113,21 @@
                         <value>@("Bearer " + (string)context.Variables["kv-token"])</value>
                     </set-header>
                 </send-request>
-                <!-- Fetch rotation metadata from hub Key Vault -->
+%{ if key_rotation_enabled ~}
+                <!-- Fetch rotation metadata from hub Key Vault (only for rotation-opted tenants) -->
                 <send-request mode="new" response-variable-name="kvMetadataResp" timeout="10" ignore-error="true">
                     <set-url>@($"${keyvault_uri}secrets/${tenant_name}-apim-rotation-metadata?api-version=7.4")</set-url>
                     <set-method>GET</set-method>
                     <set-header name="Authorization" exists-action="override">
                         <value>@("Bearer " + (string)context.Variables["kv-token"])</value>
                     </set-header>
                 </send-request>
-                <!-- Return explicit error if any Key Vault call failed -->
+%{ endif ~}
+                <!-- Return explicit error if primary or secondary Key Vault reads failed -->
                 <choose>
                     <when condition="@(
                         ((IResponse)context.Variables[&quot;kvPrimaryResp&quot;]) == null || ((IResponse)context.Variables[&quot;kvPrimaryResp&quot;]).StatusCode &gt;= 400 ||
-                        ((IResponse)context.Variables[&quot;kvSecondaryResp&quot;]) == null || ((IResponse)context.Variables[&quot;kvSecondaryResp&quot;]).StatusCode &gt;= 400 ||
-                        ((IResponse)context.Variables[&quot;kvMetadataResp&quot;]) == null || ((IResponse)context.Variables[&quot;kvMetadataResp&quot;]).StatusCode &gt;= 400
+                        ((IResponse)context.Variables[&quot;kvSecondaryResp&quot;]) == null || ((IResponse)context.Variables[&quot;kvSecondaryResp&quot;]).StatusCode &gt;= 400
                     )">
                         <return-response>
                             <set-status code="502" reason="Bad Gateway" />
@@ -135,16 +137,14 @@
                             <set-body>@{
                                 var primaryResp = ((IResponse)context.Variables["kvPrimaryResp"]);
                                 var secondaryResp = ((IResponse)context.Variables["kvSecondaryResp"]);
-                                var metadataResp = ((IResponse)context.Variables["kvMetadataResp"]);
 
                                 var result = new JObject(
                                     new JProperty("error", new JObject(
                                         new JProperty("code", "KeyVaultReadFailed"),
-                                        new JProperty("message", "Failed to read one or more APIM key secrets from Key Vault."),
+                                        new JProperty("message", "Failed to read APIM key secrets from Key Vault."),
                                         new JProperty("details", new JObject(
                                             new JProperty("primary_status", primaryResp == null ? 0 : primaryResp.StatusCode),
-                                            new JProperty("secondary_status", secondaryResp == null ? 0 : secondaryResp.StatusCode),
-                                            new JProperty("metadata_status", metadataResp == null ? 0 : metadataResp.StatusCode)
+                                            new JProperty("secondary_status", secondaryResp == null ? 0 : secondaryResp.StatusCode)
                                         ))
                                     ))
                                 );
@@ -162,15 +162,22 @@
                     <set-body>@{
                         var primaryBody = ((IResponse)context.Variables["kvPrimaryResp"])?.Body?.As<JObject>(preserveContent: true);
                         var secondaryBody = ((IResponse)context.Variables["kvSecondaryResp"])?.Body?.As<JObject>(preserveContent: true);
-                        var metadataBody = ((IResponse)context.Variables["kvMetadataResp"])?.Body?.As<JObject>(preserveContent: true);
 
                         var primaryKey = primaryBody?["value"]?.ToString() ?? "";
                         var secondaryKey = secondaryBody?["value"]?.ToString() ?? "";
-                        var metadataRaw = metadataBody?["value"]?.ToString() ?? "{}";
 
+%{ if key_rotation_enabled ~}
+                        var metadataBody = ((IResponse)context.Variables["kvMetadataResp"])?.Body?.As<JObject>(preserveContent: true);
+                        var metadataRaw = metadataBody?["value"]?.ToString() ?? "{}";
                         JObject metadata;
                         try { metadata = JObject.Parse(metadataRaw); }
                         catch { metadata = new JObject(); }
+%{ else ~}
+                        var metadata = new JObject(
+                            new JProperty("key_rotation_enabled", false),
+                            new JProperty("message", "Automatic key rotation is not enabled for this tenant")
+                        );
+%{ endif ~}
 
                         var result = new JObject(
                             new JProperty("tenant", "${tenant_name}"),
 
@@ -66,7 +66,7 @@ shared_config = {
     # Subscription key rotation (runs as Container App Job — see stacks/key-rotation)
     key_rotation = {
       rotation_enabled       = true # Global toggle on; per-tenant opt-in via key_rotation_enabled
-      rotation_interval_days = 60   # Must be less than 90 days (APIM max key lifetime)
+      rotation_interval_days = 2    # Must be less than 90 days (APIM max key lifetime)
     }
   }
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ shared_config = {`
`66`	`66`	`# Subscription key rotation (runs as Container App Job — see stacks/key-rotation)`
`67`	`67`	`key_rotation = {`
`68`	`68`	`rotation_enabled = true # Global toggle on; per-tenant opt-in via key_rotation_enabled`
`69`		`- rotation_interval_days = 60 # Must be less than 90 days (APIM max key lifetime)`
	`69`	`+ rotation_interval_days = 2 # Must be less than 90 days (APIM max key lifetime)`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`