Terraform Failed Request Tracing Disabled
Description
Detects Azure App Service configurations where request tracing logging is disabled or not properly configured. Missing or disabled logging can hinder security incident investigations and compliance requirements by preventing the capture of important application diagnostic data.
Detection Strategy
• Identifies Azure App Service resources (including Windows and Linux web apps) in Terraform configurations
• Checks if request tracing logging settings are explicitly disabled or missing required configurations
• Reports a security issue when logging features are not properly enabled for the App Service resource
• Validates logging configuration across azurerm_app_service, azurerm_windows_web_app, and azurerm_linux_web_app resource types
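The detection strategy above, implemented as a small stand-alone scanner. This is an added example, not Fluid Attacks' own rule code: it walks Terraform HCL text with a brace-matching block extractor, picks out the three App Service resource types, and reports a finding when the `logs` block is absent, when the tracing attribute is missing from it, or when the attribute is explicitly `false`. The attribute-name mapping (the legacy `azurerm_app_service` uses `failed_request_tracing_enabled`, the newer web app resources use `failed_request_tracing`) is taken from the azurerm provider schema and is an assumption of this example, as is the constructed sample configuration at the bottom.

```python
import re

# Resource types covered by the rule, mapped to the attribute name each
# provider schema uses inside its `logs` block. Assumption of this example,
# based on the azurerm provider docs: the legacy resource carries the
# `_enabled` suffix, the newer web app resources do not.
TRACING_ATTR = {
    "azurerm_app_service": "failed_request_tracing_enabled",
    "azurerm_windows_web_app": "failed_request_tracing",
    "azurerm_linux_web_app": "failed_request_tracing",
}

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def extract_block(text, open_brace):
    """Return the text between the `{` at open_brace and its matching `}`."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def find_logs_block(body):
    """Locate a top-level `logs { ... }` block; `\\b` keeps `http_logs` from matching."""
    m = re.search(r"\blogs\s*\{", body)
    if m is None:
        return None
    return extract_block(body, m.end() - 1)


def check_failed_request_tracing(hcl_text):
    """Return a list of (resource_address, reason) findings for the rule."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl_text):
        rtype, rname = m.group(1), m.group(2)
        if rtype not in TRACING_ATTR:
            continue  # not an App Service resource, out of scope
        address = f"{rtype}.{rname}"
        attr = TRACING_ATTR[rtype]
        body = extract_block(hcl_text, m.end() - 1)
        logs = find_logs_block(body)
        if logs is None:
            findings.append((address, "logs block missing: failed request tracing not configured"))
            continue
        am = re.search(rf"\b{attr}\s*=\s*(true|false)\b", logs)
        if am is None:
            findings.append((address, f"{attr} missing from logs block"))
        elif am.group(1) == "false":
            findings.append((address, f"{attr} = false"))
    return findings


# Constructed sample configuration (not a real deployment): one explicitly
# disabled resource, one with no logs block, one compliant legacy resource,
# and one unrelated resource that must be ignored.
SAMPLE_HCL = """
resource "azurerm_linux_web_app" "bad" {
  name = "my-webapp"
  logs {
    http_logs {
      file_system {
        retention_in_days = 7
        retention_in_mb   = 35
      }
    }
    failed_request_tracing = false
  }
}

resource "azurerm_windows_web_app" "nologs" {
  name = "other"
  site_config {}
}

resource "azurerm_app_service" "good" {
  name = "legacy"
  logs {
    failed_request_tracing_enabled = true
  }
}

resource "azurerm_storage_account" "ignored" {
  name = "sa"
}
"""

if __name__ == "__main__":
    for address, reason in check_failed_request_tracing(SAMPLE_HCL):
        print(f"{address}: {reason}")
```

Running the block prints two findings, one for each of the first two resources; the compliant legacy resource and the storage account produce nothing. A production scanner would parse HCL properly (module calls, variables, `dynamic` blocks) rather than pattern-match the raw text, but the brace-matching walk is enough to show what the rule is looking for.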
Vulnerable code example

```hcl
resource "azurerm_linux_web_app" "example" {
  name                = "my-webapp"
  resource_group_name = "my-rg"
  location            = "westus"
  service_plan_id     = "plan-id"

  logs {
    # Security: disabling failed request tracing reduces the ability to detect
    # and investigate security incidents, since diagnostics for failed requests
    # are never captured. (azurerm_linux_web_app / azurerm_windows_web_app use
    # `failed_request_tracing`; the legacy azurerm_app_service resource uses
    # `failed_request_tracing_enabled`.)
    failed_request_tracing = false
  }
}
```
✅ Secure code example

```hcl
resource "azurerm_linux_web_app" "example" {
  name                = "my-webapp"
  resource_group_name = "my-rg"
  location            = "westus"
  service_plan_id     = "plan-id"
  https_only          = true # Security: enforce HTTPS-only access to prevent insecure communications

  logs {
    # Security: keep failed request tracing on so diagnostic data for failed
    # requests is retained for incident investigation and compliance evidence
    failed_request_tracing = true
  }
}
```