Terraform Client Certificate Disabled
Description
Detects when Azure resources are configured without client certificate authentication enabled in Terraform configurations. Missing client certificate authentication can allow unauthorized access to Azure resources since an important authentication mechanism is disabled.
Detection Strategy
• Inspect Terraform resource blocks that configure Azure services
• Check if client_certificate_enabled or similar certificate authentication settings are present and enabled
• Report a vulnerability if the certificate authentication settings are disabled or missing
• Only examine Azure-specific resource types that support client certificate authentication
Vulnerable code example
# Vulnerable: client_certificate_enabled not set (defaults to false)
resource "azurerm_linux_web_app" "vulnerable" {
  name                = "example-app-service"
  service_plan_id     = "plan_id"
  location            = "eastus"
  resource_group_name = "example-rg"
  https_only          = true
  # ...
}

✅ Secure code example
resource "azurerm_linux_web_app" "secure" {
  name                       = "example-app-service"
  service_plan_id            = "plan_id"
  location                   = "eastus"
  resource_group_name        = "example-rg"
  https_only                 = true
  client_certificate_enabled = true # Enable client certificate authentication for secure access
  # ...
}
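The detection strategy above, as an added example that is not Fluid Attacks' own rule implementation: a small Python checker that scans Terraform text for certificate-capable azurerm resource types (the set of types is an assumption; extend it as needed), strips line comments so a commented-out setting does not count, and reports every block where client_certificate_enabled is missing or false. The sample HCL is constructed.

```python
import re

# Assumption: these azurerm types expose client_certificate_enabled
# (web apps and function apps); extend the set for other Azure services.
CERT_CAPABLE_TYPES = {"azurerm_linux_web_app", "azurerm_windows_web_app",
                      "azurerm_linux_function_app", "azurerm_windows_function_app"}
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
SETTING_RE = re.compile(r'\bclient_certificate_enabled\s*=\s*(true|false)\b')

def block_body(text, start):
    # Text inside the brace at `start` up to its matching close (handles nested blocks like site_config {}).
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]  # unterminated block: scan what is there

def find_disabled_client_certs(hcl):
    # Return (type, name, reason) for each certificate-capable Azure resource with the setting missing or false.
    clean = re.sub(r"(#|//).*", "", hcl)  # drop line comments (naive: also strips '#' inside strings)
    findings = []
    for m in RESOURCE_RE.finditer(clean):
        rtype, rname = m.group(1), m.group(2)
        if rtype not in CERT_CAPABLE_TYPES:
            continue  # only Azure types that support the setting are examined
        setting = SETTING_RE.search(block_body(clean, m.end() - 1))
        if setting is None:
            findings.append((rtype, rname, "client_certificate_enabled not set (defaults to false)"))
        elif setting.group(1) == "false":
            findings.append((rtype, rname, "client_certificate_enabled = false"))
    return findings

# Constructed sample: one missing setting, one explicitly false, one secure.
SAMPLE_HCL = '''resource "azurerm_linux_web_app" "missing" {
  name = "app-a"
  site_config {}
}
resource "azurerm_windows_web_app" "explicit_off" {
  client_certificate_enabled = false
}
resource "azurerm_linux_web_app" "secure" {
  client_certificate_enabled = true  # enabled
}
'''
```

Calling find_disabled_client_certs(SAMPLE_HCL) reports the "missing" and "explicit_off" resources and leaves "secure" alone.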