Terraform Outdated Min Tls Version
Description
Detects Azure resources managed through Terraform, such as Storage Accounts (azurerm_storage_account) and API Management services declared with azapi_resource, whose minimum accepted TLS version is outdated or insecure. TLS 1.0 and 1.1 are deprecated (RFC 8996): they admit weak cipher suites and legacy handshake behaviour with known attacks, so an endpoint that still accepts them exposes its clients to protocol downgrade and man-in-the-middle attacks. The secure minimum is TLS 1.2 (value TLS1_2 in the provider).
Detection Strategy
• Look for Terraform resources that carry a minimum TLS setting: azurerm_storage_account blocks (min_tls_version attribute) and azapi_resource blocks whose body sets a minimum TLS version or enables legacy protocols
• Examine the minimum TLS version each such resource declares
• Report a vulnerability if the value is not the secure minimum (TLS1_2), i.e. it is explicitly set to TLS1_0 or TLS1_1, or it is left unset and the provider default does not guarantee TLS 1.2
• Flag configurations that allow deprecated TLS protocols (1.0/1.1) to be negotiated on API Management endpoints
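The strategy above, implemented as a small standalone scanner. This is an added example written for this page, not Fluid Attacks' own engine: it tokenises Terraform text with regular expressions rather than a full HCL parser, so it assumes well-formed HCL with no brace characters inside strings or comments. The azapi_resource handling is an assumption about how the page's elided azapi example is written: it looks for a `minimumTlsVersion` property (the Azure Storage property name) and for the API Management `customProperties` switches that re-enable TLS 1.0/1.1 or SSL 3.0 when set to "true". The sample HCL at the bottom is constructed for the demonstration.

```python
"""Scan Terraform HCL text for Azure resources that allow outdated TLS versions.

Added example (not Fluid Attacks' scanner). Assumptions: well-formed HCL with no
braces inside strings/comments; azapi_resource bodies express the minimum version
as `minimumTlsVersion` (Storage) or via API Management `customProperties` switches.
"""
import re
from dataclasses import dataclass

SECURE_MIN = "TLS1_2"
WEAK_VERSIONS = {"TLS1_0", "TLS1_1"}

# azurerm resources with a native min_tls_version attribute
TLS_ATTR_RESOURCES = {"azurerm_storage_account"}

# resource "<type>" "<name>" {
BLOCK_RE = re.compile(r'\bresource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# min_tls_version = "TLS1_x" (azurerm) or minimumTlsVersion = / "minimumTlsVersion": "TLS1_x" (azapi body)
MIN_TLS_RE = re.compile(r'(?:\bmin_tls_version|"?minimumTlsVersion"?)\s*[:=]\s*"(?P<ver>TLS1_[012])"')
# API Management gateway/backend switches that re-enable legacy protocols when "true"
APIM_LEGACY_RE = re.compile(
    r'Security\.Protocols\.(?P<proto>Tls10|Tls11|Ssl30)"\s*[:=]\s*"(?P<val>true|false)"', re.IGNORECASE
)


@dataclass
class Finding:
    resource: str  # Terraform address, e.g. azurerm_storage_account.example
    line: int      # line of the resource header in the scanned text
    reason: str


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at `open_brace` and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    return text[open_brace + 1:]  # unterminated block: scan whatever is there


def scan(hcl: str) -> list:
    """Return one Finding per resource that permits TLS below TLS1_2."""
    findings = []
    for m in BLOCK_RE.finditer(hcl):
        rtype, rname = m.group("type"), m.group("name")
        address = f"{rtype}.{rname}"
        line = hcl.count("\n", 0, m.start()) + 1
        body = _block_body(hcl, m.end() - 1)

        if rtype in TLS_ATTR_RESOURCES:
            v = MIN_TLS_RE.search(body)
            if v is None:
                # Not pinned: azurerm 2.x defaulted to TLS1_0, 3.x to TLS1_2, so the
                # effective minimum depends on which provider version is in use.
                findings.append(Finding(address, line, "min_tls_version not set (provider default applies)"))
            elif v.group("ver") in WEAK_VERSIONS:
                findings.append(Finding(address, line, f'min_tls_version = "{v.group("ver")}"'))

        elif rtype == "azapi_resource":
            v = MIN_TLS_RE.search(body)
            if v is not None and v.group("ver") in WEAK_VERSIONS:
                findings.append(Finding(address, line, f'minimumTlsVersion = "{v.group("ver")}"'))
            for p in APIM_LEGACY_RE.finditer(body):
                if p.group("val").lower() == "true":
                    findings.append(Finding(address, line, f"legacy protocol {p.group('proto')} enabled via customProperties"))
    return findings


# Constructed sample input (not a real deployment); trimmed to the attributes the check reads.
SAMPLE_HCL = r'''
resource "azurerm_storage_account" "legacy" {
  name                = "legacystorage"
  resource_group_name = "mygroup"
  min_tls_version     = "TLS1_0"
}

resource "azurerm_storage_account" "hardened" {
  name                = "hardenedstorage"
  resource_group_name = "mygroup"
  min_tls_version     = "TLS1_2"
}

resource "azurerm_storage_account" "implicit" {
  name                = "implicitstorage"
  resource_group_name = "mygroup"
}

resource "azapi_resource" "apim" {
  type      = "Microsoft.ApiManagement/service@2022-08-01"
  name      = "legacy-apim"
  parent_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup"
  body = jsonencode({
    properties = {
      customProperties = {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10" = "true"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11" = "false"
      }
    }
  })
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_HCL):
        print(f"{f.resource} (line {f.line}): {f.reason}")
```

On the sample the scanner reports the TLS1_0 storage account, the account with no explicit min_tls_version, and the API Management instance that turns TLS 1.0 back on; the TLS1_2 account and the Tls11 = "false" switch produce nothing. Treat the "not set" finding as a policy choice: it is only a true weakness under azurerm 2.x, but pinning TLS1_2 explicitly removes the dependency on the provider default.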
Vulnerable code example
resource "azurerm_storage_account" "example" {
  name                     = "storageaccount"
  resource_group_name      = "mygroup"
  location                 = "eastus"
  account_tier             = "Standard" # Required by the provider; unrelated to the finding
  account_replication_type = "LRS"      # Required by the provider; unrelated to the finding
  min_tls_version          = "TLS1_0"   # Vulnerable: clients may negotiate TLS 1.0 or 1.1
}
resource "azapi_resource" "api" {...
✅ Secure code example
resource "azurerm_storage_account" "example" {
  name                     = "storageaccount"
  resource_group_name      = "mygroup"
  location                 = "eastus"
  account_tier             = "Standard" # Required by the provider; unrelated to the finding
  account_replication_type = "LRS"      # Required by the provider; unrelated to the finding
  min_tls_version          = "TLS1_2"   # Secure: TLS 1.0 and 1.1 handshakes are rejected
}
resource "azapi_resource" "api" {...