Terraform Insecure TLS Version PostgreSQL
Description
Detects Azure PostgreSQL servers (azurerm_postgresql_server) whose Terraform configuration enforces an insecure minimum TLS version. Allowing TLS 1.0 or 1.1, or disabling TLS version enforcement altogether, leaves client connections exposed to protocol downgrade and man-in-the-middle attacks and to the known weaknesses of those protocol versions; TLS 1.2 or higher should be the enforced minimum.
Detection Strategy
• Identifies Azure PostgreSQL server resources (azurerm_postgresql_server) in the Terraform configuration
• Checks whether the 'ssl_minimal_tls_version_enforced' attribute is set to 'TLSEnforcementDisabled', 'TLS1_0' or 'TLS1_1'
• Reports a vulnerability when the server disables TLS version enforcement or allows TLS 1.0/1.1 instead of the recommended minimum of TLS 1.2
• Caveat: the minimum version only governs TLS connections. If 'ssl_enforcement_enabled' is false the server also accepts unencrypted connections, and if 'ssl_minimal_tls_version_enforced' is omitted the effective value is whatever the azurerm provider defaults to, so pin it explicitly rather than relying on the default.
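The following Python scanner is an added example that implements the detection strategy above; it is not Fluid Attacks' own scanner nor code from the original page. It uses a deliberately minimal line-oriented reader of HCL (resource headers, top-level `key = value` attributes, brace depth) rather than a full parser, and beyond the page's rule it also flags `ssl_enforcement_enabled = false`, an omitted TLS attribute (the fallback to the provider default noted in the comment is an assumption about azurerm 2.x versus 3.x), and non-literal values such as `var.x` that a static scan cannot resolve. The sample configuration is constructed for the example.

```python
import re
from dataclasses import dataclass, field

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')  # resource "type" "name" {
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')               # key = value
TARGET_TYPES = {"azurerm_postgresql_server"}
INSECURE_TLS = {"TLSEnforcementDisabled", "TLS1_0", "TLS1_1"}

@dataclass
class Finding:
    address: str  # e.g. azurerm_postgresql_server.example
    line: int
    message: str

@dataclass
class _Block:
    address: str
    line: int
    attrs: dict = field(default_factory=dict)  # key -> (raw value, line number)

def _literal(raw):
    """String or bool literal, else None (var.x, locals, calls are unresolvable statically)."""
    m = re.match(r'^"([^"]*)"', raw)
    if m:
        return m.group(1)
    token = raw.split()[0] if raw.split() else ""
    return token if token in ("true", "false") else None

def _evaluate(block):
    findings = []
    enforce = block.attrs.get("ssl_enforcement_enabled")
    if enforce and _literal(enforce[0]) == "false":
        findings.append(Finding(block.address, enforce[1],
            "ssl_enforcement_enabled = false: plaintext connections accepted, TLS minimum never enforced"))
    tls = block.attrs.get("ssl_minimal_tls_version_enforced")
    if tls is None:
        # Assumed provider defaults: TLSEnforcementDisabled in azurerm 2.x, TLS1_2 from 3.0
        findings.append(Finding(block.address, block.line,
            "ssl_minimal_tls_version_enforced not set: value falls back to the provider default; pin TLS1_2"))
        return findings
    value = _literal(tls[0])
    if value is None:
        findings.append(Finding(block.address, tls[1],
            f"ssl_minimal_tls_version_enforced = {tls[0]} is not a literal; verify it in the plan"))
    elif value in INSECURE_TLS:
        findings.append(Finding(block.address, tls[1],
            f'ssl_minimal_tls_version_enforced = "{value}" permits TLS < 1.2 or disables enforcement'))
    return findings

def scan_hcl(text):
    """Return a Finding for every weak or unverifiable TLS setting on target resources."""
    findings, block, depth = [], None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith(("#", "//")):
            continue
        if block is None:
            m = RESOURCE_RE.match(line)
            if m and m.group(1) in TARGET_TYPES:
                block, depth = _Block(f"{m.group(1)}.{m.group(2)}", lineno), 1
            continue
        if depth == 1:  # only top-level attributes of the resource block count
            m = ATTR_RE.match(line)
            if m:
                block.attrs[m.group(1)] = (m.group(2), lineno)
        depth += line.count("{") - line.count("}")  # assumes no braces inside string literals
        if depth == 0:
            findings.extend(_evaluate(block))
            block = None
    return findings

# Constructed sample configuration (not taken from the original page)
SAMPLE_CONFIG = '''
resource "azurerm_postgresql_server" "legacy" {
  name                             = "psql-legacy"
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_1"
}

resource "azurerm_postgresql_server" "unenforced" {
  name                    = "psql-open"
  ssl_enforcement_enabled = false
  tags = {
    env = "dev"
  }
}

resource "azurerm_postgresql_server" "hardened" {
  name                             = "psql-hardened"
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}
'''

if __name__ == "__main__":
    for f in scan_hcl(SAMPLE_CONFIG):
        print(f"{f.address}:{f.line}: {f.message}")
```

Running it against the sample reports the "legacy" server for TLS1_1 and the "unenforced" server twice (TLS enforcement off, minimum version unset), while "hardened" is clean. Nested blocks such as `tags = { ... }` are skipped by the depth check, which is the usual place a naive line scanner goes wrong; for configurations that pass the TLS version through variables, check the resolved value in the plan instead.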
Vulnerable code example
resource "azurerm_postgresql_server" "example" {
  name                             = "psql-server"
  location                         = "eastus"
  resource_group_name              = "rg-example"
  sku_name                         = "B_Gen5_1"
  version                          = "11"
  administrator_login              = "psqladmin"
  administrator_login_password     = var.administrator_password
  ssl_enforcement_enabled          = true
  # Vulnerable: TLS 1.1 is deprecated and clients may negotiate it
  ssl_minimal_tls_version_enforced = "TLS1_1"
}
Secure code example
resource "azurerm_postgresql_server" "example" {
  name                             = "psql-server"
  location                         = "eastus"
  resource_group_name              = "rg-example"
  sku_name                         = "B_Gen5_1"
  version                          = "11"
  administrator_login              = "psqladmin"
  administrator_login_password     = var.administrator_password
  ssl_enforcement_enabled          = true
  # Secure: TLS 1.2 is the minimum version clients are allowed to negotiate
  ssl_minimal_tls_version_enforced = "TLS1_2"
}