Terraform Missing Purge Protection
Description
Identifies Azure Key Vaults configured without purge protection enabled. Azure Key Vault's soft-delete feature keeps a deleted vault, key, secret or certificate recoverable for a retention period (7 to 90 days), but while purge protection is disabled any identity holding purge permission can permanently destroy soft-deleted items before that period ends. Accidental deletion, a compromised credential or a malicious insider can therefore cause irreversible loss of cryptographic material and secrets, and any data encrypted under a purged key becomes unrecoverable. With purge protection enabled, purge operations are rejected until the retention period expires; note that once purge protection is turned on for a vault, Azure does not allow it to be turned off again.
Detection Strategy
• Identifies Terraform resource blocks defining Azure Key Vaults (azurerm_key_vault)
• Checks whether the purge_protection_enabled argument is explicitly set to false or omitted from the resource configuration (the azurerm provider defaults it to false)
• Reports a vulnerability for every Key Vault resource that does not set purge_protection_enabled = true
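The three steps above, as an added worked example that is not part of the original page and not Fluid Attacks' own scanner: a small Python checker that locates azurerm_key_vault blocks in Terraform source, ignores nested blocks such as access_policy and commented-out lines, and reports vaults where purge_protection_enabled is missing or false. It uses a brace-matching scan rather than a full HCL parser, and the Terraform input is constructed for the example.

```python
import re
from typing import List, Tuple

# Opening line of a Key Vault resource block; the match ends on the "{".
RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{')
# Top-level attribute assignment inside the block (after nested blocks are removed).
ATTR_RE = re.compile(r"^\s*purge_protection_enabled\s*=\s*(true|false)\b", re.MULTILINE)


def _strip_comments(hcl: str) -> str:
    """Drop #, // and /* */ comments so a commented-out setting is not counted."""
    hcl = re.sub(r"/\*.*?\*/", "", hcl, flags=re.DOTALL)
    return re.sub(r"(#|//).*", "", hcl)


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _top_level(body: str) -> str:
    """Keep only attributes at the block's own level, dropping nested blocks and maps."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def find_unprotected_key_vaults(hcl: str) -> List[Tuple[str, str]]:
    """Return (resource_name, reason) for each azurerm_key_vault lacking purge protection."""
    text = _strip_comments(hcl)
    findings = []
    for m in RESOURCE_RE.finditer(text):
        name = m.group(1)
        attrs = _top_level(_block_body(text, m.end() - 1))
        setting = ATTR_RE.search(attrs)
        if setting is None:
            findings.append((name, "purge_protection_enabled not set; provider default is false"))
        elif setting.group(1) == "false":
            findings.append((name, "purge_protection_enabled explicitly set to false"))
    return findings


# Constructed sample input for the example: one vault omits the setting, one
# disables it explicitly (with a misleading commented-out line), one is secure
# and also carries a nested block that the scanner must skip over.
SAMPLE_HCL = """
resource "azurerm_key_vault" "missing" {
  name                = "kv-missing"
  location            = "eastus"
  resource_group_name = "example-rg"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault" "explicit_false" {
  name                     = "kv-false"
  location                 = "eastus"
  resource_group_name      = "example-rg"
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = false
  # purge_protection_enabled = true   (commented out: must not count)
}

resource "azurerm_key_vault" "secure" {
  name                       = "kv-secure"
  location                   = "eastus"
  resource_group_name        = "example-rg"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get", "List"]
  }
}
"""

if __name__ == "__main__":
    for resource, reason in find_unprotected_key_vaults(SAMPLE_HCL):
        print(f"azurerm_key_vault.{resource}: {reason}")
```

Running the block reports the "missing" and "explicit_false" vaults and stays silent on "secure". In a real pipeline the same check is better applied to the JSON produced by `terraform show -json`, where the attribute appears as a resolved value and a variable-driven setting is not mistaken for a missing one; the scanner above deliberately treats an expression such as `purge_protection_enabled = var.purge` as absent, which is the conservative choice.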
Vulnerable code example
# Example of vulnerable Azure Key Vault configuration
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "vulnerable" {
  name                = "examplekeyvault"
  location            = "eastus"
  resource_group_name = "example-rg"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  # Vulnerable: purge_protection_enabled is not set, so the provider default
  # (false) applies and soft-deleted items can be purged before the retention
  # period ends
}
Secure code example
# Secure Azure Key Vault configuration
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "secure" {
  name                       = "examplekeyvault"
  location                   = "eastus"
  resource_group_name        = "example-rg"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  # Required to prevent permanent deletion of soft-deleted keys, secrets and
  # certificates; once set to true it cannot be reverted on the vault
  purge_protection_enabled   = true
  # Optional: how long soft-deleted items stay recoverable (7-90 days, default 90)
  soft_delete_retention_days = 90
}