Terraform Missing Expiration Date
Description
Detects Azure Key Vault secrets that are configured without an expiration date. A secret without an expiration date remains valid indefinitely, which violates security best practices: if the secret is compromised, it stays usable until someone notices and rotates it by hand, instead of expiring on its own.
Detection Strategy
• Identifies Terraform resource blocks that define Azure Key Vault secrets (azurerm_key_vault_secret)
• Checks whether the resource block lacks the expiration_date attribute
• Reports a vulnerability for every Key Vault secret found without a defined expiration date
Vulnerable code example
```hcl
resource "azurerm_key_vault_secret" "vulnerable" { # Vulnerable: no expiration_date, so the secret never expires
  name         = "example"
  value        = var.value_azsqlrevapp
  key_vault_id = data.azurerm_key_vault.kv.id
}
```
✅ Secure code example
```hcl
resource "azurerm_key_vault_secret" "secure" {
  name            = "example"
  value           = var.value_azsqlrevapp
  key_vault_id    = data.azurerm_key_vault.kv.id
  content_type    = "password"             # Added content type for better secret management
  expiration_date = "2024-12-31T23:59:59Z" # Added expiration for security compliance
  tags = {...
}
```
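The detection strategy above can be reproduced with a short static check. The script below is an added example written for this page, not Fluid Attacks' own scanner: it uses a small brace-matching pass in place of a real HCL parser, drops `#` comments and nested blocks such as `tags = { ... }`, and inspects only the top-level attributes of each `azurerm_key_vault_secret` block. It goes slightly beyond the page's check: when `expiration_date` is a string literal it also verifies that the value is an RFC 3339 UTC timestamp that has not already passed (the page's `2024-12-31T23:59:59Z` is only "secure" while that date lies in the future). The sample HCL, the resource names `expired` and `rotated`, the variables `var.old_value`, `var.rotated_value` and `var.secret_expiry`, and the reference date `SAMPLE_NOW` are all constructed for the demo.

```python
"""Static check for Azure Key Vault secrets declared in Terraform without an
expiration_date.  Added example for this page, not Fluid Attacks' scanner.
Limitations: '#' comments are stripped before brace matching, so a '#' inside a
quoted value would be misread; interpolation strings containing braces are not
handled.  Good enough to show the check, not a replacement for an HCL parser."""
import re
from datetime import datetime, timezone

RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault_secret"\s+"([^"]+)"\s*\{')
EXPIRATION_RE = re.compile(r'^\s*expiration_date\s*=\s*(.+?)\s*$', re.MULTILINE)
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"  # format azurerm expects, e.g. 2024-12-31T23:59:59Z

# Constructed reference "now" so the demo result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample: the page's two resources plus two extra cases.
SAMPLE_HCL = '''
resource "azurerm_key_vault_secret" "vulnerable" {
  name         = "example"
  value        = var.value_azsqlrevapp
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "azurerm_key_vault_secret" "secure" {
  name            = "example"
  value           = var.value_azsqlrevapp
  key_vault_id    = data.azurerm_key_vault.kv.id
  content_type    = "password"
  expiration_date = "2024-12-31T23:59:59Z"
  tags = {
    owner = "platform-team"  # nested block; must not confuse the scanner
  }
}

resource "azurerm_key_vault_secret" "expired" {
  name            = "old"
  value           = var.old_value
  key_vault_id    = data.azurerm_key_vault.kv.id
  expiration_date = "2020-01-01T00:00:00Z"
}

resource "azurerm_key_vault_secret" "rotated" {
  name            = "computed"
  value           = var.rotated_value
  key_vault_id    = data.azurerm_key_vault.kv.id
  expiration_date = var.secret_expiry  # expression: value known only at plan time
}
'''


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in resource block")


def _top_level_text(body):
    """Drop nested blocks so only the block's own top-level attributes remain."""
    depth, kept = 0, []
    for ch in body:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
        elif depth == 0:
            kept.append(ch)
    return ''.join(kept)


def find_secrets_without_expiration(hcl, now_utc=None):
    """Return [(resource_name, reason)] for every azurerm_key_vault_secret that
    lacks expiration_date, or whose literal expiration is malformed or past."""
    now_utc = now_utc or datetime.now(timezone.utc)
    hcl = re.sub(r'#.*', '', hcl)  # strip comments before matching braces
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        attrs = _top_level_text(_block_body(hcl, m.end() - 1))
        hit = EXPIRATION_RE.search(attrs)
        if hit is None:
            findings.append((name, "missing expiration_date"))
            continue
        raw = hit.group(1)
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # variable or function call: cannot be evaluated statically
        try:
            exp = datetime.strptime(raw.strip('"'), RFC3339_UTC).replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append((name, "expiration_date is not an RFC 3339 UTC timestamp"))
            continue
        if exp <= now_utc:
            findings.append((name, "expiration_date already passed"))
    return findings


if __name__ == "__main__":
    for resource, reason in find_secrets_without_expiration(SAMPLE_HCL, SAMPLE_NOW):
        print(f"azurerm_key_vault_secret.{resource}: {reason}")
```

Run against the sample with `SAMPLE_NOW`, the check reports `vulnerable` (no attribute) and `expired` (date in the past); `secure` passes and `rotated` is skipped because a variable cannot be judged without the plan. Run without a reference date it uses the current time, so the page's `secure` example itself is reported once 2024-12-31 has passed, which is exactly the drift a periodic re-scan of Terraform code is meant to catch.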