For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-azure-function-app-client-certificates-unrequired.md. A documentation index is available at /llms.txt.

Function App client certificates not required

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-azure-function-app-client-certificates-unrequired

Provider: Azure

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Description

Azure Function Apps should require client certificates for incoming requests by setting the client_cert_mode attribute to "Required". Without this setting, as seen below, the Function App allows unauthenticated traffic, increasing the risk of unauthorized access to sensitive business logic or data processed by the Function App:

resource "azurerm_function_app" "example" {
  // ... other configuration ...
  client_cert_mode = "Required"
}

Enforcing client certificate authentication ensures that only trusted clients can interact with the Function App, reducing the attack surface and protecting against various unauthorized access vectors.

Compliant Code Examples

resource "azurerm_function_app" "negative" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  client_cert_mode = "Required"
}

Non-Compliant Code Examples

resource "azurerm_function_app" "positive1" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}

resource "azurerm_function_app" "positive2" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  client_cert_mode = "Optional"
}