
Metadata

Id: f8e08a38-fc6e-4915-abbe-a7aadf1d59ef

Cloud Provider: Azure

Platform: Terraform

Severity: Medium

Category: Best Practices

Description

Key Vault secrets in Azure should explicitly set the content_type attribute to define the type and intended usage of the stored secret. Without content_type, the people and automation that consume the vault cannot tell what kind of secret a value is or how it should be handled, which increases the risk of accidental misuse or disclosure. A secure Terraform configuration includes the content_type attribute, as shown below:

resource "azurerm_key_vault_secret" "example" {
  name         = "db-password"
  value        = "MySecurePassword123"
  key_vault_id = azurerm_key_vault.example.id
  content_type = "password"
}

Compliant Code Examples

resource "azurerm_key_vault_secret" "negative" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
  content_type = "password"
}

Non-Compliant Code Examples

resource "azurerm_key_vault_secret" "positive" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
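The rule above can be enforced before plan time with a small checker. The following Python script is an added example, not Datadog's rule implementation or any project's code: it scans Terraform source for azurerm_key_vault_secret resources and reports the ones that have no top-level content_type attribute. The sample configuration embedded in it is constructed for the example; it mirrors the compliant and non-compliant resources on this page (with the secret values replaced by variable references) and adds a nested tags map to show that a same-named key inside a nested block does not satisfy the check. The brace-matching parser is a deliberate simplification that assumes no braces inside string values.

```python
import re

# Constructed sample Terraform source for this example (not from the page).
SAMPLE_TF = '''
resource "azurerm_key_vault" "example" {
  name = "kv-example"
}

resource "azurerm_key_vault_secret" "negative" {
  name         = "secret-sauce"
  value        = var.secret_sauce
  key_vault_id = azurerm_key_vault.example.id
  content_type = "password"
}

resource "azurerm_key_vault_secret" "positive" {
  name         = "secret-sauce"
  value        = var.secret_sauce
  key_vault_id = azurerm_key_vault.example.id
  tags = {
    content_type = "not-the-real-attribute"
  }
}
'''

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def extract_resources(hcl):
    """Yield (resource_type, resource_name, body) for each top-level resource block.

    The body is the text between the block's outer braces. Nested blocks such as
    tags = { ... } are kept inside the body by counting brace depth. Simplification:
    braces inside string values are not handled.
    """
    for header in RESOURCE_HEADER.finditer(hcl):
        depth = 1
        pos = header.end()
        while pos < len(hcl) and depth:
            if hcl[pos] == "{":
                depth += 1
            elif hcl[pos] == "}":
                depth -= 1
            pos += 1
        yield header.group(1), header.group(2), hcl[header.end():pos - 1]


def has_top_level_attr(body, attr):
    """True if `attr = ...` is set at nesting depth 0 of the block body.

    A key with the same name inside a nested map (for example tags = { content_type = ... })
    is at depth 1 and therefore does not count.
    """
    pattern = re.compile(r"^" + re.escape(attr) + r"\s*=")
    depth = 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0 and pattern.match(stripped):
            return True
        depth += stripped.count("{") - stripped.count("}")
    return False


def find_secrets_missing_content_type(hcl):
    """Return the names of azurerm_key_vault_secret resources without content_type."""
    return [
        name
        for rtype, name, body in extract_resources(hcl)
        if rtype == "azurerm_key_vault_secret"
        and not has_top_level_attr(body, "content_type")
    ]


if __name__ == "__main__":
    for name in find_secrets_missing_content_type(SAMPLE_TF):
        print(f'azurerm_key_vault_secret "{name}": content_type is not set')
```

Run against the constructed sample, only the `positive` resource is reported; the `negative` resource passes because its content_type is set at the top level of the block. Note that content_type is metadata only: it tells consumers what the value is, but it does not protect the value itself, so checks for hardcoded secret values in Terraform source remain a separate concern.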