Key vault secrets do not have content_type set
Description
Azure Key Vault is a service for Secrets management to securely store and control access to tokens, passwords, certificates, API keys, and other secrets. A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.
Code Example
go
resource "azurerm_key_vault" "example" {
name = "examplekeyvault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
soft_delete_retention_days = 7
+ content_type = "text/plain"
}Remediation
Terraform
- Resource: azurerm_key_vault
- Arguments: content_type - (Optional) Specifies the content type for the Key Vault Secret.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0621 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_114 |