IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

support TLS 1.3 supported ciphers for ibm_cis_domain_settings #3736

Open hkantare opened 2 years ago

hkantare commented 2 years ago

Case Short Description: About the cis_domain_settings method

Case Description: The documentation explains:

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cis_domain_settings


cipher - (Optional, String) Cipher setting values are ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA.

min_tls_version - (Optional, String) The minimum TLS version that you want to allow. Allowed values are 1.1, 1.2, or 1.3.

Ciphers for TLS 1.3 cannot be set, but what do I do?

https://cloud.ibm.com/docs/cis?topic=cis-cis-tls-options&locale=en#cipher-suitesI

gahlaut-rahul commented 2 years ago

@hkantare, we are able to reproduce this issue (tried with TLS 1.3 and cipher "AES128-SHA256") and are working on fixing it.

│ Error: Cipher suite selections are not supported for a minimum TLS version of 1.3 and vice versa. Please check your input and try again.
│
│   with ibm_cis_domain_settings.test,
│   on main.tf line 25, in resource "ibm_cis_domain_settings" "test":
│   25: resource "ibm_cis_domain_settings" "test" {

hkantare commented 2 years ago

@gahlaut-rahul Can you provide an ETA for this? The support services are asking for updates.

gahlaut-rahul commented 2 years ago

Hi @hkantare. We are in the process of fixing it. Considering UT, review and testing, we would try to merge the fix by 10th May 2022.

hkantare commented 2 years ago

@gahlaut-rahul Any update on this? When can we expect a PR for this?

gahlaut-rahul commented 2 years ago

@hkantare, we've found an underlying issue with the APIs (it is not just a Terraform issue); the team is already working on pushing these changes. The API fix will be pushed to prod by next week.

hkantare commented 2 years ago

@gahlaut-rahul Any approximate ETA?

gahlaut-rahul commented 2 years ago

Hi @hkantare, it would be ready by the last week of May.

rkocheis commented 2 years ago

A fix is currently deployed in our test environment. It is planned to be deployed to production sometime this week.

IgnazioT commented 2 years ago

Hello team, the customer is asking for the release schedule. Do you have any update to share with him? Thanks, Ignazio.

IgnazioT commented 2 years ago

Hi team, any news? Thanks, Ignazio.

gahlaut-rahul commented 2 years ago

@IgnazioT It was an API issue (not a Terraform issue). I think the fix was already merged last week. I'll re-check and re-confirm it with Rolf tonight. [CC: @rkocheis]

gahlaut-rahul commented 2 years ago

@IgnazioT, I checked with the CIS team. It is being deployed in prod and will be completed by the end of next week. cc: @rkocheis @kevinschr

hkantare commented 2 years ago

@gahlaut-rahul I think we need a fix from the Terraform side as well, to add that support in validation.

gahlaut-rahul commented 2 years ago

@hkantare Checking again and will add it if anything is missing.

kevinschr commented 2 years ago

@hkantare Hello. While the TLSv1.3 ciphers have been added to the valid cipher list in the API, it is currently not possible to customize TLSv1.3 cipher suites in CIS; neither blocklisting nor allowlisting them is supported. When using minimum TLSv1.3, CIS will restrict to the ciphers AEAD-AES128-GCM-SHA256, AEAD-AES256-GCM-SHA384, and AEAD-CHACHA20-POLY1305-SHA256, as per RFC 8446 section 9.1. Please let us know if you have a use case for customizing these ciphers.

gahlaut-rahul commented 2 years ago

Thanks @kevinschr for the detailed explanation. @IgnazioT We've fixed the issue from the Terraform side and the API fix is also merged, but note there are some restrictions, as Kevin mentioned in the comment above.

Let us know if you have any further query.

hkantare commented 2 years ago

The fix is available in 1.43.0-beta0 release https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.43.0-beta0

arpit-srivastava-ibm commented 2 years ago

The customer is still facing the issue. I am looking into this and will post an update once I have one.

arpit-srivastava-ibm commented 2 years ago

@support As mentioned above, when using minimum TLS v1.3, it is currently not possible to customise which ciphers to use. We cannot add or remove ciphers of our choice, and the ciphers will be set by default only.

To set the default ciphers, pass an empty list [] in the config. There is no fix needed in the TF code.

This was not very clear in the documentation, for which I am pushing a fix. I will update once this gets reflected in the docs.
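The configuration that triggers the error reported at the top of this thread and the configuration that resolves it, written out side by side as an added example (this is not code from the issue, from the provider's docs, or from the CIS team). cis_id, domain_id, min_tls_version and cipher are the resource's documented arguments; the ibm_cis.instance and ibm_cis_domain.example references are assumptions. Three resource blocks are shown only for contrast; a real configuration has one ibm_cis_domain_settings per domain. The third block goes beyond the thread: it assumes, consistent with Kevin's comment, that the cipher list governs only TLS 1.2 and older handshakes, so an allowlist is the way to drop the CBC, SHA-1 and DES-CBC3-SHA entries from the documented list while TLS 1.3 clients still get the fixed AEAD suites.

```hcl
# Added example, not the provider's own code.
# ibm_cis.instance and ibm_cis_domain.example are assumed to exist elsewhere in the config.

# Rejected by the CIS API: a cipher selection together with min_tls_version = "1.3".
# This is the combination behind "Cipher suite selections are not supported for a
# minimum TLS version of 1.3 and vice versa".
resource "ibm_cis_domain_settings" "rejected" {
  cis_id          = ibm_cis.instance.id
  domain_id       = ibm_cis_domain.example.id
  min_tls_version = "1.3"
  cipher          = ["AES128-SHA256"]
}

# Accepted: minimum TLS 1.3 with an empty cipher list. CIS then negotiates only the
# TLS 1.3 AEAD suites (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) and nothing else
# can be allowlisted or blocklisted for those connections.
resource "ibm_cis_domain_settings" "tls13_defaults" {
  cis_id          = ibm_cis.instance.id
  domain_id       = ibm_cis_domain.example.id
  min_tls_version = "1.3"
  cipher          = []
}

# Assumption (see lead-in): if an explicit allowlist is the requirement, the minimum
# has to stay at 1.2 and the entries must come from the documented list. Keeping only
# the ECDHE + AEAD entries excludes the CBC/SHA-1 suites, the non-forward-secret
# AES*-SHA* suites and DES-CBC3-SHA that the full list would otherwise permit.
resource "ibm_cis_domain_settings" "tls12_aead_only" {
  cis_id          = ibm_cis.instance.id
  domain_id       = ibm_cis_domain.example.id
  min_tls_version = "1.2"
  cipher = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
  ]
}
```

After terraform apply, check the result from outside rather than trusting the plan: openssl s_client -connect <domain>:443 -tls1_3 </dev/null should report Protocol TLSv1.3 and a Cipher of TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256 (the IANA names of the three AEAD suites Kevin lists), and for the tls13_defaults variant openssl s_client -tls1_2 against the same domain should fail the handshake.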

arpit-srivastava-ibm commented 2 years ago

The documentation will be updated in 1.44.0-beta0 release.