Open torbendury opened 2 years ago
Instead of tls_version, specifying the policy would also be a good idea:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
@philipp-hb @torbendury thanks for opening this issue.
Do you happen to know the configuration key which AKS is using to configure this functionality? Since this is provisioned by AKS, support needs to be available within the AKS API in either case.
Thanks!
Unfortunately, I don't know how it's done in the AKS API.
Hi @philipp-hb ,
I'm not sure whether I understand this correctly; can this property solve the problem? It's used to configure the SSL policy for an application gateway: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#ssl_policy
Hi @ms-henglu, when we manually create the AppGW instance, afaik we cannot use the "greenfield" AKS method of a fully-managed AppGW+AGIC.
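For reference, this is what the "brownfield" path discussed above looks like in Terraform: the gateway is created by Terraform with an explicit `ssl_policy` and the AKS addon is pointed at it through `gateway_id`, so the TLS policy is part of the code rather than a Portal change. This is an added example, not a configuration from the issue author or from the provider's documentation; resource names, address ranges, the region, the node pool size and the choice of predefined policy name are assumptions, and it assumes the azurerm 3.x provider. Without the `ssl_policy` block the gateway keeps Azure's default policy, which is the weak-cipher situation the issue describes.

```hcl
# Added example: manually managed Application Gateway with a pinned TLS policy,
# consumed by the AKS ingress_application_gateway addon (brownfield AGIC).
# Names, CIDRs, region and SKU sizes below are assumed values.

resource "azurerm_resource_group" "rg" {
  name     = "rg-agic-example" # assumed name
  location = "westeurope"      # assumed region
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-agic-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "appgw" {
  name                 = "snet-appgw"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.2.0/23"]
}

resource "azurerm_public_ip" "appgw" {
  name                = "pip-appgw"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_application_gateway" "appgw" {
  name                = "appgw-agic-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  # The security-relevant part. Omitting this block leaves the Azure default
  # policy in place, which still offers weak cipher suites. The predefined
  # "S" policy restricts the gateway to TLS 1.2+ with ECDHE/AES-GCM suites.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101S"
  }

  gateway_ip_configuration {
    name      = "appgw-ipcfg"
    subnet_id = azurerm_subnet.appgw.id
  }

  frontend_port {
    name = "port-80"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "feip-public"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  # AGIC replaces pools, settings, listeners and rules from Ingress objects;
  # these placeholders only satisfy the resource schema at creation time.
  backend_address_pool { name = "placeholder-pool" }

  backend_http_settings {
    name                  = "placeholder-settings"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
  }

  http_listener {
    name                           = "placeholder-listener"
    frontend_ip_configuration_name = "feip-public"
    frontend_port_name             = "port-80"
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = "placeholder-rule"
    rule_type                  = "Basic"
    http_listener_name         = "placeholder-listener"
    backend_address_pool_name  = "placeholder-pool"
    backend_http_settings_name = "placeholder-settings"
    priority                   = 100
  }

  lifecycle {
    # AGIC rewrites the routing objects; ssl_policy is deliberately NOT listed
    # here so that Terraform keeps enforcing the TLS policy on every apply.
    ignore_changes = [backend_address_pool, backend_http_settings, http_listener, request_routing_rule, probe, tags]
  }
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-agic-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  dns_prefix          = "aksagic"

  default_node_pool {
    name           = "system"
    node_count     = 1
    vm_size        = "Standard_D2s_v3"
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity { type = "SystemAssigned" }

  # Brownfield wiring: hand the addon an existing gateway instead of letting
  # AKS provision one whose TLS policy Terraform cannot reach.
  ingress_application_gateway {
    gateway_id = azurerm_application_gateway.appgw.id
  }
}
```

A quick check after `terraform apply` is to look at the gateway's effective policy in the Portal or via the Azure CLI; any drift back to the default policy shows up in the next `terraform plan` because `ssl_policy` is not in `ignore_changes`.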
Community Note
Description
Per default, when enabling `ingress_application_gateway` as an addon in an `azurerm_kubernetes_cluster`, weak ciphers are allowed (which makes several attacks like this one possible). Customers can enforce stronger TLS policies in the Azure Portal, which is kinda disturbing when you try to fully manage your infrastructure as code. Since the API seems to allow setting a TLS policy on the resource itself, one should also be able to set it via Terraform.

Side info: Setting a weak security-related configuration as a default does not feel production-ready.
New or Affected Resource(s)
Potential Terraform Configuration
References