hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for setting TLS version in `azurerm_kubernetes_cluster.addon_profile.ingress_application_gateway` #15762

Open torbendury opened 2 years ago

torbendury commented 2 years ago

Community Note

Description

By default, when enabling ingress_application_gateway as an addon in an azurerm_kubernetes_cluster, weak ciphers are allowed (which makes several attacks like this one possible). Customers can enforce stronger TLS policies in the Azure Portal, which is kinda disturbing when you try to fully manage your infrastructure as code. Since the API seems to allow setting a TLS policy on the resource itself, one should also be able to set it via Terraform.

Side info: Setting a weak security-related configuration as a default does not feel production-ready.

New or Affected Resource(s)

Potential Terraform Configuration

```hcl
addon_profile {
  ingress_application_gateway {
    enabled      = true
    gateway_name = "my-appgw"
    subnet_id    = azurerm_subnet.application-gateway.id
    tls_version  = "TLSv1_2" # proposed attribute, not present in the provider
  }
}
```

References

philipp-hb commented 2 years ago

Instead of tls_version, specifying the policy would also be a good idea:

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

tombuildsstuff commented 2 years ago

@philipp-hb @torbendury thanks for opening this issue.

Do you happen to know the configuration key which AKS is using to configure this functionality? Since this is provisioned by AKS, support needs to be available within the AKS API in either case.

Thanks!

philipp-hb commented 2 years ago

Unfortunately, I don't know how it's done in the AKS API.

ms-henglu commented 2 years ago

Hi @philipp-hb ,

I'm not sure whether I understand this correctly; can this property solve the problem? It's used to configure the SSL policy for an application gateway. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#ssl_policy

torbendury commented 2 years ago

Hi @ms-henglu, when we manually create the AppGW instance, AFAIK we cannot use the "greenfield" AKS method of a fully managed AppGW+AGIC.
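As an added example (not code from the issue, the provider, or Microsoft), this is the "brownfield" wiring that the provider documents for the case torbendury describes: Terraform creates the Application Gateway with an explicit ssl_policy, and the AKS add-on is pointed at it with gateway_id rather than letting it create one with the default policy. It uses azurerm 3.x syntax (ingress_application_gateway as a top-level block instead of under addon_profile); the resource names, the four variables (resource group, location, gateway subnet, a Standard-SKU static public IP) and the placeholder listener/pool/rule are assumptions for illustration.

```hcl
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "appgw_subnet_id" { type = string }    # assumed: subnet dedicated to the gateway
variable "appgw_public_ip_id" { type = string } # assumed: Standard-SKU static public IP

resource "azurerm_application_gateway" "appgw" {
  name                = "agw-aks"
  resource_group_name = var.resource_group_name
  location            = var.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  # Without this block the gateway stays on AppGwSslPolicy20150501, which still
  # accepts TLS 1.0/1.1 and CBC/3DES suites. AppGwSslPolicy20220101S is TLS 1.2+ with
  # GCM suites only; policy_type = "Custom" with min_protocol_version/cipher_suites is the explicit alternative.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101S"
  }

  gateway_ip_configuration {
    name      = "gateway-ip"
    subnet_id = var.appgw_subnet_id
  }

  frontend_ip_configuration {
    name                 = "frontend-public"
    public_ip_address_id = var.appgw_public_ip_id
  }

  # Placeholders: the API requires one of each; AGIC replaces them from Ingress objects.
  frontend_port {
    name = "port-80"
    port = 80
  }

  backend_address_pool {
    name = "placeholder-pool"
  }

  backend_http_settings {
    name                  = "placeholder-settings"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
  }

  http_listener {
    name                           = "placeholder-listener"
    frontend_ip_configuration_name = "frontend-public"
    frontend_port_name             = "port-80"
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = "placeholder-rule"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "placeholder-listener"
    backend_address_pool_name  = "placeholder-pool"
    backend_http_settings_name = "placeholder-settings"
  }

  # AGIC rewrites these blocks at runtime, so ignore them rather than fight the controller.
  # ssl_policy is deliberately NOT listed: a portal change back to a weak policy becomes plan drift.
  lifecycle {
    ignore_changes = [frontend_port, backend_address_pool, backend_http_settings, http_listener,
      request_routing_rule, probe, url_path_map, redirect_configuration, tags]
  }
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-tls"
  resource_group_name = var.resource_group_name
  location            = var.location
  dns_prefix          = "akstls"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # Brownfield AGIC: gateway_id instead of gateway_name, so the add-on adopts the gateway above.
  ingress_application_gateway {
    gateway_id = azurerm_application_gateway.appgw.id
  }
}
```

Two things the block does not show but a deployment needs: the add-on's managed identity (exported by the provider as `ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id`) must be granted Contributor on the gateway and Reader on its resource group with `azurerm_role_assignment`, since it did not create the gateway; and the check that matters here is a routine `terraform plan`, which reports any ssl_policy weakened outside Terraform because that block is kept out of `ignore_changes`.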