hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for minimalTlsVersion in azurerm_cosmosdb_account #21295

Open heller-tobias opened 1 year ago

heller-tobias commented 1 year ago

Description

I would like to request a new feature for the azurerm_cosmosdb_account in the Azure Resource Manager API. With the release of the 2022-11-15 API version of the Azure Cosmos DB Resource Provider API, it is now possible to set the minimum TLS version for Cosmos DB accounts.

Currently, the only way to set the minimum TLS version is through the Azure API. However, it would be beneficial for users to have the ability to set the minimum TLS value to 1.2 through the azurerm_cosmosdb_account resource.

Although it is a standard for new Cosmos DB accounts to have a minimum TLS version of 1.2 since April 1, 2023, this feature would still be useful for users who have existing Cosmos DB accounts and need to update the minimum TLS version. Possible values for minimalTlsVersion could be:

I believe that adding this feature to azurerm_cosmosdb_account would greatly improve the user experience for managing Cosmos DB accounts through the Azure Resource Manager API.

Thank you for considering my feature request.

New or Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_account

Potential Terraform Configuration

resource "azurerm_cosmosdb_account" "db" {
  name                = "tfex-cosmos-db-${random_integer.ri.result}"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  minimalTlsVersion   = "Tls12"
}

References

Azure TLS version enforcement documentation: https://learn.microsoft.com/en-us/azure/cosmos-db/self-serve-minimum-tls-enforcement

jfilburn commented 1 year ago

I just wanted to give an update that the Azure Portal now allows for this setting to be changed as a quick workaround until TF supports it, if you want to skip using the Azure API.

The setting can be found here: CosmosDB resource -> Networking -> Connectivity tab

heller-tobias commented 1 year ago

Hi @jfilburn, thank you for the input! Unfortunately this is not really feasible if you have a lot of Cosmos DB accounts deployed. Therefore I think it is still a good idea to implement it in TF.

kkarballof commented 1 year ago

Any updates on this? I am trying with the below but no luck so far:

resource "azapi_update_resource" "qs101" {
  type      = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  name      = "default"
  parent_id = data.azurerm_cosmosdb_account.cosmos.id

  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
}

heller-tobias commented 1 year ago

Any updates on this? I am trying with the below but no luck so far:

resource "azapi_update_resource" "qs101" {
  type      = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  name      = "default"
  parent_id = data.azurerm_cosmosdb_account.cosmos.id

  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
}

For me, this worked with the following code:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
  resource_id = COSMOSDBACCOUNT_ID
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })

  depends_on = [
    azurerm_cosmosdb_sql_container.container1
  ]
}

kkarballof commented 1 year ago

@heller-tobias It does work! thanks C

biodrone commented 1 year ago

For me, this worked with the following code:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
  resource_id = COSMOSDBACCOUNT_ID
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })

  depends_on = [
    azurerm_cosmosdb_sql_container.container1
  ]
}

Appreciate the workaround, but I'm still very much for your original idea of getting an official argument for it (especially as existing accounts seem to default to TLS1).
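Since the thread notes that existing accounts may still sit at TLS 1.0 and that the property is only exposed by newer API versions, here is an added audit script (not part of the issue or the provider) that walks an inventory of Microsoft.DocumentDB/databaseAccounts and flags every account not known to enforce at least Tls12. It assumes the JSON shape of `az cosmosdb list` (minimalTlsVersion flattened to the top level) or a raw ARM GET (under "properties"); the sample accounts are constructed, and `audit_json`, `min_tls_of` and `remediation_body` are names chosen here.

```python
"""Audit Cosmos DB accounts for their minimalTlsVersion setting (added example)."""
import json

# Ordered weakest to strongest; these are the values the thread refers to.
TLS_RANK = {"Tls": 0, "Tls11": 1, "Tls12": 2}

# Constructed sample inventory, not real accounts. Mixes the flattened
# `az cosmosdb list` shape and the raw ARM shape with a "properties" object.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "cosmos-legacy", "properties": {"minimalTlsVersion": "Tls"}},
  {"name": "cosmos-mid", "minimalTlsVersion": "Tls11"},
  {"name": "cosmos-ok", "minimalTlsVersion": "Tls12"},
  {"name": "cosmos-unreported", "properties": {}}
]"""


def min_tls_of(account):
    """Return the reported minimalTlsVersion, or None if it is absent.

    Absent usually means the account was read with an API version older than
    2022-11-15, which does not expose the property, so it must be re-queried
    rather than assumed compliant."""
    props = account.get("properties") or {}
    return props.get("minimalTlsVersion", account.get("minimalTlsVersion"))


def audit_min_tls(accounts, required="Tls12"):
    """Return (name, reported_value, reason) for each account that is not
    known to enforce at least `required`; compliant accounts are omitted."""
    findings = []
    for acct in accounts:
        value = min_tls_of(acct)
        if value is None:
            findings.append((acct["name"], None, "not reported; re-query with API version >= 2022-11-15"))
        elif value not in TLS_RANK:
            findings.append((acct["name"], value, "unrecognised value"))
        elif TLS_RANK[value] < TLS_RANK[required]:
            findings.append((acct["name"], value, f"below required {required}"))
    return findings


def audit_json(text, required="Tls12"):
    """Convenience wrapper: parse an inventory JSON document and audit it."""
    return audit_min_tls(json.loads(text), required)


def remediation_body(version="Tls12"):
    """The request body the azapi_update_resource workaround in this thread sends."""
    return {"properties": {"minimalTlsVersion": version}}


if __name__ == "__main__":
    for name, value, reason in audit_json(SAMPLE_ACCOUNTS_JSON):
        print(f"{name}: {value!r} -> {reason}")
    print(json.dumps(remediation_body()))
```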

dmdport commented 1 year ago

When attempting the above solution, I get the error: Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi. Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

heller-tobias commented 1 year ago

When attempting the above solution, I get the error: Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi. Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

Are you calling the azapi_update_resource within a module? If yes, you need to add the provider inside of the module as well.

dmdport commented 1 year ago

When attempting the above solution, I get the error: Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi. Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

Are you calling the azapi_update_resource within a module? If yes, you need to add the provider inside of the module as well.

I was initially, but I had moved it out of my module to get around the for_each limitation when declaring providers in child modules. The above error happens even when it is inside the root module.

jan-mrm commented 1 year ago

As far as I can see, we would need an update of the provider's API version of the Cosmos API to implement it into the azurerm_cosmosdb_account resource.

sehgalnamit commented 1 year ago

The reason that the account didn't default to TLS1.2 is that the API version used to submit the request was not the minimum required 2022-11-15 (in this case, it had 2021-10-15). If Terraform doesn't use consistent API versions then it could result in such behavior.

michasacuer commented 10 months ago

Any status of that?

adamsba3 commented 8 months ago

Second, check if this needs a PR created to fix it, or if the global version of the API should not be version 2021-10-15.

Basically does this need a PR to add the field when calling the azure api?

jackofallops commented 8 months ago

Hi all, there's an upstream API issue tracking an API bug preventing the support of this property at this time: https://github.com/Azure/azure-rest-api-specs/issues/27596. When that's resolved, we can take another look.

Thanks!