hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support setting minTlsCipherSuite on App Service #24223

Open camtittle opened 11 months ago

camtittle commented 11 months ago

Description

Azure App Service supports specifying the minimum TLS cipher suite to allow for incoming traffic. This can be set via the update config API's minTlsCipherSuite field.

See the Azure App Service blog for more details.

It would be great to be able to specify this field in Terraform configuration.

New or Affected Resource(s)/Data Source(s)

azurerm_linux_web_app, azurerm_windows_web_app

Potential Terraform Configuration

resource "azurerm_linux_web_app" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id

  site_config {
    minTlsCipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
  }
}

References

No response

xiaxyi commented 11 months ago

Thanks @camtittle for raising this request, let me check and add it to our backlog once confirmed.

xiaxyi commented 10 months ago

The property is available in the next API version 2023-01-01. We may not be able to give it high priority; need to check.

rajeeshmenoth commented 10 months ago

This is crucial for cybersecurity weak cipher suite certification clearance, and we need this fix to be available immediately. We can't maintain this manually because whenever we execute Terraform, the manual changes will be overridden, creating a high risk to the production environment.

lzarus commented 10 months ago

Thanks @camtittle @xiaxyi for this request. When will we be able to get this version, since it's not yet available? This problem now affects our entire platform, and we run the same risk as @rajeeshmenoth.

joshfrias commented 6 months ago

The above PR doesn't cover azurerm_windows_web_app. I hope this issue isn't closed before that.

cleverer commented 6 months ago

@xiaxyi it looks like the new properties never got implemented/got dropped (even though the API version got upgraded to 2023-01-01) when #24447 got superseded by #24483. Is that correct?

Is there anything I can do to help get those implemented?

atsernouski commented 4 months ago

@xiaxyi any update here?

This feature is really important; any pentest brings up the point with the App Service TLS cipher suite.

xiaxyi commented 4 months ago

Hi all, the property is added in the mentioned PR. Feel free to track it for any progress.

Tolbin400 commented 2 months ago

Any update on when the PR will be merged?

DempseySbaiz commented 1 month ago

Any updates on this, please? Our client is asking for this feature.

fabiostawinski commented 2 weeks ago

Meanwhile, you may use azapi (1.15.0) for that:

resource "azapi_update_resource" "minTlsCipherSuite" {
  type        = "Microsoft.Web/sites@2023-01-01"
  resource_id = azurerm_linux_web_app.linux_web_app.id
  body = jsonencode({
    properties = {
      siteConfig = {
        minTlsCipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
      }
    }
  })

  response_export_values = ["properties"]
}
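
An added example, not part of the thread or of either provider: a CI-style audit over `terraform show -json` state output that reports every azurerm_linux_web_app or azurerm_windows_web_app not covered by an azapi_update_resource setting the required minTlsCipherSuite. The function names, the sample state and its placeholder IDs are constructed here, and it assumes a `jsonencode()` body appears in the state as a JSON string.

```python
import json
WEB_APP_TYPES = {"azurerm_linux_web_app", "azurerm_windows_web_app"}

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def pinned_suites(resources):
    """Map lower-cased target resource ID -> minTlsCipherSuite set through azapi."""
    pinned = {}
    for res in (r for r in resources if r["type"] == "azapi_update_resource"):
        body = res["values"].get("body") or {}
        if isinstance(body, str):  # assumption: a jsonencode() body is stored as a string
            body = json.loads(body)
        suite = body.get("properties", {}).get("siteConfig", {}).get("minTlsCipherSuite")
        if suite:  # Azure resource IDs are case-insensitive, so normalise before matching
            pinned[res["values"]["resource_id"].lower()] = suite
    return pinned

def audit(state, required_suite):
    """Return sorted (address, finding) pairs for web apps lacking the required suite."""
    resources = list(walk(state["values"]["root_module"]))
    pinned = pinned_suites(resources)
    findings = []
    for res in resources:
        if res["type"] in WEB_APP_TYPES:
            suite = pinned.get(res["values"]["id"].lower())
            if suite != required_suite:
                why = f"unexpected suite {suite}" if suite else "minTlsCipherSuite not set"
                findings.append((res["address"], why))
    return sorted(findings)

# Constructed sample state with placeholder IDs: one covered app, one uncovered app in a module.
APP_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Web/sites/"
SUITE = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
BODY = json.dumps({"properties": {"siteConfig": {"minTlsCipherSuite": SUITE}}})
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "azurerm_linux_web_app.linux_web_app", "type": "azurerm_linux_web_app",
         "values": {"id": APP_ID + "example"}},
        {"address": "azapi_update_resource.minTlsCipherSuite", "type": "azapi_update_resource",
         "values": {"resource_id": (APP_ID + "example").upper(), "body": BODY}}],
    "child_modules": [{"address": "module.apps", "resources": [
        {"address": "module.apps.azurerm_windows_web_app.win", "type": "azurerm_windows_web_app",
         "values": {"id": APP_ID + "win"}}]}]}}}

if __name__ == "__main__":
    print(audit(SAMPLE_STATE, SUITE))
```

On real input, load the output of `terraform show -json` with `json.load` and fail the pipeline when `audit` returns a non-empty list.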