hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Setting minimum_tls_version on eventhub_namespace not upgrading from 1.0 to 1.2 #25049

Open matthawley opened 8 months ago

matthawley commented 8 months ago

Terraform Version

1.6.6

AzureRM Provider Version

3.93.0

Affected Resource(s)/Data Source(s)

eventhub_namespace_resource

Terraform Configuration Files

# Initial run to create the resource using TLS 1.0
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "example-namespace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"
  capacity            = 2
  minimum_tls_version = "1.0"
}

# Followed up by running this configuration updating TLS from 1.0 -> 1.2
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "example-namespace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"
  capacity            = 2
  minimum_tls_version = "1.2"
}

Debug Output/Panic Output

https://gist.github.com/matthawley/ba1ebd2df0a5b02ed3b467b11604fb68

Expected Behaviour

When upgrading the TLS version from 1.0 to 1.2, it should affect the Azure resource and be set to TLS 1.2.

Actual Behaviour

After the apply, TLS 1.0 is still configured on the Azure resource.

Steps to Reproduce

  1. Run terraform apply using the initial terraform configuration (using TLS 1.0)
  2. Update the configuration to use TLS 1.2
  3. Run terraform apply and note the update-in-place notice ~ minimum_tls_version = "1.0" -> "1.2"

Important Factoids

No response

References

Issue #17030

xiaxyi commented 8 months ago

Thanks @matthawley for raising this issue, let me try reproducing it and let you know about the progress.

xiaxyi commented 8 months ago

@matthawley I can successfully upgrade the tls version to 1.2 without any problems

Can you enable TF log and try the deployment again and share the logs of the deployment?

Enable TF log by setting the env:

export TF_LOG_PATH=D:/logs/debug.log
export TF_LOG=DEBUG

matthawley commented 8 months ago

@xiaxyi I captured the debug output already, it's in the gist link. I can retry again, though.

matthawley commented 8 months ago

@xiaxyi re-ran things again, while terraform did detect going from 1.0 -> 1.2, it did not update it.

Re-running the apply, again detected it should upgrade from 1.0 -> 1.2.

Updated debug log @ https://gist.github.com/matthawley/9d82e36c55633cfb2bf01870bcba912d

Looking at the logs, it does issue the request to set TLS to 1.2 and we get back a 200 OK from Azure, but the response is still stating TLS is 1.0. So this might be an issue with Azure?

matthawley commented 8 months ago

@xiaxyi My suspicion is that the REST API version being used (2022-01-01-preview) is old and potentially outdated (or not available for my sub)? I can't find documentation on it, but maybe it should be upgraded to use 2024-01-01, which does list minimumTlsVersion as a supported property.

https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/create-or-update?view=rest-eventhub-2024-01-01&tabs=HTTP#ehnamespace

xiaxyi commented 8 months ago

@matthawley are you able to update the property via the Azure portal?

matthawley commented 8 months ago

@xiaxyi yes - and once I do, 1.2 gets sent back and detected so no changes are necessary.

xiaxyi commented 7 months ago

@matthawley I checked the log but couldn't find any request related to the eventhub namespace creation/update like PUT https://management.azure.com/subscriptions/XXX/resourceGroups/xxx/providers/Microsoft.EventHub/namespaces/xxx.

The property minimum_tls_version is available in api version 2022-01-01-preview and I can do the update without any problem.

Can you share the log that contains eventhub namespace creation and let me know the namespace id? Thanks

matthawley commented 7 months ago

@xiaxyi Pulled this from the gist log above

PUT /subscriptions/29948a76-6c12-48ea-a9ab-6b29236bb95c/resourceGroups/matthaw-ex/providers/Microsoft.EventHub/namespaces/matthaw-ex?api-version=2022-01-01-preview HTTP/1.1

{"identity":{"type":"None","userAssignedIdentities":null},"location":"westus2","properties":{"disableLocalAuth":false,"isAutoInflateEnabled":false,"minimumTlsVersion":"1.0","publicNetworkAccess":"Enabled","zoneRedundant":false},"sku":{"capacity":2,"name":"Standard","tier":"Standard"},"tags":{}}

and the update

PATCH /subscriptions/29948a76-6c12-48ea-a9ab-6b29236bb95c/resourceGroups/matthaw-ex/providers/Microsoft.EventHub/namespaces/matthaw-ex?api-version=2022-01-01-preview HTTP/1.1

{"identity":{"type":"None","userAssignedIdentities":null},"location":"westus2","properties":{"disableLocalAuth":false,"isAutoInflateEnabled":false,"minimumTlsVersion":"1.2","publicNetworkAccess":"Enabled","zoneRedundant":false},"sku":{"capacity":2,"name":"Standard","tier":"Standard"},"tags":{}}
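
The symptom reported in this thread (a 200 OK whose body still shows TLS 1.0) is why a post-apply check should compare the returned properties with the requested ones instead of trusting the status code. The Python below is an added example, not code from the provider or from anyone in the thread; the response body, the watched-property list and the function names are constructed for illustration.

```python
import json

# Security-relevant properties to compare; names as they appear in the request body above.
WATCHED = ("minimumTlsVersion", "disableLocalAuth", "publicNetworkAccess")

# PATCH body as quoted in the comment above.
REQUEST_BODY = '{"identity":{"type":"None","userAssignedIdentities":null},"location":"westus2","properties":{"disableLocalAuth":false,"isAutoInflateEnabled":false,"minimumTlsVersion":"1.2","publicNetworkAccess":"Enabled","zoneRedundant":false},"sku":{"capacity":2,"name":"Standard","tier":"Standard"},"tags":{}}'

# Constructed response body modelling the reported behaviour (200 OK, TLS unchanged).
RESPONSE_BODY = '{"properties":{"disableLocalAuth":false,"minimumTlsVersion":"1.0","publicNetworkAccess":"Enabled"}}'


def tls_tuple(version):
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unapplied_properties(request_body, response_body, watched=WATCHED):
    """Return watched properties whose returned value differs from the requested one."""
    sent = json.loads(request_body).get("properties", {})
    got = json.loads(response_body).get("properties", {})
    return {
        key: {"requested": sent[key], "returned": got.get(key)}
        for key in watched
        if key in sent and got.get(key) != sent[key]
    }


def check_update(status_code, request_body, response_body, tls_floor="1.2"):
    """Collect findings for one update call; an empty list means the change took effect."""
    findings = []
    if not 200 <= status_code < 300:
        findings.append(f"HTTP {status_code}")
    for key, d in unapplied_properties(request_body, response_body).items():
        findings.append(f"{key}: requested {d['requested']!r}, returned {d['returned']!r}")
    # A property missing from the response is treated as failing the floor.
    effective = json.loads(response_body).get("properties", {}).get("minimumTlsVersion")
    if effective is None or tls_tuple(effective) < tls_tuple(tls_floor):
        findings.append(f"effective minimumTlsVersion {effective!r} is below {tls_floor}")
    return findings


if __name__ == "__main__":
    for finding in check_update(200, REQUEST_BODY, RESPONSE_BODY):
        print("FAIL:", finding)
```
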

xiaxyi commented 7 months ago

@matthawley Let me check with the Patch API and let you know