microsoft / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Remove TLS1.0/1.1 support #3914

Closed jonnyry closed 2 months ago

jonnyry commented 2 months ago

Scanning the Azure TRE web portal shows TLS1.0 & 1.1 are enabled:

(screenshot of the scan results)

TLS 1.0 and 1.1 are generally considered insecure and should be removed from internet exposed web endpoints (managed by the App Gateway), leaving TLS 1.2 and above available.

App Gateway TLS config documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

By default, the TRE is using 20150501 and should move to at least 20220101

The Azure App Gateway does not specify a TLS policy version explicitly:

https://github.com/microsoft/AzureTRE/blob/main/core/terraform/appgateway/appgateway.tf

And so relies on the default:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

Defaults:

20150501 for Az API version < 2023-02-01
20220101 for Az API version >= 2023-02-01

Given Azure resources are created by Terraform, we are reliant on the Azure API version used by the Terraform Azure Provider to determine the above default. Terraform does not easily reveal which API version it is using under the hood.

See Terraform Azure Provider ticket relating to this exact issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/23995#issuecomment-1840538128

Therefore, I suggest we explicitly set the TLS policy version in Terraform, to prevent picking up the default.
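What pinning the policy looks like in the azurerm provider, as an added example that is not the AzureTRE repository's own `appgateway.tf` and not part of this issue: a minimal `azurerm_application_gateway` with an HTTPS listener and an explicit `ssl_policy` block. The resource name, variables, listener and backend settings are placeholders; the only security-relevant part is the `ssl_policy` block, which selects the predefined `AppGwSslPolicy20220101` policy instead of leaving the choice to whatever default the provider's API version happens to apply.

```hcl
# Added example, not AzureTRE project code. Every name and variable below is a
# placeholder standing in for the real values in core/terraform/appgateway.
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "appgw_subnet_id"     { type = string }
variable "public_ip_id"        { type = string }
variable "appgw_identity_id"   { type = string } # user-assigned identity that can read the cert
variable "tls_cert_secret_id"  { type = string } # Key Vault secret id of the TLS certificate

resource "azurerm_application_gateway" "example" {
  name                = "agw-example"
  resource_group_name = var.resource_group_name
  location            = var.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [var.appgw_identity_id]
  }

  gateway_ip_configuration {
    name      = "gateway-ip-config"
    subnet_id = var.appgw_subnet_id
  }

  frontend_ip_configuration {
    name                 = "frontend-public"
    public_ip_address_id = var.public_ip_id
  }

  frontend_port {
    name = "port-443"
    port = 443
  }

  ssl_certificate {
    name                = "tls-cert"
    key_vault_secret_id = var.tls_cert_secret_id
  }

  # The fix for this issue: state the TLS policy explicitly so the gateway never
  # inherits the API default (20150501 for API versions before 2023-02-01, which
  # still accepts TLS 1.0 and 1.1). AppGwSslPolicy20220101 requires TLS 1.2+.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }

  backend_address_pool {
    name = "backend-pool"
  }

  backend_http_settings {
    name                  = "backend-https"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 60
  }

  http_listener {
    name                           = "listener-https"
    frontend_ip_configuration_name = "frontend-public"
    frontend_port_name             = "port-443"
    protocol                       = "Https"
    ssl_certificate_name           = "tls-cert"
  }

  request_routing_rule {
    name                       = "rule-https"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "listener-https"
    backend_address_pool_name  = "backend-pool"
    backend_http_settings_name = "backend-https"
  }
}
```

When adding only the `ssl_policy` block to an existing gateway, review the `terraform plan` output to confirm that the policy is the sole change before applying. After the apply, re-run the same external scan that produced the finding above; a TLS 1.0 or 1.1 handshake attempt against the portal's listener should now be refused while TLS 1.2 continues to succeed.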

jonnyry commented 2 months ago

View from the App Gateway in the Azure Portal:

(screenshot of the App Gateway TLS policy in the Azure Portal)

tim-allen-ck commented 2 months ago

@jonnyry are you able to do a PR, if not we will get the work scheduled. Thanks.

jonnyry commented 2 months ago

@tim-allen-ck Happy to do a PR if you are in agreement that AppGwSslPolicy20220101 would be appropriate?

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#predefined-tls-policy

tim-allen-ck commented 2 months ago

Yes, AppGwSslPolicy20220101 is fine.

jonnyry commented 2 months ago

@tim-allen-ck PR tested & submitted