nwsde / nwsde-azuretre

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Remove TLS 1.0/1.1 support #21

Closed jonnyry closed 2 months ago

jonnyry commented 6 months ago

TLS 1.0 and 1.1 are considered insecure and should be removed from internet-exposed web endpoints (managed by the App Gateway), leaving TLS 1.2 and above available.

App Gateway TLS config documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

By default, the TRE is using 20150501 and should move to at least 20220101

Current status when scanning the TRE web portal:


jonnyry commented 6 months ago

The Azure App Gateway does not specify a TLS policy version explicitly:

https://github.com/microsoft/AzureTRE/blob/main/core/terraform/appgateway/appgateway.tf

And so relies on the default:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

Defaults:

Given that the Azure resources are created by Terraform, we are reliant on the Azure API version used by the Terraform Azure Provider to determine the above default.

See Terraform Azure Provider ticket relating to this exact issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/23995#issuecomment-1840538128

Therefore, I suggest we explicitly set the TLS policy version in Terraform, to prevent picking up the default.
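One way to pin the policy as suggested above, as an added example that is not the AzureTRE module's own appgateway.tf: the `ssl_policy` block goes inside the existing `azurerm_application_gateway` resource (resource label and the cipher list are placeholders chosen here; the policy names and attribute names are the provider's).

```hcl
# Added example (not the project's code). Only the ssl_policy block is shown;
# the rest of the azurerm_application_gateway resource is left as it is in the repo.
resource "azurerm_application_gateway" "tre" { # "tre" is a placeholder label
  # ... existing name, sku, listeners, routing rules ...

  # Before: no ssl_policy block at all, so the gateway falls back to the
  # default policy for whatever Azure API version the provider happens to use
  # (AppGwSslPolicy20150501 on older API versions, which still allows
  # TLS 1.0 and TLS 1.1).

  # After: pin a predefined policy explicitly. AppGwSslPolicy20220101 sets
  # the minimum protocol version to TLS 1.2, so the default can no longer
  # silently reintroduce the older protocols.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }
}

# Alternative if the cipher list also needs to be pinned: a custom policy
# with the same TLS 1.2 floor (cipher list is an illustrative placeholder).
#
#   ssl_policy {
#     policy_type          = "Custom"
#     min_protocol_version = "TLSv1_2"
#     cipher_suites = [
#       "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
#       "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
#       "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
#       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#     ]
#   }
```

After applying, `terraform plan` should show the `ssl_policy` block as an in-place update rather than a no-op, which confirms the previous state was relying on the default.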

jonnyry commented 2 months ago

Logged upstream https://github.com/microsoft/AzureTRE/issues/3914

jonnyry commented 2 months ago

Fixed in upstream and merged back down