Disable TLS1.0, 1.1 on weak cyphers and fix AzureRM Terraform Provider version

88962fa6 · Dzmitry_Paulouski (slb) · Daniel Scholl · 365f0f12 · 88962fa6 · 88962fa6
Commit 88962fa6 authored Oct 27, 2020 by Dzmitry_Paulouski (slb) Committed by Daniel Scholl Oct 27, 2020
--- a/infra/modules/providers/azure/appgw/main.tf
+++ b/infra/modules/providers/azure/appgw/main.tf
@@ -181,6 +181,12 @@ resource "azurerm_application_gateway" "main" {
    name = format("https-%s", local.backend_address_pool_name)
  }

+  ssl_policy {
+    policy_type          = var.ssl_policy_type
+    cipher_suites        = var.ssl_policy_cipher_suites
+    min_protocol_version = var.ssl_policy_min_protocol_version
+  }
+
  lifecycle {
    ignore_changes = [
      ssl_certificate,
@@ -195,4 +201,4 @@ resource "azurerm_application_gateway" "main" {
      url_path_map
    ]
  }
-}
\ No newline at end of file
+}
--- a/infra/modules/providers/azure/appgw/variables.tf
+++ b/infra/modules/providers/azure/appgw/variables.tf
@@ -71,4 +71,22 @@ variable "ssl_certificate_name" {
  description = "The Name of the SSL certificate that is unique within this Application Gateway"
  type        = string
  default     = "ssl-cert"
-}
\ No newline at end of file
+}
+
+variable "ssl_policy_type" {
+  description = "The Type of the Policy. Possible values are Predefined and Custom."
+  type        = string
+  default     = "Custom"
+}
+
+variable "ssl_policy_cipher_suites" {
+  description = "A List of accepted cipher suites."
+  type        = list(string)
+  default     = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
+}
+
+variable "ssl_policy_min_protocol_version" {
+  description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
+  type        = string
+  default     = "TLSv1_2"
+}
--- a/infra/templates/osdu-r3-mvp/service_resources/helm_keda.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/helm_keda.tf
@@ -20,7 +20,7 @@ locals {
  helm_keda_name    = "keda"
  helm_keda_ns      = "keda"
  helm_keda_repo    = "https://kedacore.github.io/charts"
-  helm_keda_version = "1.4"
+  helm_keda_version = "1.4.2"
 }

 resource "kubernetes_namespace" "keda" {
@@ -39,4 +39,4 @@ resource "helm_release" "keda" {
  namespace  = local.helm_keda_ns

  depends_on = [kubernetes_namespace.keda]
-}
\ No newline at end of file
+}
--- a/infra/templates/osdu-r3-mvp/service_resources/main.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/main.tf
@@ -38,7 +38,7 @@ terraform {
 # Providers
 #-------------------------------
 provider "azurerm" {
-  version = "=2.29.0"
+  version = "=2.33.0"
  features {}
 }

@@ -281,11 +281,14 @@ module "appgateway" {
  name                = local.app_gw_name
  resource_group_name = azurerm_resource_group.main.name

-  vnet_name            = module.network.name
-  vnet_subnet_id       = module.network.subnets.0
-  keyvault_id          = data.terraform_remote_state.central_resources.outputs.keyvault_id
-  keyvault_secret_id   = azurerm_key_vault_certificate.default.0.secret_id
-  ssl_certificate_name = local.ssl_cert_name
+  vnet_name                       = module.network.name
+  vnet_subnet_id                  = module.network.subnets.0
+  keyvault_id                     = data.terraform_remote_state.central_resources.outputs.keyvault_id
+  keyvault_secret_id              = azurerm_key_vault_certificate.default.0.secret_id
+  ssl_certificate_name            = local.ssl_cert_name
+  ssl_policy_type                 = var.ssl_policy_type
+  ssl_policy_cipher_suites        = var.ssl_policy_cipher_suites
+  ssl_policy_min_protocol_version = var.ssl_policy_min_protocol_version

  resource_tags = var.resource_tags
 }

--- a/infra/templates/osdu-r3-mvp/service_resources/variables.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/variables.tf
@@ -244,4 +244,22 @@ variable "gitops_path" {
  type        = string
  description = "(Optional) The path for flux to watch"
  default     = "providers/azure/hld-registry"
-}
\ No newline at end of file
+}
+
+variable "ssl_policy_type" {
+  description = "The Type of the Policy. Possible values are Predefined and Custom."
+  type        = string
+  default     = "Custom"
+}
+
+variable "ssl_policy_cipher_suites" {
+  description = "A List of accepted cipher suites."
+  type        = list(string)
+  default     = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
+}
+
+variable "ssl_policy_min_protocol_version" {
+  description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
+  type        = string
+  default     = "TLSv1_2"
+}