Commit 88962fa6 authored by Dzmitry_Paulouski (slb)'s avatar Dzmitry_Paulouski (slb) Committed by Daniel Scholl

Disable TLS1.0, 1.1 on weak cyphers and fix AzureRM Terraform Provider version

parent 365f0f12
......@@ -181,6 +181,12 @@ resource "azurerm_application_gateway" "main" {
name = format("https-%s", local.backend_address_pool_name)
}
ssl_policy {
policy_type = var.ssl_policy_type
cipher_suites = var.ssl_policy_cipher_suites
min_protocol_version = var.ssl_policy_min_protocol_version
}
lifecycle {
ignore_changes = [
ssl_certificate,
......@@ -195,4 +201,4 @@ resource "azurerm_application_gateway" "main" {
url_path_map
]
}
}
\ No newline at end of file
}
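Review bot: The new ssl_policy block always sets cipher_suites and min_protocol_version, which the azurerm provider only accepts for a Custom policy, while the accompanying ssl_policy_type variable advertises Predefined as a valid value; as far as I recall the provider schema, a Predefined policy requires policy_name instead, and the module exposes no input for it, so selecting Predefined would fail at plan time. Either document that only Custom is supported here, or gate the two Custom-only arguments on the type, e.g. `cipher_suites = var.ssl_policy_type == "Custom" ? var.ssl_policy_cipher_suites : null` and likewise for min_protocol_version, and add a policy_name input. The enclosing azurerm_application_gateway resource starts before this hunk.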
......@@ -71,4 +71,22 @@ variable "ssl_certificate_name" {
description = "The Name of the SSL certificate that is unique within this Application Gateway"
type = string
default = "ssl-cert"
}
\ No newline at end of file
}
variable "ssl_policy_type" {
description = "The Type of the Policy. Possible values are Predefined and Custom."
type = string
default = "Custom"
}
variable "ssl_policy_cipher_suites" {
description = "A List of accepted cipher suites."
type = list(string)
default = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}
variable "ssl_policy_min_protocol_version" {
description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
type = string
default = "TLSv1_2"
}
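Review bot: The default list in ssl_policy_cipher_suites orders the ECDSA suites AES-128 first but the RSA suites AES-256 first; if I remember the Application Gateway API correctly, a custom policy applies the suites in the order listed, so the server preference differs between key types for no evident reason. I would order both pairs consistently (strongest first) and state the ordering semantics in the description, e.g. `description = "A List of accepted cipher suites, in order of preference (Custom policy only)."`. The min-version description lists TLSv1_0 and TLSv1_1 as possible values; given the commit's aim, a short note that lowering this below TLSv1_2 re-enables the protocols this change disables would help the next reader. The same defaults are repeated in the root variables.tf hunk at the end of this commit.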
......@@ -20,7 +20,7 @@ locals {
helm_keda_name = "keda"
helm_keda_ns = "keda"
helm_keda_repo = "https://kedacore.github.io/charts"
helm_keda_version = "1.4"
helm_keda_version = "1.4.2"
}
resource "kubernetes_namespace" "keda" {
......@@ -39,4 +39,4 @@ resource "helm_release" "keda" {
namespace = local.helm_keda_ns
depends_on = [kubernetes_namespace.keda]
}
\ No newline at end of file
}
......@@ -38,7 +38,7 @@ terraform {
# Providers
#-------------------------------
provider "azurerm" {
version = "=2.29.0"
version = "=2.33.0"
features {}
}
......@@ -281,11 +281,14 @@ module "appgateway" {
name = local.app_gw_name
resource_group_name = azurerm_resource_group.main.name
vnet_name = module.network.name
vnet_subnet_id = module.network.subnets.0
keyvault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id
keyvault_secret_id = azurerm_key_vault_certificate.default.0.secret_id
ssl_certificate_name = local.ssl_cert_name
vnet_name = module.network.name
vnet_subnet_id = module.network.subnets.0
keyvault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id
keyvault_secret_id = azurerm_key_vault_certificate.default.0.secret_id
ssl_certificate_name = local.ssl_cert_name
ssl_policy_type = var.ssl_policy_type
ssl_policy_cipher_suites = var.ssl_policy_cipher_suites
ssl_policy_min_protocol_version = var.ssl_policy_min_protocol_version
resource_tags = var.resource_tags
}
......
......@@ -244,4 +244,22 @@ variable "gitops_path" {
type = string
description = "(Optional) The path for flux to watch"
default = "providers/azure/hld-registry"
}
\ No newline at end of file
}
variable "ssl_policy_type" {
description = "The Type of the Policy. Possible values are Predefined and Custom."
type = string
default = "Custom"
}
variable "ssl_policy_cipher_suites" {
description = "A List of accepted cipher suites."
type = list(string)
default = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}
variable "ssl_policy_min_protocol_version" {
description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
type = string
default = "TLSv1_2"
}
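Review bot: The three root-level ssl_policy_* variables copy the module's defaults verbatim (the cipher list and the TLSv1_2 floor), and since the module call passes them through unconditionally, the root defaults now shadow the module's own; a future hardening of the module default will silently not apply to this deployment unless both copies are updated. Unless the root needs a policy of its own, I would declare these with `default = null` so that an omitted value falls back to the module's default, as Terraform treats a null input as unset. Otherwise at least name the module as the source of truth in the descriptions so the two copies are kept in sync deliberately.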