Commit a54f8025 authored by Daniel Scholl's avatar Daniel Scholl

Merge branch 'issue18_disable_old_tls_and_weak_cyphers' into 'master'

Disable TLS 1.0 and 1.1 and weak ciphers, and fix the AzureRM Terraform provider version

See merge request osdu/platform/deployment-and-operations/infra-azure-provisioning!43
parents 15dd7fa5 88962fa6
...@@ -181,6 +181,12 @@ resource "azurerm_application_gateway" "main" { ...@@ -181,6 +181,12 @@ resource "azurerm_application_gateway" "main" {
name = format("https-%s", local.backend_address_pool_name) name = format("https-%s", local.backend_address_pool_name)
} }
ssl_policy {
policy_type = var.ssl_policy_type
cipher_suites = var.ssl_policy_cipher_suites
min_protocol_version = var.ssl_policy_min_protocol_version
}
lifecycle { lifecycle {
ignore_changes = [ ignore_changes = [
ssl_certificate, ssl_certificate,
...@@ -195,4 +201,4 @@ resource "azurerm_application_gateway" "main" { ...@@ -195,4 +201,4 @@ resource "azurerm_application_gateway" "main" {
url_path_map url_path_map
] ]
} }
} }
\ No newline at end of file
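Review bot: The new `ssl_policy` block sets only `policy_type`, `cipher_suites` and `min_protocol_version`, while the variable feeding `policy_type` advertises `Predefined` as a valid value; in the azurerm provider a predefined policy is selected by `policy_name`, which this block never sets, so a caller who picks `Predefined` has no way to name the policy and the plan will most likely be rejected. Either add an `ssl_policy_name` variable and set `policy_name = var.ssl_policy_name` in the block, or restrict `ssl_policy_type` to `Custom` where it is declared. The enclosing `azurerm_application_gateway.main` resource starts before the hunk, and its `lifecycle.ignore_changes` list continues past it; it is worth confirming that list does not contain `ssl_policy`, since that would silently discard these settings on later applies.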
...@@ -71,4 +71,22 @@ variable "ssl_certificate_name" { ...@@ -71,4 +71,22 @@ variable "ssl_certificate_name" {
description = "The Name of the SSL certificate that is unique within this Application Gateway" description = "The Name of the SSL certificate that is unique within this Application Gateway"
type = string type = string
default = "ssl-cert" default = "ssl-cert"
} }
\ No newline at end of file
variable "ssl_policy_type" {
description = "The Type of the Policy. Possible values are Predefined and Custom."
type = string
default = "Custom"
}
variable "ssl_policy_cipher_suites" {
description = "A List of accepted cipher suites."
type = list(string)
default = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}
variable "ssl_policy_min_protocol_version" {
description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
type = string
default = "TLSv1_2"
}
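Review bot: `ssl_policy_min_protocol_version` documents `TLSv1_0` and `TLSv1_1` as accepted values, so an operator can re-enable exactly the protocol versions this merge sets out to disable with a single override, and nothing in the module catches it. If the project is on Terraform 0.13 or later, a `validation` block on the variable turns that into a plan-time error instead of a silently weakened listener; the same applies to `ssl_policy_type`, which should reject anything but `Custom` as long as the module passes no `policy_name`. The identical three variables are declared again in the root `variables.tf` hunk further down this commit, so any validation or default change needs to be mirrored there to avoid the two copies drifting apart.
```hcl
variable "ssl_policy_min_protocol_version" {
  description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
  type        = string
  default     = "TLSv1_2"
  validation {
    condition     = var.ssl_policy_min_protocol_version == "TLSv1_2"
    error_message = "Only TLSv1_2 is permitted; TLS 1.0 and 1.1 are intentionally disabled."
  }
}
```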
...@@ -38,7 +38,7 @@ terraform { ...@@ -38,7 +38,7 @@ terraform {
# Providers # Providers
#------------------------------- #-------------------------------
provider "azurerm" { provider "azurerm" {
version = "=2.29.0" version = "=2.33.0"
features {} features {}
} }
...@@ -281,11 +281,14 @@ module "appgateway" { ...@@ -281,11 +281,14 @@ module "appgateway" {
name = local.app_gw_name name = local.app_gw_name
resource_group_name = azurerm_resource_group.main.name resource_group_name = azurerm_resource_group.main.name
vnet_name = module.network.name vnet_name = module.network.name
vnet_subnet_id = module.network.subnets.0 vnet_subnet_id = module.network.subnets.0
keyvault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id keyvault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id
keyvault_secret_id = azurerm_key_vault_certificate.default.0.secret_id keyvault_secret_id = azurerm_key_vault_certificate.default.0.secret_id
ssl_certificate_name = local.ssl_cert_name ssl_certificate_name = local.ssl_cert_name
ssl_policy_type = var.ssl_policy_type
ssl_policy_cipher_suites = var.ssl_policy_cipher_suites
ssl_policy_min_protocol_version = var.ssl_policy_min_protocol_version
resource_tags = var.resource_tags resource_tags = var.resource_tags
} }
...@@ -244,4 +244,22 @@ variable "gitops_path" { ...@@ -244,4 +244,22 @@ variable "gitops_path" {
type = string type = string
description = "(Optional) The path for flux to watch" description = "(Optional) The path for flux to watch"
default = "providers/azure/hld-registry" default = "providers/azure/hld-registry"
} }
\ No newline at end of file
variable "ssl_policy_type" {
description = "The Type of the Policy. Possible values are Predefined and Custom."
type = string
default = "Custom"
}
variable "ssl_policy_cipher_suites" {
description = "A List of accepted cipher suites."
type = list(string)
default = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}
variable "ssl_policy_min_protocol_version" {
description = "The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2"
type = string
default = "TLSv1_2"
}