
Support for minimalTlsVersion in azurerm_cosmosdb_account #21295

Open
heller-tobias opened this issue Apr 5, 2023 · 14 comments · Fixed by #24966
Labels
enhancement service/cosmosdb upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking.

Comments

@heller-tobias


Description

I would like to request a new feature for the azurerm_cosmosdb_account in the Azure Resource Manager API. With the release of the 2022-11-15 API version of the Azure Cosmos DB Resource Provider API, it is now possible to set the minimum TLS version for Cosmos DB accounts.

Currently, the only way to set the minimum TLS version is through the Azure API. However, it would be beneficial for users to have the ability to set the minimum TLS value to 1.2 through the azurerm_cosmosdb_account resource.

Although it is a standard for new Cosmos DB accounts to have a minimum TLS version of 1.2 since April 1, 2023, this feature would still be useful for users who have existing Cosmos DB accounts and need to update the minimum TLS version.
Possible values for minimalTlsVersion could be:

  • Tls for setting the minimum version to TLS 1.0.
  • Tls11 for setting the minimum version to TLS 1.1.
  • Tls12 for setting the minimum version to TLS 1.2.

I believe that adding this feature to azurerm_cosmosdb_account would greatly improve the user experience for managing Cosmos DB accounts through the Azure Resource Manager API.

Thank you for considering my feature request.

New or Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_account

Potential Terraform Configuration

resource "azurerm_cosmosdb_account" "db" {
  name                = "tfex-cosmos-db-${random_integer.ri.result}"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  minimalTlsVersion   = "Tls12"
}

References

Azure TLS version enforcement documentation: https://learn.microsoft.com/en-us/azure/cosmos-db/self-serve-minimum-tls-enforcement

@jfilburn

jfilburn commented Apr 6, 2023

I just wanted to give an update that the Azure Portal now allows this setting to be changed, as a quick workaround until TF supports it, if you want to skip using the Azure API.

The setting can be found here:
CosmosDB resource -> Networking -> Connectivity tab

@heller-tobias
Author

Hi @jfilburn
Thank you for the input!
Unfortunately this is not really feasible if you have a lot of Cosmos DB accounts deployed.
Therefore I think it is still a good idea to implement it in TF.

@kkarballof

Any updates on this? I am trying with the below but no luck so far:

resource "azapi_update_resource" "qs101" {
  type      = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  name      = "default"
  parent_id = data.azurerm_cosmosdb_account.cosmos.id

  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
}

@heller-tobias
Author

For me, this worked with the following code:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
  resource_id = COSMOSDBACCOUNT_ID
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })

  depends_on = [
    azurerm_cosmosdb_sql_container.container1
  ]
}

@kkarballof

@heller-tobias
It does work!
thanks
C

@biodrone

biodrone commented Jun 1, 2023

Appreciate the workaround. I'm still very much for your original idea of getting an official argument for it (especially as existing accounts seem to default to TLS 1.0).

@dmdport

dmdport commented Aug 23, 2023

When attempting the above solution, I get the error:
Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi
Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

@heller-tobias
Author

Are you calling the azapi_update_resource within a module? If yes you need to add the provider inside of the module as well.

@dmdport

dmdport commented Aug 24, 2023

I was initially but had moved it out of my module to get around the for_each limitation when declaring providers in child modules. Above error happens even when inside the root module.

@jan-mrm
Contributor

jan-mrm commented Aug 25, 2023

As far as I can see, we would need an update of the provider's API version for the Cosmos API to implement it in the azurerm_cosmosdb_account resource.

@sehgalnamit
Contributor

The reason that the account didn't default to TLS1.2 is that the API version used to submit the request was not the minimum required 2022-11-15 (in this case, it had 2021-10-15). If Terraform doesn't use consistent API versions then it could result in such behavior.

@michasacuer

Any status of that?

@adamsba3

adamsba3 commented Jan 24, 2024

Second check: does this need a PR created to fix it, or should the global version of the API not be 2021-10-15?

Basically does this need a PR to add the field when calling the azure api?

@jackofallops
Member

Hi all, there's an upstream API issue tracking an API bug preventing the support of this property at this time: Azure/azure-rest-api-specs#27596 - When that's resolved, we can take another look.

Thanks!

@jackofallops jackofallops added the upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. label Jan 31, 2024