
TLS 1.2 Default #10276

Closed
ruandersMSFT opened this issue Jan 22, 2021 · 7 comments · Fixed by #15800

Comments

@ruandersMSFT
Contributor

ruandersMSFT commented Jan 22, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform AzureRM Provider v2.44.0

Affected Resource(s)

Full Terraform AzureRM Provider Resources TBD

  • azurerm_storage_account

Expected Behaviour

Preparing for TLS 1.2 in Microsoft Azure was announced in March 2020. Today, one or more Terraform object(s) still default to a TLS version that is lower than 1.2. Terraform objects that do not meet the default value of 1.2 need to increase their security level to this standard.

The scope of this task is phase 1 of a 2-phase effort. This phase (phase 1) is focused on a Terraform code review to identify the Terraform objects that do not meet the default minimum of 1.2 and to add WARNING-only output (temporary / advance warning) of the upcoming suspense date at which point (phase 2) the default TLS value will be raised to the 1.2 standard, to help drive increased security standards. Terraform users will still be able to explicitly define use of a lower TLS version at their discretion (until deprecation), but at the same time the TLS default standard in Terraform must be raised to meet new security baselines.

Azure Active Directory will deprecate TLS 1.0 and 1.1 by June 31, 2021.
Azure Active Directory TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud - March 31, 2021
Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1 - October 30, 2020

Terraform warning output will be implemented as follows: when a default lower than TLS 1.2 is in use, a warning of the near-term increase to a TLS 1.2 default will be emitted (unless a specific lower value is explicitly specified).

Increasing the default value to TLS 1.2 should not linger for more than a handful of Terraform AzureRM Provider releases.

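One way a team can find the storage accounts this issue is about in their own deployments, as an added example rather than code from the provider or the issue author: it walks the JSON that `terraform show -json` emits (assuming its `root_module` / `child_modules` layout) and flags every `azurerm_storage_account` whose `min_tls_version` argument (assumed to take `TLS1_0` / `TLS1_1` / `TLS1_2`) is below `TLS1_2` or absent, so the provider default applies.

```python
"""Audit `terraform show -json` output for azurerm_storage_account resources whose
min_tls_version is below TLS1_2, or absent so that the provider default applies.
Added example, not provider or issue-author code; assumes the provider's
`min_tls_version` argument (TLS1_0 / TLS1_1 / TLS1_2) and the root_module /
child_modules layout that `terraform show -json` emits for state and plan files."""
import json

# Rank so that "below TLS1_2" is a plain comparison; unknown strings rank lowest.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
REQUIRED = "TLS1_2"

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def weak_tls_storage_accounts(doc):
    """Return (address, setting) for each storage account that is not at TLS1_2.
    Works on state (`values`) and plan (`planned_values`) documents."""
    root = (doc.get("values") or doc.get("planned_values") or {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        setting = res.get("values", {}).get("min_tls_version")
        if setting is None:
            # Not recorded at all: whatever the provider defaults to will apply.
            findings.append((res["address"], "unset (provider default)"))
        elif TLS_RANK.get(setting, -1) < TLS_RANK[REQUIRED]:
            findings.append((res["address"], setting))
    return findings

# Constructed sample state (not real infrastructure): only `hardened` complies.
SAMPLE_STATE = json.loads("""{"values": {"root_module": {
  "resources": [
    {"address": "azurerm_storage_account.legacy", "type": "azurerm_storage_account",
     "values": {"name": "legacystor", "min_tls_version": "TLS1_0"}},
    {"address": "azurerm_storage_account.hardened", "type": "azurerm_storage_account",
     "values": {"name": "hardenedstor", "min_tls_version": "TLS1_2"}}],
  "child_modules": [{"address": "module.data", "resources": [
    {"address": "module.data.azurerm_storage_account.implicit",
     "type": "azurerm_storage_account", "values": {"name": "implicitstor"}}]}]}}}""")

if __name__ == "__main__":
    for address, setting in weak_tls_storage_accounts(SAMPLE_STATE):
        print(f"{address}: min_tls_version = {setting}")
```

Run it against `terraform show -json terraform.tfstate` (or a saved plan) by loading that JSON instead of `SAMPLE_STATE`; the fix for each finding is an explicit `min_tls_version = "TLS1_2"` on the resource.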
@tombuildsstuff tombuildsstuff added this to the v3.0.0 milestone Jan 22, 2021
@ruandersMSFT
Contributor Author

ruandersMSFT commented Jan 22, 2021

@tombuildsstuff When is v3.0.0? Increase in values that align with higher call for security should be able to occur over x number of iterations, not only at annual or so "major" releases.

@favoretti
Collaborator

I'm not sure why this is a breaking change either. Changing TLS levels on a storage account doesn't recreate it or anything, so why not just up the default?

@ruandersMSFT
Contributor Author

ruandersMSFT commented Jan 26, 2021

Definitely not a breaking change. The need to increase security levels can and should happen at any given time (i.e. v2.45.0 or v3.00.0 or v19.492.0).

I've done a further test -- An Azure storage account can be reverted back (i.e. a customer can move it from 1.2 to 1.0, although not recommended). As such, this is not a breaking change and should be considered immediately with respect to customer security posture, which should not default to an unrecommended version.

My further observation is that other Terraform objects do not default the TLS variable and actually require users to specify what version of TLS they want. That is my recommended approach here, to make the parameter no longer optional, rather require users to specify what version of TLS they want configured.

I'll submit a PR to make the TLS parameter required, which will resolve this.

Again, this is not a breaking change, and is absolutely an increase in security posture by requiring users to say what version of TLS they want configured on the Azure Storage Account.

@favoretti
Collaborator

Making this parameter required will, in fact, make it a breaking change :)
I'd go 2-step here, default it to v2 in the next release, make it required (aka breaking change) in release N+1 (or 3.0 or whatever).

@johnmart82

Where are things with this discussion and potential for having this included in a future release? As has been mentioned here, switching to 1.2 by default should not be a breaking change while retaining the optional nature of the parameter.

It should also be noted that this default of 1.0 differs from the default behaviour when creating storage accounts via the Azure portal, which defaults to 1.2.

It seems strange that the default is the least secure option given the ease with which TLS 1.0 can be compromised by an attacker.

@github-actions

This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 24, 2022