azurerm_cosmosdb_account add minimal_tls_version #24966

Merged
merged 87 commits into from
Feb 27, 2024
Changes from 86 commits
Commits
1c9050c
upd: added minimal_tls_version to CosmosDB docs
rizkybiz Feb 21, 2024
ab3fdc4
upd: adding functionality to support minimal TLS version
rizkybiz Feb 21, 2024
e8bb996
upd: added tests for minimal tls version
rizkybiz Feb 21, 2024
9ff23ad
azurerm_data_factory - allow the git_url to be blank/empty (#24879)
katbyte Feb 14, 2024
9803cee
Update CHANGELOG.md #24879
katbyte Feb 14, 2024
01bcf16
Including #24830
WodansSon Feb 15, 2024
55aceb6
Updating to include #24830
WodansSon Feb 15, 2024
1d45589
update go-azure-sdk to v0.20240214.1142753 (#24889)
catriona-m Feb 15, 2024
1a0a550
Update CHANGELOG.md #24889
catriona-m Feb 15, 2024
45e9a54
#24282: Support additional_unattend_content part of azurerm_orchestra…
harshavmb Feb 15, 2024
71acbe2
Update CHANGELOG.md #24292
katbyte Feb 15, 2024
7c9bad6
feat: add tag maps to azurerm_key_vault_secrets and azurerm_key_vault…
arylatt Feb 15, 2024
18a7147
Update CHANGELOG.md #24857
katbyte Feb 15, 2024
59f8cab
`kubernetes_cluster_*` - fix tests with ctx deadline (#24886)
catriona-m Feb 15, 2024
ae0dd8b
`azurerm_log_analytics_workspace_table` - Update total_retention_in_d…
mikemadeja Feb 15, 2024
bf4e418
Docs/psql_flexible_server_configuration: update extensions list link …
jhirvioja Feb 15, 2024
9c86ac5
azurerm_log_analytics_workspace_table - set correct max integer value…
WilliamVannuffelen Feb 15, 2024
8eb73d7
`azurerm_vpn_gateway_connection` - Setting sa_data_size_kb to allow 0…
mikemadeja Feb 15, 2024
b985d8b
`azurerm_search_service` - fix error when updating various fields (#2…
mbfrahry Feb 15, 2024
15fa666
Update CHANGELOG.md for #24903
mbfrahry Feb 15, 2024
0a819f3
#24358: Support vm_template for azurerm_virtual_desktop_host_pool res…
harshavmb Feb 16, 2024
8045592
Update CHANGELOG.md #24369
katbyte Feb 16, 2024
340b548
`azurerm_cost_anomaly_alert` - Support for scoping alert to a specifi…
daniel-edwards-nz Feb 16, 2024
3780c81
Update CHANGELOG.md #24258
katbyte Feb 16, 2024
3f153ac
Update CHANGELOG.md
katbyte Feb 16, 2024
62e4f4f
v3.92.0
katbyte Feb 16, 2024
fac827b
r/key_vault: conditionally polling the Data Plane endpoint when `publ…
tombuildsstuff Feb 16, 2024
f62f607
Update CHANGELOG.md #23823
katbyte Feb 16, 2024
0d650c1
Update postgresql_flexible_server_database info text about naming con…
jhirvioja Feb 16, 2024
d10b679
dependencies: updating to v0.20240215.1143935 of `github.com/hashicor…
catriona-m Feb 16, 2024
1ce8844
Update CHANGELOG.md #24912
catriona-m Feb 16, 2024
b30bcd5
#24317: Support preferred_data_persistence_auth_method for azurerm_re…
harshavmb Feb 16, 2024
35c6066
Update CHANGELOG.md #24370
catriona-m Feb 16, 2024
bebfaab
`azurerm_kusto_cluster` - update `optimized_auto_scale `after `sku` h…
mbfrahry Feb 16, 2024
c316f92
Update CHANGELOG.md for #24906
mbfrahry Feb 16, 2024
787f259
#24910: Use ParseFirewallPolicyIDInsensitively for parsing API respon…
harshavmb Feb 17, 2024
67cc29b
Result of tsccr-helper -log-level=info gha update . (#24925)
hashicorp-tsccr[bot] Feb 19, 2024
e466940
Move code examples azurerm_sql_server -> azurerm_mssql_server (#24917)
codycodes Feb 19, 2024
ac6f11e
`azurerm_storage_account` - CMK allows `SystemAssigned, UserAssigned`…
magodo Feb 19, 2024
d673b25
Update CHANGELOG.md #24923
catriona-m Feb 19, 2024
0c3459d
`azurerm_spring_cloud_configuration_service` - switch to pandora sdk …
ms-henglu Feb 19, 2024
1fdaaa7
Update CHANGELOG.md #24918
catriona-m Feb 19, 2024
3ce1f01
`azurerm_cognitive_deployment` - Make `version_upgrade_option` updata…
lonegunmanb Feb 20, 2024
b90ff89
Update CHANGELOG.md #24922
katbyte Feb 20, 2024
787f22a
`azurerm_data_protection_backup_vault` : support `soft_delete` and `r…
sinbai Feb 20, 2024
c3cfff6
Update CHANGELOG.md #24775
katbyte Feb 20, 2024
bf22d8e
`azurerm_servicebus_namespace` - support for the `premium_messaging_p…
xiaxyi Feb 20, 2024
63b6b44
Update CHANGELOG.md #24676
katbyte Feb 20, 2024
0b200ca
`azurerm_storage_account` - Fix acctest `TestAccAzureRMStorageAccount…
magodo Feb 20, 2024
7be7e69
`azurerm_storage_account` - Refactoring the `Update` function to be G…
magodo Feb 20, 2024
a8cd578
Update CHANGELOG.md #23935
katbyte Feb 20, 2024
155fb35
New Resource: `azurerm_dev_center_catalog` (#24833)
jiaweitao001 Feb 20, 2024
3289b87
Update CHANGELOG.md #24833
katbyte Feb 20, 2024
3d9f023
`azurerm_security_center_setting` - fix a bug when name `SENTINEL` (#…
ziyeqf Feb 20, 2024
c88058d
Update CHANGELOG.md #24497
katbyte Feb 20, 2024
71b01f5
New Resource: `azurerm_system_center_virtual_machine_manager_server` …
neil-yechenwei Feb 20, 2024
e31c633
Update CHANGELOG.md #24278
katbyte Feb 20, 2024
e8aaa9c
`azurerm_storage_account` - improve validation around the `immutabili…
magodo Feb 20, 2024
6981988
Update CHANGELOG.md #24938
katbyte Feb 20, 2024
605644f
#24902: disk_size_gb and lun parameters of data_disks are optional no…
harshavmb Feb 20, 2024
381fe4f
Update CHANGELOG.md #24944
katbyte Feb 20, 2024
fe0c063
`azurerm_cosmosdb_account` - support new property `backup.tier` (#24595)
neil-yechenwei Feb 20, 2024
34b0aa4
Update CHANGELOG.md #24595
katbyte Feb 20, 2024
98b1d7f
`azurerm_linux_virtual_machine_scale_set`, `azurerm_windows_virtual_m…
ms-zhenhua Feb 20, 2024
5a2b3c8
Update CHANGELOG.md #24939
katbyte Feb 20, 2024
ec0c09b
`azurerm_key_vault_certificate`: do not create a new certificate vers…
wuxu92 Feb 20, 2024
acf73e0
Update CHANGELOG.md #24755
katbyte Feb 20, 2024
e6a5c40
`azurerm_data_factory_pipeline`: fix `headers` acceptable value (#24921)
ziyeqf Feb 20, 2024
5635fac
Update CHANGELOG.md #24921
katbyte Feb 20, 2024
2985be8
azurerm_nginx_deployment - changing sku now creates a new resource (#…
puneetsarna Feb 20, 2024
76f7c61
Update CHANGELOG.md #24905
katbyte Feb 20, 2024
eefec1c
New feature flag `reimage_on_manual_upgrade` for `virtual_machine_sca…
myc2h6o Feb 20, 2024
a85f7ab
Update CHANGELOG.md #22975
katbyte Feb 20, 2024
2201135
`azurerm_linux_virtual_machine`,`azurerm_windows_virtual_machine` - S…
ms-zhenhua Feb 20, 2024
0a3f809
Update CHANGELOG.md #24768
katbyte Feb 20, 2024
07a2466
`azurerm_container_registry_token_password` - Document update for `ex…
magodo Feb 21, 2024
5685dea
`azurerm_system_center_virtual_machine_manager_server` - update NewCl…
neil-yechenwei Feb 21, 2024
19b8e8c
Merge branch 'hashicorp:main' into minimal-tls-version
rizkybiz Feb 21, 2024
dead4d6
upd: fix linting for azurerm_cosmosdb_account tests
rizkybiz Feb 21, 2024
a5d3f32
upd: fixing the restore test for newer versions of mongodb
rizkybiz Feb 22, 2024
212a96b
upd: trying to get everything working
rizkybiz Feb 22, 2024
3fe589b
upd: undoing some changes with poor choices
rizkybiz Feb 22, 2024
fd5816d
Merge branch 'main' into minimal-tls-version
bruceharrison1984 Feb 27, 2024
1d08aca
add todo
bruceharrison1984 Feb 27, 2024
1fc55a3
add some fixes
bruceharrison1984 Feb 27, 2024
db01d50
ignore index values within test
bruceharrison1984 Feb 27, 2024
6ea8757
restore original value
bruceharrison1984 Feb 27, 2024
23 changes: 22 additions & 1 deletion internal/services/cosmos/cosmosdb_account_resource.go
Expand Up @@ -242,6 +242,15 @@ func resourceCosmosDbAccount() *pluginsdk.Resource {
},
},

// TODO: 4.0 - set the default to Tls12
// per Microsoft's documentation, as of April 1 2023 the default minimal TLS version for all new accounts is 1.2
Member

Can we add a todo for 4.0 to add this in as a default?

Contributor

done

"minimal_tls_version": {
Type: pluginsdk.TypeString,
Optional: true,
Computed: true,
ValidateFunc: validation.StringInSlice(cosmosdb.PossibleValuesForMinimalTlsVersion(), false),
},

"create_mode": {
Type: pluginsdk.TypeString,
Optional: true,
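Review bot: `minimal_tls_version` is declared with `Optional: true` and `Computed: true` and no `Default`, so when the argument is omitted, or later removed from configuration, the provider keeps whatever the service reports and an account left at `Tls` or `Tls11` never produces a diff. Until the 4.0 default named in the TODO lands, state this behaviour in the attribute's documentation, and extend the TODO to say that `Computed` should be dropped when the `Tls12` default is added.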
Expand Down Expand Up @@ -852,6 +861,7 @@ func resourceCosmosDbAccountCreate(d *pluginsdk.ResourceData, meta interface{})
ConsistencyPolicy: expandAzureRmCosmosDBAccountConsistencyPolicy(d),
Locations: geoLocations,
Capabilities: capabilities,
MinimalTlsVersion: pointer.To(cosmosdb.MinimalTlsVersion(d.Get("minimal_tls_version").(string))),
VirtualNetworkRules: expandAzureRmCosmosDBAccountVirtualNetworkRules(d),
EnableMultipleWriteLocations: utils.Bool(enableMultipleWriteLocations),
EnablePartitionMerge: pointer.To(partitionMergeEnabled),
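Review bot: in the create payload, `d.Get("minimal_tls_version").(string)` is the empty string when the argument is not configured, so `MinimalTlsVersion` is sent as a pointer to `""` rather than left nil. Set the field only when the value is non-empty, so that an unset argument leaves the choice to the service, which is what `Computed: true` in the schema implies.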
Expand Down Expand Up @@ -929,6 +939,15 @@ func resourceCosmosDbAccountCreate(d *pluginsdk.ResourceData, meta interface{})
return fmt.Errorf("creating %s: %+v", id, err)
}

// NOTE: this is to work around the issue here: https://github.com/Azure/azure-rest-api-specs/issues/27596
// Once the above issue is resolved we shouldn't need this check and update anymore
if d.Get("create_mode").(string) == string(cosmosdb.CreateModeRestore) {
Member

Is it easy to add a test for this? I think it might be better to pull this out into its own PR

Contributor

bruceharrison1984 Feb 27, 2024

It would be difficult to pull out into its own PR because it requires minimal_tls_version to be implemented first, otherwise the check wouldn't have purpose. The check just re-sends the original payload so that the TLS version is set correctly on the backend.

It's kind of a chicken/egg scenario, since without Minimal TLS, there's no action to be taken because the value won't be in the state.

So far as writing a test, I believe it might be possible (checking state twice within a single action?), but we would be checking for the presence of a bug. It would just be checking that the TLS version was first incorrectly set, then correctly set. This might work, but as soon as MS fixes it on their end, that test would break.

err = resourceCosmosDbAccountApiCreateOrUpdate(client, ctx, id, account, d)
if err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}
}

d.SetId(id.ID())

return resourceCosmosDbAccountRead(d, meta)
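Review bot: the restore workaround returns before `d.SetId(id.ID())` when the second `resourceCosmosDbAccountApiCreateOrUpdate` call fails, although the create call above it has already succeeded, so the restored account would exist without being recorded in state. Move `d.SetId(id.ID())` above the `create_mode` check, or set the ID before returning the `updating %s` error. Gating the block on `minimal_tls_version` being set would also avoid a second update on restores that have nothing to correct.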
Expand Down Expand Up @@ -1051,7 +1070,7 @@ func resourceCosmosDbAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
"capacity", "create_mode", "restore", "key_vault_key_id", "mongo_server_version",
"public_network_access_enabled", "ip_range_filter", "offer_type", "is_virtual_network_filter_enabled",
"kind", "tags", "enable_free_tier", "enable_automatic_failover", "analytical_storage_enabled",
"local_authentication_disabled", "partition_merge_enabled") {
"local_authentication_disabled", "partition_merge_enabled", "minimal_tls_version") {
updateRequired = true
}

Expand Down Expand Up @@ -1085,6 +1104,7 @@ func resourceCosmosDbAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
IsVirtualNetworkFilterEnabled: isVirtualNetworkFilterEnabled,
EnableFreeTier: enableFreeTier,
EnableAutomaticFailover: enableAutomaticFailover,
MinimalTlsVersion: pointer.To(cosmosdb.MinimalTlsVersion(d.Get("minimal_tls_version").(string))),
Capabilities: capabilities,
ConsistencyPolicy: expandAzureRmCosmosDBAccountConsistencyPolicy(d),
Locations: cosmosLocations,
Expand Down Expand Up @@ -1381,6 +1401,7 @@ func resourceCosmosDbAccountRead(d *pluginsdk.ResourceData, meta interface{}) er
d.Set("analytical_storage_enabled", props.EnableAnalyticalStorage)
d.Set("public_network_access_enabled", pointer.From(props.PublicNetworkAccess) == cosmosdb.PublicNetworkAccessEnabled)
d.Set("default_identity_type", props.DefaultIdentity)
d.Set("minimal_tls_version", pointer.From(props.MinimalTlsVersion))
d.Set("create_mode", pointer.From(props.CreateMode))
d.Set("partition_merge_enabled", pointer.From(props.EnablePartitionMerge))

65 changes: 64 additions & 1 deletion internal/services/cosmos/cosmosdb_account_resource_test.go
Expand Up @@ -224,6 +224,28 @@ func TestAccCosmosDBAccount_updateTagsWithUserAssignedDefaultIdentity(t *testing
})
}

func TestAccCosmosDBAccount_minimalTlsVersion(t *testing.T) {
Member

This value is update-able so we should test update in this test

Contributor

Added a test for updates

data := acceptance.BuildTestData(t, "azurerm_cosmosdb_account", "test")
r := CosmosDBAccountResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.basicMinimalTlsVersion(data, cosmosdb.MinimalTlsVersionTls),
Check: acceptance.ComposeAggregateTestCheckFunc(
check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls"),
),
},
data.ImportStep(),
{
Config: r.basicMinimalTlsVersion(data, cosmosdb.MinimalTlsVersionTlsOneOne),
Check: acceptance.ComposeAggregateTestCheckFunc(
check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls11"),
),
},
data.ImportStep(),
})
}

func TestAccCosmosDBAccount_updateDefaultIdentity(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_cosmosdb_account", "test")
r := CosmosDBAccountResource{}
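Review bot: `TestAccCosmosDBAccount_minimalTlsVersion` only steps from `Tls` to `Tls11`, so an update to `Tls12`, the strongest value the attribute accepts, is never exercised in this test. Add a third step that sets `Tls12` and checks `HasValue("Tls12")`, followed by `data.ImportStep()`, so the hardening path users are expected to take is covered outside the restore test.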
Expand Down Expand Up @@ -1295,6 +1317,7 @@ func TestAccCosmosDBAccount_restoreCreateMode(t *testing.T) {
Config: r.restoreCreateMode(data, cosmosdb.DatabaseAccountKindMongoDB, cosmosdb.DefaultConsistencyLevelSession),
Check: acceptance.ComposeAggregateTestCheckFunc(
checkAccCosmosDBAccount_basic(data, cosmosdb.DefaultConsistencyLevelSession, 1),
check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls12"),
),
},
data.ImportStep(),
Expand Down Expand Up @@ -1452,6 +1475,37 @@ resource "azurerm_cosmosdb_account" "test" {
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, string(kind), string(consistency))
}

func (CosmosDBAccountResource) basicMinimalTlsVersion(data acceptance.TestData, tls cosmosdb.MinimalTlsVersion) string {
return fmt.Sprintf(`
provider "azurerm" {
features {}
}

resource "azurerm_resource_group" "test" {
name = "acctestRG-cosmos-%d"
location = "%s"
}

resource "azurerm_cosmosdb_account" "test" {
name = "acctest-ca-%d"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
offer_type = "Standard"
kind = "GlobalDocumentDB"
minimal_tls_version = "%s"

consistency_policy {
consistency_level = "Eventual"
}

geo_location {
location = azurerm_resource_group.test.location
failover_priority = 0
}
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, string(tls))
}

func (CosmosDBAccountResource) basicMongoDB(data acceptance.TestData, consistency cosmosdb.DefaultConsistencyLevel) string {
return fmt.Sprintf(`
provider "azurerm" {
Expand Down Expand Up @@ -4133,6 +4187,7 @@ resource "azurerm_cosmosdb_account" "test1" {
resource_group_name = azurerm_resource_group.test.name
offer_type = "Standard"
kind = "MongoDB"
minimal_tls_version = "Tls12"

capabilities {
name = "EnableMongo"
Expand Down Expand Up @@ -4166,7 +4221,15 @@ resource "azurerm_cosmosdb_mongo_collection" "test" {

index {
keys = ["_id"]
unique = true
Member

Can you share why this was flipped from true to false? It looks like the following is needed but I'm wondering why this needed to be flipped in the first place

 // indices can cause test to be inconsistent
  // I believe there is a bug within the azurerm_cosmosdb_mongo_collection that causes inconsistent results on read
  lifecycle {
    ignore_changes = [
      index
    ]

Contributor

My mistake for altering the original value.

In the context of the test, it doesn't make a difference. The test itself fails due to `azurerm_cosmosdb_mongo_collection` flagging changes on the indices during the import phase. This occurs whether set to true or false.

        Terraform will perform the following actions:
        
          # azurerm_cosmosdb_mongo_collection.test will be updated in-place
          ~ resource "azurerm_cosmosdb_mongo_collection" "test" {
                id                     = "/subscriptions/...."
                name                   = "acctest-mongodb-coll-240227125500374571"
                # (6 unchanged attributes hidden)
        
              - index {
                  - keys   = [
                      - "_id",
                    ] -> null
                  - unique = true -> null
                }
              + index {
                  + keys   = [
                      + "_id",
                    ]
                  + unique = false
                }
            }

I know @rizkybiz as well as @katbyte both ran into issues on this particular test as well.

Risking this PR becoming stuck due to another resource misbehaving, I opted to ignore the changing property.

Member

So weird! But it does look like it's not failing because of these changes! Thanks for following up!

unique = false
}

// indices can cause test to be inconsistent
// I believe there is a bug within the azurerm_cosmosdb_mongo_collection that causes inconsistent results on read
lifecycle {
ignore_changes = [
index
]
}
}

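Review bot: `ignore_changes = [index]` on `azurerm_cosmosdb_mongo_collection.test` hides every index diff in this restore test, including the `unique` value that this same hunk changes from `true` to `false`, so the test can no longer catch a real index regression. Keep `unique = true` as it was, and reference a tracking issue in the comment above the `lifecycle` block so the exclusion can be removed once the suspected read bug is fixed.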
2 changes: 2 additions & 0 deletions website/docs/r/cosmosdb_account.html.markdown
Expand Up @@ -114,6 +114,8 @@ The following arguments are supported:

* `tags` - (Optional) A mapping of tags to assign to the resource.

* `minimal_tls_version` - (Optional) Specifies the minimal TLS version for the CosmosDB account. Possible values are: `Tls`, `Tls11`, and `Tls12`. Defaults to `Tls12`.

* `offer_type` - (Required) Specifies the Offer Type to use for this CosmosDB Account; currently, this can only be set to `Standard`.

* `analytical_storage` - (Optional) An `analytical_storage` block as defined below.
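Review bot: the new `minimal_tls_version` entry says "Defaults to `Tls12`", but the schema in `cosmosdb_account_resource.go` sets no `Default`; the attribute is `Optional` and `Computed`, with a TODO to default to `Tls12` in 4.0. Reword the entry to say that the value is taken from the service when the argument is omitted, and recommend setting `Tls12` explicitly.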