Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_storage_account - Support for min_tls_version #7879

Merged
merged 13 commits into from
Aug 6, 2020
Merged

azurerm_storage_account - Support for min_tls_version #7879

merged 13 commits into from
Aug 6, 2020

Conversation

giotab
Copy link
Contributor

@giotab giotab commented Jul 23, 2020

set the min_tls_version when creating a storage account.

This closes #7778, closes #7966.

Copy link
Collaborator

@magodo magodo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @giotab Thanks for this PR!
I've taken a look through and left some comments inline, but this is mostly looking good to me 👍

@ghost ghost added size/M and removed size/L labels Jul 31, 2020
@magodo
Copy link
Collaborator

magodo commented Aug 6, 2020

Hey @giotab
The change is LGTM now. Whilst there seems to be some test failures:

=== RUN   TestAccAzureRMStorageAccount_writeLock
=== PAUSE TestAccAzureRMStorageAccount_writeLock
=== CONT  TestAccAzureRMStorageAccount_writeLock
--- FAIL: TestAccAzureRMStorageAccount_writeLock (71.81s)
=== RUN   TestAccAzureRMStorageAccount_minTLSVersion
=== PAUSE TestAccAzureRMStorageAccount_minTLSVersion
=== CONT  TestAccAzureRMStorageAccount_minTLSVersion
--- FAIL: TestAccAzureRMStorageAccount_minTLSVersion (204.07s)

Once that is addressed, we shall be ready to merge it 🚀

@giotab
Copy link
Contributor Author

giotab commented Aug 6, 2020

Hey @giotab
The change is LGTM now. Whilst there seems to be some test failures:

=== RUN   TestAccAzureRMStorageAccount_writeLock
=== PAUSE TestAccAzureRMStorageAccount_writeLock
=== CONT  TestAccAzureRMStorageAccount_writeLock
--- FAIL: TestAccAzureRMStorageAccount_writeLock (71.81s)
=== RUN   TestAccAzureRMStorageAccount_minTLSVersion
=== PAUSE TestAccAzureRMStorageAccount_minTLSVersion
=== CONT  TestAccAzureRMStorageAccount_minTLSVersion
--- FAIL: TestAccAzureRMStorageAccount_minTLSVersion (204.07s)

Once that is addressed, we shall be ready to merge it 🚀

Turns out typos in the tests :)

$ make acctests SERVICE='storage' TESTARGS='-run=TestAccAzureRMStorageAccount' TESTTIMEOUT='60m'
==> Checking that code complies with gofmt requirements...
==> Checking that Custom Timeouts are used...
==> Checking that acceptance test packages are used...
TF_ACC=1 go test -v ./azurerm/internal/services/storage/tests/ -run=TestAccAzureRMStorageAccount -timeout 60m -ldflags="-X=github.com/terraform-providers/terraform-provider-azurerm/version.ProviderVersion=acc"
=== RUN   TestAccAzureRMStorageAccountCustomerManagedKey_basic
=== PAUSE TestAccAzureRMStorageAccountCustomerManagedKey_basic
=== RUN   TestAccAzureRMStorageAccountCustomerManagedKey_requiresImport
=== PAUSE TestAccAzureRMStorageAccountCustomerManagedKey_requiresImport
=== RUN   TestAccAzureRMStorageAccountCustomerManagedKey_updateKey
=== PAUSE TestAccAzureRMStorageAccountCustomerManagedKey_updateKey
=== RUN   TestAccAzureRMStorageAccountNetworkRules_basic
=== PAUSE TestAccAzureRMStorageAccountNetworkRules_basic
=== RUN   TestAccAzureRMStorageAccountNetworkRules_update
=== PAUSE TestAccAzureRMStorageAccountNetworkRules_update
=== RUN   TestAccAzureRMStorageAccountNetworkRules_empty
=== PAUSE TestAccAzureRMStorageAccountNetworkRules_empty
=== RUN   TestAccAzureRMStorageAccount_basic
=== PAUSE TestAccAzureRMStorageAccount_basic
=== RUN   TestAccAzureRMStorageAccount_requiresImport
=== PAUSE TestAccAzureRMStorageAccount_requiresImport
=== RUN   TestAccAzureRMStorageAccount_tagCount
=== PAUSE TestAccAzureRMStorageAccount_tagCount
=== RUN   TestAccAzureRMStorageAccount_writeLock
=== PAUSE TestAccAzureRMStorageAccount_writeLock
=== RUN   TestAccAzureRMStorageAccount_premium
=== PAUSE TestAccAzureRMStorageAccount_premium
=== RUN   TestAccAzureRMStorageAccount_disappears
=== PAUSE TestAccAzureRMStorageAccount_disappears
=== RUN   TestAccAzureRMStorageAccount_blobConnectionString
=== PAUSE TestAccAzureRMStorageAccount_blobConnectionString
=== RUN   TestAccAzureRMStorageAccount_enableHttpsTrafficOnly
=== PAUSE TestAccAzureRMStorageAccount_enableHttpsTrafficOnly
=== RUN   TestAccAzureRMStorageAccount_minTLSVersion
=== PAUSE TestAccAzureRMStorageAccount_minTLSVersion
=== RUN   TestAccAzureRMStorageAccount_allowBlobPublicAccess
=== PAUSE TestAccAzureRMStorageAccount_allowBlobPublicAccess
=== RUN   TestAccAzureRMStorageAccount_isHnsEnabled
=== PAUSE TestAccAzureRMStorageAccount_isHnsEnabled
=== RUN   TestAccAzureRMStorageAccount_blobStorageWithUpdate
=== PAUSE TestAccAzureRMStorageAccount_blobStorageWithUpdate
=== RUN   TestAccAzureRMStorageAccount_blockBlobStorage
=== PAUSE TestAccAzureRMStorageAccount_blockBlobStorage
=== RUN   TestAccAzureRMStorageAccount_fileStorageWithUpdate
=== PAUSE TestAccAzureRMStorageAccount_fileStorageWithUpdate
=== RUN   TestAccAzureRMStorageAccount_storageV2WithUpdate
=== PAUSE TestAccAzureRMStorageAccount_storageV2WithUpdate
=== RUN   TestAccAzureRMStorageAccount_storageV1ToV2Update
=== PAUSE TestAccAzureRMStorageAccount_storageV1ToV2Update
=== RUN   TestAccAzureRMStorageAccount_NonStandardCasing
=== PAUSE TestAccAzureRMStorageAccount_NonStandardCasing
=== RUN   TestAccAzureRMStorageAccount_enableIdentity
=== PAUSE TestAccAzureRMStorageAccount_enableIdentity
=== RUN   TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity
=== PAUSE TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity
=== RUN   TestAccAzureRMStorageAccount_networkRules
=== PAUSE TestAccAzureRMStorageAccount_networkRules
=== RUN   TestAccAzureRMStorageAccount_networkRulesDeleted
=== PAUSE TestAccAzureRMStorageAccount_networkRulesDeleted
=== RUN   TestAccAzureRMStorageAccount_blobProperties
=== PAUSE TestAccAzureRMStorageAccount_blobProperties
=== RUN   TestAccAzureRMStorageAccount_queueProperties
=== PAUSE TestAccAzureRMStorageAccount_queueProperties
=== RUN   TestAccAzureRMStorageAccount_staticWebsiteEnabled
=== PAUSE TestAccAzureRMStorageAccount_staticWebsiteEnabled
=== RUN   TestAccAzureRMStorageAccount_staticWebsiteProperties
=== PAUSE TestAccAzureRMStorageAccount_staticWebsiteProperties
=== RUN   TestAccAzureRMStorageAccount_replicationTypeGZRS
=== PAUSE TestAccAzureRMStorageAccount_replicationTypeGZRS
=== CONT  TestAccAzureRMStorageAccountCustomerManagedKey_basic
=== CONT  TestAccAzureRMStorageAccount_blobStorageWithUpdate
=== CONT  TestAccAzureRMStorageAccount_networkRules
=== CONT  TestAccAzureRMStorageAccount_replicationTypeGZRS
--- PASS: TestAccAzureRMStorageAccount_blobStorageWithUpdate (116.79s)
=== CONT  TestAccAzureRMStorageAccount_staticWebsiteProperties
--- PASS: TestAccAzureRMStorageAccount_replicationTypeGZRS (119.59s)
=== CONT  TestAccAzureRMStorageAccount_staticWebsiteEnabled
--- PASS: TestAccAzureRMStorageAccount_networkRules (157.24s)
=== CONT  TestAccAzureRMStorageAccount_queueProperties
--- PASS: TestAccAzureRMStorageAccount_staticWebsiteProperties (119.92s)
=== CONT  TestAccAzureRMStorageAccount_blobProperties
--- PASS: TestAccAzureRMStorageAccountCustomerManagedKey_basic (245.01s)
=== CONT  TestAccAzureRMStorageAccount_networkRulesDeleted
=== CONT  TestAccAzureRMStorageAccount_storageV1ToV2Update
--- PASS: TestAccAzureRMStorageAccount_staticWebsiteEnabled (146.08s)
--- PASS: TestAccAzureRMStorageAccount_queueProperties (123.50s)
=== CONT  TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity
--- PASS: TestAccAzureRMStorageAccount_blobProperties (118.46s)
=== CONT  TestAccAzureRMStorageAccount_enableIdentity
--- PASS: TestAccAzureRMStorageAccount_storageV1ToV2Update (115.16s)
=== CONT  TestAccAzureRMStorageAccount_NonStandardCasing
--- PASS: TestAccAzureRMStorageAccount_networkRulesDeleted (157.44s)
=== CONT  TestAccAzureRMStorageAccount_writeLock
--- PASS: TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity (129.86s)
=== CONT  TestAccAzureRMStorageAccount_isHnsEnabled
--- PASS: TestAccAzureRMStorageAccount_enableIdentity (93.37s)
=== CONT  TestAccAzureRMStorageAccount_allowBlobPublicAccess
--- PASS: TestAccAzureRMStorageAccount_NonStandardCasing (107.15s)
=== CONT  TestAccAzureRMStorageAccount_minTLSVersion
--- PASS: TestAccAzureRMStorageAccount_writeLock (115.96s)
=== CONT  TestAccAzureRMStorageAccount_enableHttpsTrafficOnly
--- PASS: TestAccAzureRMStorageAccount_isHnsEnabled (138.76s)
=== CONT  TestAccAzureRMStorageAccount_blobConnectionString
--- PASS: TestAccAzureRMStorageAccount_allowBlobPublicAccess (140.94s)
=== CONT  TestAccAzureRMStorageAccount_disappears
--- PASS: TestAccAzureRMStorageAccount_enableHttpsTrafficOnly (122.30s)
=== CONT  TestAccAzureRMStorageAccount_premium
--- PASS: TestAccAzureRMStorageAccount_blobConnectionString (91.38s)
=== CONT  TestAccAzureRMStorageAccountNetworkRules_empty
--- PASS: TestAccAzureRMStorageAccount_disappears (96.28s)
=== CONT  TestAccAzureRMStorageAccount_tagCount
--- PASS: TestAccAzureRMStorageAccount_minTLSVersion (198.18s)
=== CONT  TestAccAzureRMStorageAccount_requiresImport
--- PASS: TestAccAzureRMStorageAccount_premium (94.02s)
=== CONT  TestAccAzureRMStorageAccount_basic
--- PASS: TestAccAzureRMStorageAccountNetworkRules_empty (103.86s)
=== CONT  TestAccAzureRMStorageAccountNetworkRules_basic
--- PASS: TestAccAzureRMStorageAccount_tagCount (95.71s)
=== CONT  TestAccAzureRMStorageAccountNetworkRules_update
--- PASS: TestAccAzureRMStorageAccount_requiresImport (101.43s)
=== CONT  TestAccAzureRMStorageAccount_fileStorageWithUpdate
--- PASS: TestAccAzureRMStorageAccount_basic (121.26s)
=== CONT  TestAccAzureRMStorageAccount_storageV2WithUpdate
--- PASS: TestAccAzureRMStorageAccountNetworkRules_basic (118.30s)
=== CONT  TestAccAzureRMStorageAccountCustomerManagedKey_updateKey
--- PASS: TestAccAzureRMStorageAccount_fileStorageWithUpdate (110.44s)
=== CONT  TestAccAzureRMStorageAccountCustomerManagedKey_requiresImport
--- PASS: TestAccAzureRMStorageAccount_storageV2WithUpdate (115.70s)
=== CONT  TestAccAzureRMStorageAccount_blockBlobStorage
--- PASS: TestAccAzureRMStorageAccountNetworkRules_update (253.99s)
--- PASS: TestAccAzureRMStorageAccount_blockBlobStorage (98.78s)
--- PASS: TestAccAzureRMStorageAccountCustomerManagedKey_updateKey (262.99s)
--- PASS: TestAccAzureRMStorageAccountCustomerManagedKey_requiresImport (230.19s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/storage/tests       1128.908s

@magodo magodo changed the title Minimum TLS version for storage account azurerm_storage_account - Support for min_tls_version Aug 6, 2020
@magodo magodo merged commit 861dc48 into hashicorp:master Aug 6, 2020
magodo added a commit that referenced this pull request Aug 6, 2020
@ghost
Copy link

ghost commented Aug 7, 2020

This has been released in version 2.22.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.22.0"
}
# ... other configuration ...

@SebastianAtWork
Copy link

Unfortunately, this PR produces changes in already existing infrastructure. Shouldnt this be optional? If i upgrade the provider from 2.21 to 2.22 it shows this as a needed change for every storage account.

@rmcolbert
Copy link

rmcolbert commented Aug 11, 2020

The PR should only produces changes in existing infrastructure if you manually updated the storage account to use a different min_tls_version before Terraform started being able to track it. It should be documented as a change that requires remediation of existing storage account resource definitions that were manually updated outside of Terraform though.

@SebastianAtWork
Copy link

SebastianAtWork commented Aug 11, 2020

Its a storage account that i imported i.e. it existed and was created in azure and was imported via the import command. And this is an example of the current plan output :

# module.epaz_databases.azurerm_storage_account.backupStorage will be updated in-place
 ~ resource "azurerm_storage_account" "backupStorage" {
     + min_tls_version                  = "TLS1_0"

I dont want to apply these changes, since i dont know their effect, should i add this attribute to the ignore_changes or reimport the resource? Or is there a better way?

PS: I dont see min_tls_version as an attribute in the azure resource explorer for any of the storage accounts.

@rmcolbert
Copy link

Honestly, I would re-import the resource so you are consistent w/ the provider. The provider should pull the min_tls_version of the storage account and put it in the state file.

If you look in the Azure Portal for the storage account under Configuration, the option should appear there above "Access tier (default)" and below "Allow Blob public access". I haven't been able to find where that setting is surfaced through other clients (Azure CLI, PowerShell or Resource Explorer) yet.

@SebastianAtWork
Copy link

Unfortunatly, even after removing and importing the state of the storage account, min_tls_version is only written empty ( "min_tls_version": "",) and terraform plan still shows it as an addition

@SebastianAtWork
Copy link

I even tried to directly set the empty values into the state but as soon as the state refreshes, it gets emptied again. For now i will ignore changes to this attribute but that sounds like a strange behavior / bug

@magodo
Copy link
Collaborator

magodo commented Aug 15, 2020

Hi @SebastianAtWork Apologize to the impact.

May I know whether you are using Azure Public or some other environment (e.g. Azure US Government)? If you are the latter case, then the issue is probably fixed by #8092.

Otherwise, this might because of the API issue, assuming your storage account is created by a quite old API version, where the min_tls_version is not introduced yet. Then when the newer API accesses this resource, the response model does not include min_tls_version (whilst it should have included).

@SebastianAtWork
Copy link

We´re on Azure Public. I dont know if the api is old, The storage account should have been created last year manually in the Portal and we imported them a few weeks ago into terraform. And then reimported it last week. Sounds like it should not happen with new azure storage accounts and theres not much i can do about the existing ones besides ignoring the change? (Or recreating them, which i cant do / would be too much work for such an attribute)

@magodo
Copy link
Collaborator

magodo commented Aug 18, 2020

@SebastianAtWork I just open a PR #8152 to fix this, thank you for your report!

WodansSon pushed a commit that referenced this pull request Aug 18, 2020
For those storage account created using old API version (at least
2018-02-01, before provider v1.29.0), the GET call of new API version
will not return the `minimumTLSVersion` in response body. So those users
will get a diff.

This PR sets the default value for `min_tls_version` in case it is
missing in response, using the same value as the default value defined
in schema.
@ghost
Copy link

ghost commented Sep 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 5, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
4 participants