From 847e63b1fd5b434171d058cee93a16ed201e3a46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garrido=20S=C3=A1nchez?=
Date: Sun, 29 Sep 2024 06:54:20 +0000
Subject: [PATCH] fix: cipher_suites of ssl profiles
---
 .config/default_ssl_policy_parameters.json | 37 +++++++++++++++++++
 .config/ssl_profile_parameters.json | 2 --
 .pre-commit-config.yaml | 1 +
 CHANGELOG.md | 1 +
 README.md | 5 ++-
 main.tf | 1 +
 variables.tf | 42 ++++++++++++++++++----
 7 files changed, 79 insertions(+), 10 deletions(-)
diff --git a/.config/default_ssl_policy_parameters.json b/.config/default_ssl_policy_parameters.json
index 739ff33..7db75e3 100644
--- a/.config/default_ssl_policy_parameters.json
+++ b/.config/default_ssl_policy_parameters.json
@@ -31,5 +31,42 @@
 "TLSv1_2",
 "TLSv1_3"
 ]
+ },
+ {
+ "Name": "cipher_suites",
+ "Description": "A list of accepted cipher suites. Possible values are",
+ "Type": "list(string)",
+ "Default": "null",
+ "Required": "no",
+ "Support": [
+ "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/.config/ssl_profile_parameters.json b/.config/ssl_profile_parameters.json
index a53b334..789a30a 100644
--- a/.config/ssl_profile_parameters.json
+++ b/.config/ssl_profile_parameters.json
@@ -47,8 +47,6 @@
 "Default": "null",
 "Required": "no",
 "Support": [
- "TLS_AES_128_GCM_SHA256",
- "TLS_AES_256_GCM_SHA384",
 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c327ad8..64fe284 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,6 +12,7 @@ repos:
 name: Validate Terraform tests
 exclude: ^(examples|tests)
 args:
+ - --args=--enable-rule=terraform_comment_syntax
 - --args=--enable-rule=terraform_documented_outputs
 - --args=--enable-rule=terraform_documented_variables
 - --args=--enable-rule=terraform_naming_convention
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd5208e..3f9bc80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ FEATURES:
 * **New Parameter**: `default_ssl_policy.policy_type`
 * **New Parameter**: `default_ssl_policy.policy_name`
 * **New Parameter**: `default_ssl_policy.min_protocol_version`
+* **New Parameter**: `default_ssl_policy.cipher_suites`
 * **New Parameter**: `ssl_profiles`
 * **New Parameter**: `ssl_profiles.name`
 * **New Parameter**: `ssl_profiles.policy_type`
diff --git a/README.md b/README.md
index 4014696..b904c76 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,8 @@ module "application_gateway" {
 }
 ```
+Reference to more [examples](https://github.com/aztfm/terraform-azurerm-application-gateway/tree/main/examples).
+
 ## :arrow_forward: Parameters
@@ -159,6 +161,7 @@ The `default_ssl_policy` supports the following:
 |policy\_type|The Type of the Policy. Possible values are `Predefined`, `Custom` and `CustomV2`.|`string`|`Predefined`|no|
 |policy\_name|The Name of the Policy e.g. AppGwSslPolicy20170401S. Required if policy_type is set to Predefined.|`string`|`AppGwSslPolicy20220101`|no|
 |min\_protocol\_version|The minimal TLS version. Possible values are `TLSv1_0`, `TLSv1_1`, `TLSv1_2` and `TLSv1_3`.|`string`|`null`|no|
+|cipher\_suites|A list of accepted cipher suites. Possible values are `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`, `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`.|`list(string)`|`null`|no|
 The `ssl_profiles` supports the following:
@@ -168,7 +171,7 @@ The `ssl_profiles` supports the following:
 |policy\_type|The type of the Policy. Possible values are `Predefined`, `Custom` and `CustomV2`.|`string`|`null`|no|
 |policy\_name|The name of the SSL Profile that is unique within this Application Gateway.|`string`|`null`|no|
 |min\_protocol\_version|The minimal TLS version. Possible values are `TLSv1_0`, `TLSv1_1`, `TLSv1_2` and `TLSv1_3`.|`string`|`null`|no|
-|cipher\_suites|A list of accepted cipher suites. Possible values are `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`, `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`.|`list(string)`|`null`|no|
+|cipher\_suites|A list of accepted cipher suites. 
Possible values are `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`, `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`.|`list(string)`|`null`|no|
 The `ssl_certificates` supports the following:
diff --git a/main.tf b/main.tf
index 2693fa5..dbcdf88 100644
--- a/main.tf
+++ b/main.tf
@@ -76,6 +76,7 @@ resource "azurerm_application_gateway" "main" {
 policy_type = var.default_ssl_policy.policy_type
 policy_name = var.default_ssl_policy.policy_name
 min_protocol_version = var.default_ssl_policy.min_protocol_version
+ cipher_suites = var.default_ssl_policy.cipher_suites
 }
 dynamic "ssl_profile" {
diff --git a/variables.tf b/variables.tf
index fc39e34..000a216 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,6 +151,7 @@ variable "default_ssl_policy" {
 policy_type = optional(string, "Predefined")
 policy_name = optional(string, "AppGwSslPolicy20220101")
 min_protocol_version = optional(string)
+ cipher_suites = optional(list(string))
 })
 default = null
 description = "A mapping with the default ssl policy of the Application Gateway."
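Review bot: The new `cipher_suites` attribute has no rule tying it to `policy_type`: with `policy_type` left at its `"Predefined"` default a null list is fine, but to my knowledge Azure rejects a `Custom` policy unless both `cipher_suites` and `min_protocol_version` are set, and that failure only surfaces at apply time. A validation written in the same style as the existing `var.default_ssl_policy.min_protocol_version != null` rule would catch it at plan time and behaves the same way as that rule when the whole object is null. The `variable "default_ssl_policy"` block starts before this hunk and its validation blocks follow it, so the new rule belongs next to them, along the lines below.
```hcl
# … unchanged: type / default / description of default_ssl_policy …
validation {
  condition     = var.default_ssl_policy.policy_type != "Custom" || (var.default_ssl_policy.cipher_suites != null && var.default_ssl_policy.min_protocol_version != null)
  error_message = "A Custom policy_type requires both cipher_suites and min_protocol_version to be set."
}
```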
@@ -169,6 +170,40 @@ variable "default_ssl_policy" {
 condition = var.default_ssl_policy.min_protocol_version != null ? contains(["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"], var.default_ssl_policy.min_protocol_version) : true
 error_message = "The min_protocol_version must be one of TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3."
 }
+
+ validation {
+ condition = var.default_ssl_policy.cipher_suites != null ? alltrue([for suite in var.default_ssl_policy.cipher_suites : contains([
+ "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ], suite)]) : true
+ error_message = "All cipher_suites must be one of the supported values."
+ }
 }
 variable "ssl_profiles" {
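Review bot: The 28-entry allow-list in the new `validation` block is a verbatim copy of the one in `variable "ssl_profiles"` (the hunks at the end of this patch), and keeping two copies in step is exactly the drift this commit is having to repair; if the module's `required_version` admits Terraform 1.9 or later, where validation conditions may reference locals, hoist it into a single `local.supported_cipher_suites` and use it from both validations. Independently, the list encodes the names Azure accepts rather than a strength policy, and a comment above the new block should say so, e.g. `# Accepted names only (mirrors Azure's list); no minimum strength is enforced — 3DES and static-RSA (no forward secrecy) suites remain selectable.` The enclosing `variable "default_ssl_policy"` block starts before this hunk.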
@@ -200,8 +235,6 @@ variable "ssl_profiles" {
 validation {
 condition = alltrue([for policy in var.ssl_profiles : alltrue([for suite in policy.cipher_suites : contains([
- "TLS_AES_128_GCM_SHA256",
- "TLS_AES_256_GCM_SHA384",
 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
@@ -233,11 +266,6 @@ variable "ssl_profiles" {
 ], suite)]) if policy.cipher_suites != null])
 error_message = "All cipher_suites must be one of the supported values."
 }
-
- validation {
- condition = alltrue([for policy in var.ssl_profiles : policy.cipher_suites != null ? contains(["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"], policy.cipher_suites) ? policy.policy_type == "CustomV2" : true : true])
- error_message = "The cipher_suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 are only supported for CustomV2 policies."
- }
 }
 variable "ssl_certificates" {