feat: ssl-policies (#34)

* chore: update devcontainer and pre-commit * chore: update license * chore: update readme * chore: update devcontainer * chore: delete azurerm_client_config data resource #33 * feat: ssl policies * chore: add SSL policies unit tests * feat: update ssl_policy * chore: update markdownlint * chore: add unit tests to default ssl profile and ssl profiles * fix: unit tests * chore: remove a unit test * fix: default_ssl_policy parameter * fix: update ssl_profiles in testing.tftest.hcl * fix: update validation condition for ssl_profiles in variables.tf * fix: update validation condition for ssl_profiles in variables.tf * fix: cipher_suites of ssl profiles * fix: Update cipher suites and minimum protocol version for ssl-profile-2 in testing.tftest.hcl * fix: Update validation condition for ssl_profiles in testing.tftest.hcl * fix: Update SSL profile validation conditions and cipher suites * fix: Update SSL profile validation conditions and cipher suites in testing.tftest.hcl * chore: Update release date in CHANGELOG.md
aztfm · Sep 29, 2024 · dd3b209 · dd3b209
1 parent 508e806
commit dd3b209
Show file tree

Hide file tree

Showing 14 changed files with 657 additions and 60 deletions.
diff --git a/.config/.terraform-docs.yml b/.config/.terraform-docs.yml
@@ -51,6 +51,8 @@ content: |
   {{ template "table" dict "Resource" "autoscale_configuration" "File" ".config/autoscale_configuration_parameters.json" }}
   {{ template "table" dict "Resource" "frontend_ip_configuration" "File" ".config/frontend_ip_configuration_parameters.json" }}
   {{ template "table" dict "Resource" "backend_address_pools" "File" ".config/backend_address_pool_parameters.json" }}
+  {{ template "table" dict "Resource" "default_ssl_policy" "File" ".config/default_ssl_policy_parameters.json" }}
+  {{ template "table" dict "Resource" "ssl_profiles" "File" ".config/ssl_profile_parameters.json" }}
   {{ template "table" dict "Resource" "ssl_certificates" "File" ".config/ssl_certificate_parameters.json" }}
   {{ template "table" dict "Resource" "http_listeners" "File" ".config/http_listener_parameters.json" }}
   {{ template "table" dict "Resource" "probes" "File" ".config/probe_parameters.json" }}

diff --git a/.config/default_ssl_policy_parameters.json b/.config/default_ssl_policy_parameters.json
@@ -0,0 +1,72 @@
+[
+    {
+        "Name": "policy_type",
+        "Description": "The Type of the Policy. Possible values are",
+        "Type": "string",
+        "Default": "Predefined",
+        "Required": "no",
+        "Support": [
+            "Predefined",
+            "Custom",
+            "CustomV2"
+        ]
+    },
+    {
+        "Name": "policy_name",
+        "Description": "The Name of the Policy e.g. AppGwSslPolicy20170401S. Required if policy_type is set to Predefined.",
+        "Type": "string",
+        "Default": "AppGwSslPolicy20220101",
+        "Required": "no",
+        "Support": []
+    },
+    {
+        "Name": "min_protocol_version",
+        "Description": "The minimal TLS version. Possible values are",
+        "Type": "string",
+        "Default": "null",
+        "Required": "no",
+        "Support": [
+            "TLSv1_0",
+            "TLSv1_1",
+            "TLSv1_2",
+            "TLSv1_3"
+        ]
+    },
+    {
+        "Name": "cipher_suites",
+        "Description": "A list of accepted cipher suites. Possible values are",
+        "Type": "list(string)",
+        "Default": "null",
+        "Required": "no",
+        "Support": [
+            "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_RSA_WITH_AES_256_CBC_SHA256",
+            "TLS_RSA_WITH_AES_256_GCM_SHA384"
+        ]
+    }
+]
diff --git a/.config/ssl_profile_parameters.json b/.config/ssl_profile_parameters.json
@@ -0,0 +1,80 @@
+[
+    {
+        "Name": "name",
+        "Description": "The name of the SSL Profile that is unique within this Application Gateway.",
+        "Type": "string",
+        "Default": "n/a",
+        "Required": "yes",
+        "Support": []
+    },
+    {
+        "Name": "policy_type",
+        "Description": "The type of the Policy. Possible values are",
+        "Type": "string",
+        "Default": "null",
+        "Required": "no",
+        "Support": [
+            "Predefined",
+            "Custom",
+            "CustomV2"
+        ]
+    },
+    {
+        "Name": "policy_name",
+        "Description": "The name of the SSL Profile that is unique within this Application Gateway.",
+        "Type": "string",
+        "Default": "null",
+        "Required": "no",
+        "Support": []
+    },
+    {
+        "Name": "min_protocol_version",
+        "Description": "The minimal TLS version. Possible values are",
+        "Type": "string",
+        "Default": "null",
+        "Required": "no",
+        "Support": [
+            "TLSv1_0",
+            "TLSv1_1",
+            "TLSv1_2",
+            "TLSv1_3"
+        ]
+    },
+    {
+        "Name": "cipher_suites",
+        "Description": "A list of accepted cipher suites. Possible values are",
+        "Type": "list(string)",
+        "Default": "null",
+        "Required": "no",
+        "Support": [
+            "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_RSA_WITH_AES_256_CBC_SHA256",
+            "TLS_RSA_WITH_AES_256_GCM_SHA384"
+        ]
+    }
+]
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -24,16 +24,23 @@
                 "bierner.markdown-emoji",
                 "bierner.markdown-preview-github-styles",
                 "DavidAnson.vscode-markdownlint",
+                "GitHub.vscode-github-actions",
+                "GitHub.vscode-pull-request-github",
                 "hashicorp.hcl",
                 "hashicorp.terraform",
                 "streetsidesoftware.code-spell-checker",
+                "TylerHarris.terraform-link-docs",
                 "redhat.vscode-yaml",
                 "vscode-icons-team.vscode-icons"
             ],
             "settings": {
                 "cSpell.ignorePaths": [
                     ".devcontainer/devcontainer.json"
                 ],
+                "cSpell.ignoreWords": [
+                    "aztfm",
+                    "azurerm"
+                ],
                 "editor.bracketPairColorization.enabled": true,
                 "editor.formatOnSave": true,
                 "editor.formatOnSaveMode": "file",

diff --git a/.markdownlint.json b/.markdownlint.json
@@ -1,3 +1,4 @@
 {
-    "MD013": false
+    "MD013": false,
+    "MD041": false
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.96.1
     hooks:
       - id: terraform_fmt
         name: Format Terraform code
@@ -12,14 +12,15 @@ repos:
         name: Validate Terraform tests
         exclude: ^(examples|tests)
         args:
+          - --args=--enable-rule=terraform_comment_syntax
           - --args=--enable-rule=terraform_documented_outputs
           - --args=--enable-rule=terraform_documented_variables
           - --args=--enable-rule=terraform_naming_convention
           - --args=--enable-rule=terraform_standard_module_structure
           - --args=--enable-rule=terraform_unused_required_providers
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.41.0
+    rev: v0.42.0
     hooks:
       - id: markdownlint
         name: Validate Markdown text
@@ -40,7 +41,7 @@ repos:
         fail_fast: true
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.96.1
     hooks:
       - id: terraform_validate
         name: Validate Terraform code

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,19 @@
-<!-- markdownlint-disable MD041 -->
+## 2.1.0 (September 29, 2024)
+
+FEATURES:
+
+* **New Parameter**: `default_ssl_policy`
+* **New Parameter**: `default_ssl_policy.policy_type`
+* **New Parameter**: `default_ssl_policy.policy_name`
+* **New Parameter**: `default_ssl_policy.min_protocol_version`
+* **New Parameter**: `default_ssl_policy.cipher_suites`
+* **New Parameter**: `ssl_profiles`
+* **New Parameter**: `ssl_profiles.name`
+* **New Parameter**: `ssl_profiles.policy_type`
+* **New Parameter**: `ssl_profiles.policy_name`
+* **New Parameter**: `ssl_profiles.min_protocol_version`
+* **New Parameter**: `ssl_profiles.cipher_suites`
+
 ## 2.0.0 (August 07, 2024)
 
 BREAKING CHANGES: