hashicorp · WodansSon · Jan 31, 2020 · Jan 27, 2020 · Jan 27, 2020 · Jan 29, 2020
diff --git a/azurerm/internal/services/frontdoor/resource_arm_front_door.go b/azurerm/internal/services/frontdoor/resource_arm_front_door.go
@@ -408,6 +408,10 @@ func resourceArmFrontDoor() *schema.Resource {
 										}, false),
 										Default: string(frontdoor.CertificateSourceFrontDoor),
 									},
+									"minimum_tls_version": {
+										Type:     schema.TypeString,
+										Computed: true,
+									},
 									"provisioning_state": {
 										Type:     schema.TypeString,
 										Computed: true,
@@ -549,9 +553,12 @@ func resourceArmFrontDoorCreateUpdate(d *schema.ResourceData, meta interface{})
 					// Build a custom Https configuration based off the config file to send to the enable call
 					// NOTE: I do not need to check to see if this exists since I already do that in the validation code
 					chc := frontendEndpoint["custom_https_configuration"].([]interface{})
-					customHttpsConfiguration := chc[0].(map[string]interface{})
-					customHTTPSConfigurationUpdate := makeCustomHttpsConfiguration(customHttpsConfiguration)
-
+					customHTTPSConfiguration := chc[0].(map[string]interface{})
+					minTLSVersion := frontdoor.OneFullStopTwo // Default to TLS 1.2
+					if httpsConfig := properties.CustomHTTPSConfiguration; httpsConfig != nil {
+						minTLSVersion = httpsConfig.MinimumTLSVersion
+					}
+					customHTTPSConfigurationUpdate := makeCustomHttpsConfiguration(customHTTPSConfiguration, minTLSVersion)
 					// Enable Custom Domain HTTPS for the Frontend Endpoint
 					if err := resourceArmFrontDoorFrontendEndpointEnableHttpsProvisioning(d, true, name, frontendEndpointName, resourceGroup, customHTTPSConfigurationUpdate, meta); err != nil {
 						return fmt.Errorf("Unable enable Custom Domain HTTPS for Frontend Endpoint %q (Resource Group %q): %+v", frontendEndpointName, resourceGroup, err)
@@ -811,7 +818,6 @@ func expandArmFrontDoorFrontendEndpoint(input []interface{}, frontDoorPath strin
 		hostName := frontendEndpoint["host_name"].(string)
 		isSessionAffinityEnabled := frontendEndpoint["session_affinity_enabled"].(bool)
 		sessionAffinityTtlSeconds := int32(frontendEndpoint["session_affinity_ttl_seconds"].(int))
-		customHttpsConfiguration := frontendEndpoint["custom_https_configuration"].([]interface{})
 		waf := frontendEndpoint["web_application_firewall_policy_link_id"].(string)
 		name := frontendEndpoint["name"].(string)
 		id := utils.String(frontDoorPath + "/FrontendEndpoints/" + name)
@@ -825,7 +831,6 @@ func expandArmFrontDoorFrontendEndpoint(input []interface{}, frontDoorPath strin
 			ID:   id,
 			Name: utils.String(name),
 			FrontendEndpointProperties: &frontdoor.FrontendEndpointProperties{
-				CustomHTTPSConfiguration:    expandArmFrontDoorCustomHTTPSConfiguration(customHttpsConfiguration),
 				HostName:                    utils.String(hostName),
 				SessionAffinityEnabledState: sessionAffinityEnabled,
 				SessionAffinityTTLSeconds:   utils.Int32(sessionAffinityTtlSeconds),
@@ -844,27 +849,6 @@ func expandArmFrontDoorFrontendEndpoint(input []interface{}, frontDoorPath strin
 	return &output
 }
 
-func expandArmFrontDoorCustomHTTPSConfiguration(input []interface{}) *frontdoor.CustomHTTPSConfiguration {
-	if len(input) == 0 {
-		// https://github.com/Azure/azure-sdk-for-go/issues/6882
-		defaultProtocolType := "ServerNameIndication"
-
-		defaultHttpsConfiguration := frontdoor.CustomHTTPSConfiguration{
-			ProtocolType:      &defaultProtocolType,
-			CertificateSource: frontdoor.CertificateSourceFrontDoor,
-			CertificateSourceParameters: &frontdoor.CertificateSourceParameters{
-				CertificateType: frontdoor.Dedicated,
-			},
-		}
-		return &defaultHttpsConfiguration
-	}
-
-	v := input[0].(map[string]interface{})
-	customHttpsConfiguration := makeCustomHttpsConfiguration(v)
-
-	return &customHttpsConfiguration
-}
-
 func expandArmFrontDoorHealthProbeSettingsModel(input []interface{}, frontDoorPath string) *[]frontdoor.HealthProbeSettingsModel {
 	if len(input) == 0 {
 		return &[]frontdoor.HealthProbeSettingsModel{}
@@ -1265,6 +1249,8 @@ func flattenArmFrontDoorFrontendEndpoint(d *schema.ResourceData, input *[]frontd
 						chc["certificate_source"] = string(frontdoor.CertificateSourceFrontDoor)
 					}
 
+					chc["minimum_tls_version"] = string(customHTTPSConfiguration.MinimumTLSVersion)
+
 					if provisioningState := properties.CustomHTTPSProvisioningState; provisioningState != "" {
 						chc["provisioning_state"] = provisioningState
 						if provisioningState == frontdoor.CustomHTTPSProvisioningStateEnabled || provisioningState == frontdoor.CustomHTTPSProvisioningStateEnabling {
@@ -1498,12 +1484,13 @@ func flattenArmFrontDoorFrontendEndpointsSubResources(input *[]frontdoor.SubReso
 	return output
 }
 
-func makeCustomHttpsConfiguration(customHttpsConfiguration map[string]interface{}) frontdoor.CustomHTTPSConfiguration {
+func makeCustomHttpsConfiguration(customHttpsConfiguration map[string]interface{}, minTLSVersion frontdoor.MinimumTLSVersion) frontdoor.CustomHTTPSConfiguration {
 	// https://github.com/Azure/azure-sdk-for-go/issues/6882
 	defaultProtocolType := "ServerNameIndication"
 
 	customHTTPSConfigurationUpdate := frontdoor.CustomHTTPSConfiguration{
-		ProtocolType: &defaultProtocolType,
+		ProtocolType:      &defaultProtocolType,
+		MinimumTLSVersion: minTLSVersion,
 	}
 
 	if customHttpsConfiguration["certificate_source"].(string) == "AzureKeyVault" {

diff --git a/azurerm/internal/services/frontdoor/tests/resource_arm_front_door_test.go b/azurerm/internal/services/frontdoor/tests/resource_arm_front_door_test.go
@@ -160,6 +160,36 @@ func TestAccAzureRMFrontDoor_EnableDisableCache(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMFrontDoor_CustomHttps(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_frontdoor", "test")
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMFrontDoorDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFrontDoor_CustomHttpsEnabled(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFrontDoorExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_provisioning_enabled", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_configuration.0.certificate_source", "FrontDoor"),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_configuration.0.minimum_tls_version", "1.2"),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_configuration.0.provisioning_state", "Enabled"),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_configuration.0.provisioning_substate", "CertificateDeployed"),
+				),
+			},
+			{
+				Config: testAccAzureRMFrontDoor_CustomHttpsDisabled(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFrontDoorExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "frontend_endpoint.0.custom_https_provisioning_enabled", "false"),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 func testCheckAzureRMFrontDoorExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := acceptance.AzureProvider.Meta().(*clients.Client).Frontdoor.FrontDoorsClient
@@ -573,3 +603,130 @@ resource "azurerm_frontdoor" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
 }
+
+func testAccAzureRMFrontDoor_CustomHttpsEnabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+locals {
+  backend_name        = "backend-bing"
+  endpoint_name       = "frontend-endpoint"
+  health_probe_name   = "health-probe"
+  load_balancing_name = "load-balancing-setting"
+}
+
+resource "azurerm_frontdoor" "test" {
+  name                                         = "acctestfd-%d"
+  location                                     = azurerm_resource_group.test.location
+  resource_group_name                          = azurerm_resource_group.test.name
+  enforce_backend_pools_certificate_name_check = false
+
+  routing_rule {
+    name               = "routing-rule"
+    accepted_protocols = ["Http", "Https"]
+    patterns_to_match  = ["/*"]
+    frontend_endpoints = [local.endpoint_name]
+
+    forwarding_configuration {
+      forwarding_protocol = "MatchRequest"
+      backend_pool_name   = local.backend_name
+    }
+  }
+
+  backend_pool_load_balancing {
+    name = local.load_balancing_name
+  }
+
+  backend_pool_health_probe {
+    name = local.health_probe_name
+  }
+
+  backend_pool {
+    name = local.backend_name
+    backend {
+      host_header = "www.bing.com"
+      address     = "www.bing.com"
+      http_port   = 80
+      https_port  = 443
+    }
+
+    load_balancing_name = local.load_balancing_name
+    health_probe_name   = local.health_probe_name
+  }
+
+  frontend_endpoint {
+    name                              = local.endpoint_name
+    host_name                         = "acctestfd-%d.azurefd.net"
+    custom_https_provisioning_enabled = true
+    custom_https_configuration {
+      certificate_source = "FrontDoor"
+    }
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}
+
+func testAccAzureRMFrontDoor_CustomHttpsDisabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+locals {
+  backend_name        = "backend-bing"
+  endpoint_name       = "frontend-endpoint"
+  health_probe_name   = "health-probe"
+  load_balancing_name = "load-balancing-setting"
+}
+
+resource "azurerm_frontdoor" "test" {
+  name                                         = "acctestfd-%d"
+  location                                     = azurerm_resource_group.test.location
+  resource_group_name                          = azurerm_resource_group.test.name
+  enforce_backend_pools_certificate_name_check = false
+
+  routing_rule {
+    name               = "routing-rule"
+    accepted_protocols = ["Http", "Https"]
+    patterns_to_match  = ["/*"]
+    frontend_endpoints = [local.endpoint_name]
+
+    forwarding_configuration {
+      forwarding_protocol = "MatchRequest"
+      backend_pool_name   = local.backend_name
+    }
+  }
+
+  backend_pool_load_balancing {
+    name = local.load_balancing_name
+  }
+
+  backend_pool_health_probe {
+    name = local.health_probe_name
+  }
+
+  backend_pool {
+    name = local.backend_name
+    backend {
+      host_header = "www.bing.com"
+      address     = "www.bing.com"
+      http_port   = 80
+      https_port  = 443
+    }
+
+    load_balancing_name = local.load_balancing_name
+    health_probe_name   = local.health_probe_name
+  }
+
+  frontend_endpoint {
+    name                              = local.endpoint_name
+    host_name                         = "acctestfd-%d.azurefd.net"
+    custom_https_provisioning_enabled = false
+   }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}