diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go
index 686dcf3bdf5b..6e955ba8b978 100644
--- a/azurerm/internal/services/apimanagement/api_management_resource.go
+++ b/azurerm/internal/services/apimanagement/api_management_resource.go
@@ -26,14 +26,23 @@ import (
 )
 var (
- apimBackendProtocolSsl3 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"
- apimBackendProtocolTls10 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"
- apimBackendProtocolTls11 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11"
- apimFrontendProtocolSsl3 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30"
- apimFrontendProtocolTls10 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"
- apimFrontendProtocolTls11 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"
- apimTripleDesCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168"
- apimHttp2Protocol = "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2"
+ apimBackendProtocolSsl3 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"
+ apimBackendProtocolTls10 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"
+ apimBackendProtocolTls11 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11"
+ apimFrontendProtocolSsl3 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30"
+ apimFrontendProtocolTls10 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"
+ apimFrontendProtocolTls11 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"
+ apimTripleDesCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168"
+ apimHttp2Protocol = "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2"
+ apimTlsEcdheEcdsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ apimTlsEcdheEcdsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
+ apimTlsEcdheRsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ apimTlsEcdheRsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+ apimTlsRsaWithAes128GcmSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256"
+ apimTlsRsaWithAes256CbcSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256"
+ apimTlsRsaWithAes128CbcSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256"
+ apimTlsRsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA"
+ apimTlsRsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA"
 )
 func resourceApiManagementService() *schema.Resource {
@@ -284,7 +293,63 @@ func resourceApiManagementService() *schema.Resource {
 Default: false,
 },
+ // TODO: Remove in v3.0
 "enable_triple_des_ciphers": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Computed: true,
+ ConflictsWith: []string{"security.0.triple_des_ciphers_enabled"},
+ Deprecated: "this has been renamed to the boolean attribute `triple_des_ciphers_enabled`.",
+ },
+
+ "triple_des_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Computed: true, // TODO: v3.0 remove Computed and set Default: false
+ ConflictsWith: []string{"security.0.enable_triple_des_ciphers"},
+ },
+
+ "tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_rsa_with_aes128_gcm_sha256_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_rsa_with_aes256_cbc_sha256_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_rsa_with_aes128_cbc_sha256_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_rsa_with_aes256_cbc_sha_ciphers_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
+ "tls_rsa_with_aes128_cbc_sha_ciphers_enabled": {
 Type: schema.TypeBool,
 Optional: true,
 Default: false,
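Review bot: The attribute names introduced here do not match the documentation added in the same commit: the markdown lists `tls_ecdheRsa_with_aes128_cbc_sha_ciphers_enabled` and `tls_ecdheRsa_with_aes256_cbc_sha_ciphers_enabled`, while the schema keys are `tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled` and `tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled`, so a user copying the documented name gets an unsupported-argument error. The nine new cipher toggles also carry no comment saying what they are; a header such as `// Legacy cipher-suite toggles: all default to disabled, and expandApiManagementCustomProperties rejects any of them on the Consumption SKU.` above the first one would help the next maintainer. The `Computed: true` on `triple_des_ciphers_enabled` deserves one line on why it is there rather than only when to remove it — presumably so the value the flatten side mirrors from the deprecated `enable_triple_des_ciphers` does not show as a diff, which is worth confirming and stating in the TODO. resourceApiManagementService starts and ends outside this hunk.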
@@ -1169,6 +1234,15 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio
 frontendProtocolTls10 := false
 frontendProtocolTls11 := false
 tripleDesCiphers := false
+ tlsEcdheEcdsaWithAes256CbcShaCiphers := false
+ tlsEcdheEcdsaWithAes128CbcShaCiphers := false
+ tlsEcdheRsaWithAes256CbcShaCiphers := false
+ tlsEcdheRsaWithAes128CbcShaCiphers := false
+ tlsRsaWithAes128GcmSha256Ciphers := false
+ tlsRsaWithAes256CbcSha256Ciphers := false
+ tlsRsaWithAes128CbcSha256Ciphers := false
+ tlsRsaWithAes256CbcShaCiphers := false
+ tlsRsaWithAes128CbcShaCiphers := false
 if vs := d.Get("security").([]interface{}); len(vs) > 0 {
 v := vs[0].(map[string]interface{})
@@ -1178,7 +1252,25 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio
 frontendProtocolSsl3 = v["enable_frontend_ssl30"].(bool)
 frontendProtocolTls10 = v["enable_frontend_tls10"].(bool)
 frontendProtocolTls11 = v["enable_frontend_tls11"].(bool)
- tripleDesCiphers = v["enable_triple_des_ciphers"].(bool)
+
+ // TODO: Remove and simplify after deprecation
+ if v, exists := v["enable_triple_des_ciphers"]; exists {
+ tripleDesCiphers = v.(bool)
+ }
+ if v, exists := v["triple_des_ciphers_enabled"]; exists {
+ tripleDesCiphers = v.(bool)
+ }
+
+ tlsEcdheEcdsaWithAes256CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"].(bool)
+ tlsEcdheEcdsaWithAes128CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"].(bool)
+ tlsEcdheRsaWithAes256CbcShaCiphers = v["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool)
+ tlsEcdheRsaWithAes128CbcShaCiphers = v["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"].(bool)
+ tlsRsaWithAes128GcmSha256Ciphers = v["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"].(bool)
+ tlsRsaWithAes256CbcSha256Ciphers = v["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"].(bool)
+ tlsRsaWithAes128CbcSha256Ciphers = v["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"].(bool)
+ tlsRsaWithAes256CbcShaCiphers = v["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool)
+ tlsRsaWithAes128CbcShaCiphers = v["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"].(bool)
+
 if skuIsConsumption && frontendProtocolSsl3 {
 return nil, fmt.Errorf("`enable_frontend_ssl30` is not support for Sku Tier `Consumption`")
 }
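Review bot: The `exists` guards on the two `if v, exists := v[...]` lines do not distinguish a user-set value from an unset one — as far as I know the map returned by `d.Get("security")` carries every schema key of the block with its zero value, so both branches always run and the second assignment silently overwrites the first, meaning a configuration with `enable_triple_des_ciphers = true` ends up sending `false` on create. Reading the deprecated attribute through the resource data makes the intent explicit: `tripleDesCiphers = v["triple_des_ciphers_enabled"].(bool)` / `if legacy, ok := d.GetOk("security.0.enable_triple_des_ciphers"); ok && legacy.(bool) {` / `tripleDesCiphers = true`. Because both attributes are `Computed` and the flatten side writes the same API value into both keys, a value already persisted in state will also be visible here, so the update path (switching from the old name to the new one) is worth confirming with an acceptance test. Shadowing the block map `v` with the per-key `v` inside the `if` initialisers also makes this section harder to read than it needs to be. expandApiManagementCustomProperties begins and ends outside this hunk.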
@@ -1186,6 +1278,42 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio
 if skuIsConsumption && tripleDesCiphers {
 return nil, fmt.Errorf("`enable_triple_des_ciphers` is not support for Sku Tier `Consumption`")
 }
+
+ if skuIsConsumption && tlsEcdheEcdsaWithAes256CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsEcdheEcdsaWithAes128CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsEcdheRsaWithAes256CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsEcdheRsaWithAes128CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsRsaWithAes128GcmSha256Ciphers {
+ return nil, fmt.Errorf("`tls_rsa_with_aes128_gcm_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsRsaWithAes256CbcSha256Ciphers {
+ return nil, fmt.Errorf("`tls_rsa_with_aes256_cbc_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsRsaWithAes128CbcSha256Ciphers {
+ return nil, fmt.Errorf("`tls_rsa_with_aes128_cbc_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsRsaWithAes256CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_rsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
+
+ if skuIsConsumption && tlsRsaWithAes128CbcShaCiphers {
+ return nil, fmt.Errorf("`tls_rsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`")
+ }
 }
 customProperties := map[string]*string{
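Review bot: The nine Consumption-SKU checks added after the `tripleDesCiphers` guard are the same three lines copied with a different variable and attribute name, and each new message repeats the existing typo `is not support`; a small table keyed by attribute name keeps the validation in one place and would let the `customProperties` writes in the next hunk (`@@ -1199,6 +1327,15 @@`) iterate the same rows instead of nine more hand-written assignments. The rewrite below keeps one error per attribute but fixes the grammar to `is not supported` in the new messages. expandApiManagementCustomProperties begins and ends outside this hunk.
```go
	// … unchanged: existing Consumption checks for ssl30 / tls10 / tls11 / tripleDesCiphers …
	// Legacy cipher-suite toggles are all rejected on the Consumption SKU; validate them from one
	// table so adding a cipher means adding one row rather than one more if-block.
	consumptionUnsupported := []struct {
		attr    string
		enabled bool
	}{
		{"tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled", tlsEcdheEcdsaWithAes256CbcShaCiphers},
		{"tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled", tlsEcdheEcdsaWithAes128CbcShaCiphers},
		{"tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled", tlsEcdheRsaWithAes256CbcShaCiphers},
		{"tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled", tlsEcdheRsaWithAes128CbcShaCiphers},
		{"tls_rsa_with_aes128_gcm_sha256_ciphers_enabled", tlsRsaWithAes128GcmSha256Ciphers},
		{"tls_rsa_with_aes256_cbc_sha256_ciphers_enabled", tlsRsaWithAes256CbcSha256Ciphers},
		{"tls_rsa_with_aes128_cbc_sha256_ciphers_enabled", tlsRsaWithAes128CbcSha256Ciphers},
		{"tls_rsa_with_aes256_cbc_sha_ciphers_enabled", tlsRsaWithAes256CbcShaCiphers},
		{"tls_rsa_with_aes128_cbc_sha_ciphers_enabled", tlsRsaWithAes128CbcShaCiphers},
	}
	if skuIsConsumption {
		for _, c := range consumptionUnsupported {
			if c.enabled {
				return nil, fmt.Errorf("`%s` is not supported for Sku Tier `Consumption`", c.attr)
			}
		}
	}
```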
@@ -1199,6 +1327,15 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio
 if !skuIsConsumption {
 customProperties[apimFrontendProtocolSsl3] = utils.String(strconv.FormatBool(frontendProtocolSsl3))
 customProperties[apimTripleDesCiphers] = utils.String(strconv.FormatBool(tripleDesCiphers))
+ customProperties[apimTlsEcdheEcdsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes256CbcShaCiphers))
+ customProperties[apimTlsEcdheEcdsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes128CbcShaCiphers))
+ customProperties[apimTlsEcdheRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes256CbcShaCiphers))
+ customProperties[apimTlsEcdheRsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes128CbcShaCiphers))
+ customProperties[apimTlsRsaWithAes128GcmSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128GcmSha256Ciphers))
+ customProperties[apimTlsRsaWithAes256CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcSha256Ciphers))
+ customProperties[apimTlsRsaWithAes128CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128CbcSha256Ciphers))
+ customProperties[apimTlsRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcShaCiphers))
+ customProperties[apimTlsRsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128CbcShaCiphers))
 }
 if vp := d.Get("protocols").([]interface{}); len(vp) > 0 {
@@ -1235,7 +1372,17 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string, skuI
 if !skuIsConsumption {
 output["enable_frontend_ssl30"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolSsl3)
- output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers)
+ output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers)
+ output["enable_triple_des_ciphers"] = output["triple_des_ciphers_enabled"] // TODO: remove in v3.0
+ output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers)
+ output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers)
+ output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers)
+ output["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers)
+ output["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers)
+ output["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers)
+ output["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers)
+ output["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers)
+ output["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers)
 }
 return []interface{}{output}
diff --git a/azurerm/internal/services/apimanagement/api_management_resource_test.go b/azurerm/internal/services/apimanagement/api_management_resource_test.go
index 493a3e0716e3..1203dbebbe60 100644
--- a/azurerm/internal/services/apimanagement/api_management_resource_test.go
+++ b/azurerm/internal/services/apimanagement/api_management_resource_test.go
@@ -648,8 +648,8 @@ resource "azurerm_api_management" "test" {
 sku_name = "Developer_1"
 security {
- enable_frontend_tls10 = true
- enable_triple_des_ciphers = true
+ enable_frontend_tls10 = true
+ triple_des_ciphers_enabled = true
 }
 }
 `, data.RandomInteger, data.Locations.Secondary, data.RandomInteger)
@@ -744,13 +744,22 @@ resource "azurerm_api_management" "test" {
 }
 security {
- enable_backend_tls11 = true
- enable_backend_ssl30 = true
- enable_backend_tls10 = true
- enable_frontend_ssl30 = true
- enable_frontend_tls10 = true
- enable_frontend_tls11 = true
- enable_triple_des_ciphers = true
+ enable_backend_tls11 = true
+ enable_backend_ssl30 = true
+ enable_backend_tls10 = true
+ enable_frontend_ssl30 = true
+ enable_frontend_tls10 = true
+ enable_frontend_tls11 = true
+ tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = true
+ tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = true
+ tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled = true
+ tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled = true
+ tls_rsa_with_aes128_cbc_sha256_ciphers_enabled = true
+ tls_rsa_with_aes128_cbc_sha_ciphers_enabled = true
+ tls_rsa_with_aes128_gcm_sha256_ciphers_enabled = true
+ tls_rsa_with_aes256_cbc_sha256_ciphers_enabled = true
+ tls_rsa_with_aes256_cbc_sha_ciphers_enabled = true
+ triple_des_ciphers_enabled = true
 }
 hostname_configuration {
diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown
index 8cb2f5318790..26c0bc20c8f4 100644
--- a/website/docs/r/api_management.html.markdown
+++ b/website/docs/r/api_management.html.markdown
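Review bot: Neither updated configuration exercises the deprecated alias: both now set `triple_des_ciphers_enabled`, so nothing in this commit checks that a configuration still using `enable_triple_des_ciphers = true` actually enables the cipher, which is exactly the path the `exists` handling in expandApiManagementCustomProperties depends on. Keeping one test config on the old name, or adding a step that switches from `enable_triple_des_ciphers = true` to `triple_des_ciphers_enabled = true` and expects an empty plan, would cover the rename. The second config enables every legacy cipher at once on `Developer_1`, which verifies the round-trip but not that the Consumption SKU rejects them; a short negative step with `ExpectError` would close that gap if the suite already uses that pattern. The enclosing test-config functions start and end outside these hunks.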
@@ -215,8 +215,48 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11` field +* `tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` field + +* `tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` field + +* `tls_ecdheRsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` field + +* `tls_ecdheRsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` field + +* `tls_rsa_with_aes128_cbc_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256` field + +* `tls_rsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. 
+ +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA` field + +* `tls_rsa_with_aes128_gcm_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256` field + +* `tls_rsa_with_aes256_cbc_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256` field + +* `tls_rsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field + * `enable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. + -> **Note:** This property has been deprecated in favour of the `triple_des_ciphers_enabled` property and will be removed in version 3.0 of the provider. + +* `triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. + -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168` field * `disable_backend_ssl30` - (Optional) Should SSL 3.0 be disabled on the backend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`. 
@@ -243,10 +283,6 @@ A `security` block supports the following: -> **Note:** This property has been deprecated in favour of the `enable_frontend_tls11` property and will be removed in version 2.0 of the provider. -* `disable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be disabled for alL TLS versions (1.0, 1.1 and 1.2)? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`. - --> **Note:** This property has been deprecated in favour of the `enable_triple_des_ciphers` property and will be removed in version 2.0 of the provider. - --- A `sign_in` block supports the following: