From fc4a449ed323e66ba26932d12da4984ac1d38605 Mon Sep 17 00:00:00 2001
From: Florian Mueller
Date: Wed, 11 Nov 2020 22:26:50 +0100
Subject: [PATCH 01/16] Add more cipher options to API management.
---
.../apimanagement/api_management_resource.go | 106 ++++++++++++++++--
website/docs/r/api_management.html.markdown | 36 ++++++
2 files changed, 135 insertions(+), 7 deletions(-)
diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go
index 97643d4c93a9..d477d3c5f084 100644
--- a/azurerm/internal/services/apimanagement/api_management_resource.go
+++ b/azurerm/internal/services/apimanagement/api_management_resource.go
@@ -33,6 +33,15 @@ var apimFrontendProtocolTls10 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Se var apimFrontendProtocolTls11 = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11" var apimTripleDesCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168" var apimHttp2Protocol = "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2" +var apimTlsEcdheEcdsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" +var apimTlsEcdheEcdsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" +var apimTlsEcdheRsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" +var apimTlsEcdheRsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" +var apimTlsRsaWithAes128GcmSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256" +var apimTlsRsaWithAes256CbcSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256" +var apimTlsRsaWithAes128CbcSha256Ciphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256" +var apimTlsRsaWithAes256CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA" +var apimTlsRsaWithAes128CbcShaCiphers = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA" func resourceArmApiManagementService() *schema.Resource { return &schema.Resource{ 
@@ -294,6 +303,52 @@ func resourceArmApiManagementService() *schema.Resource { Optional: true, Default: false, }, + + "enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsEcdheRsaWithAes256CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsEcdheRsaWithAes128CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsRsaWithAes128GcmSha256_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsRsaWithAes256CbcSha256_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsRsaWithAes128CbcSha256_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsRsaWithAes256CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "enable_tlsRsaWithAes128CbcSha_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, }, }, }, @@ -1130,6 +1185,15 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolTls10 := false frontendProtocolTls11 := false tripleDesCiphers := false + tlsEcdheEcdsaWithAes256CbcShaCiphers := false + tlsEcdheEcdsaWithAes128CbcShaCiphers := false + tlsEcdheRsaWithAes256CbcShaCiphers := false + tlsEcdheRsaWithAes128CbcShaCiphers := false + tlsRsaWithAes128GcmSha256Ciphers := false + tlsRsaWithAes256CbcSha256Ciphers := false + tlsRsaWithAes128CbcSha256Ciphers := false + tlsRsaWithAes256CbcShaCiphers := false + tlsRsaWithAes128CbcShaCiphers := false if vs := d.Get("security").([]interface{}); len(vs) > 0 { v := vs[0].(map[string]interface{}) 
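Review bot: Each of the nine new `security` attributes is declared with only `Type`, `Optional` and `Default: false`, so nothing in the schema tells a user what enabling one means, although every suite here is either CBC-mode or static-RSA key exchange, which are the ones normally switched off when hardening a gateway. Because `expandApiManagementCustomProperties` later in this patch writes every one of these keys whether or not the user set it, `Default: false` also means an existing service gets the suites explicitly disabled on the next apply. If the service treats an unset property as enabled (worth confirming against the API Management documentation), that is a behaviour change for legacy clients and should be called out in the changelog and resource docs. I would add a description to each entry, for example `Description: "Enables TLS_RSA_WITH_AES_128_CBC_SHA (CBC mode, no forward secrecy); leave false unless a legacy client requires it.",`. The enclosing `resourceArmApiManagementService` starts and ends outside the hunk.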
@@ -1140,16 +1204,35 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolTls10 = v["enable_frontend_tls10"].(bool) frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) tripleDesCiphers = v["enable_triple_des_ciphers"].(bool) + + tlsEcdheEcdsaWithAes256CbcShaCiphers = v["enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers"].(bool) + tlsEcdheEcdsaWithAes128CbcShaCiphers = v["enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers"].(bool) + tlsEcdheRsaWithAes256CbcShaCiphers = v["enable_tlsEcdheRsaWithAes256CbcSha_ciphers"].(bool) + tlsEcdheRsaWithAes128CbcShaCiphers = v["enable_tlsEcdheRsaWithAes128CbcSha_ciphers"].(bool) + tlsRsaWithAes128GcmSha256Ciphers = v["enable_tlsRsaWithAes128GcmSha256_ciphers"].(bool) + tlsRsaWithAes256CbcSha256Ciphers = v["enable_tlsRsaWithAes256CbcSha256_ciphers"].(bool) + tlsRsaWithAes128CbcSha256Ciphers = v["enable_tlsRsaWithAes128CbcSha256_ciphers"].(bool) + tlsRsaWithAes256CbcShaCiphers = v["enable_tlsRsaWithAes256CbcSha_ciphers"].(bool) + tlsRsaWithAes128CbcShaCiphers = v["enable_tlsRsaWithAes128CbcSha_ciphers"].(bool) } customProperties := map[string]*string{ - apimBackendProtocolSsl3: utils.String(strconv.FormatBool(backendProtocolSsl3)), - apimBackendProtocolTls10: utils.String(strconv.FormatBool(backendProtocolTls10)), - apimBackendProtocolTls11: utils.String(strconv.FormatBool(backendProtocolTls11)), - apimFrontendProtocolSsl3: utils.String(strconv.FormatBool(frontendProtocolSsl3)), - apimFrontendProtocolTls10: utils.String(strconv.FormatBool(frontendProtocolTls10)), - apimFrontendProtocolTls11: utils.String(strconv.FormatBool(frontendProtocolTls11)), - apimTripleDesCiphers: utils.String(strconv.FormatBool(tripleDesCiphers)), + apimBackendProtocolSsl3: utils.String(strconv.FormatBool(backendProtocolSsl3)), + apimBackendProtocolTls10: utils.String(strconv.FormatBool(backendProtocolTls10)), + apimBackendProtocolTls11: utils.String(strconv.FormatBool(backendProtocolTls11)), + 
apimFrontendProtocolSsl3: utils.String(strconv.FormatBool(frontendProtocolSsl3)), + apimFrontendProtocolTls10: utils.String(strconv.FormatBool(frontendProtocolTls10)), + apimFrontendProtocolTls11: utils.String(strconv.FormatBool(frontendProtocolTls11)), + apimTripleDesCiphers: utils.String(strconv.FormatBool(tripleDesCiphers)), + apimTlsEcdheEcdsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes256CbcShaCiphers)), + apimTlsEcdheEcdsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes128CbcShaCiphers)), + apimTlsEcdheRsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheRsaWithAes256CbcShaCiphers)), + apimTlsEcdheRsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheRsaWithAes128CbcShaCiphers)), + apimTlsRsaWithAes128GcmSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes128GcmSha256Ciphers)), + apimTlsRsaWithAes256CbcSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes256CbcSha256Ciphers)), + apimTlsRsaWithAes128CbcSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes128CbcSha256Ciphers)), + apimTlsRsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsRsaWithAes256CbcShaCiphers)), + apimTlsRsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsRsaWithAes128CbcShaCiphers)), } if vp := d.Get("protocols").([]interface{}); len(vp) > 0 { 
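Review bot: The nine added `v["enable_…_ciphers"].(bool)` reads are unchecked type assertions on keys that this patch spells out by hand in three places: the schema, this function, and `flattenApiManagementSecurityCustomProperties`. A key that differs from the schema by one character yields a nil interface, and the assertion then panics during apply. Driving the cipher entries from one table of attribute name to custom-property name removes the duplicated spelling and makes the write of `false` for unset attributes explicit. The sketch below covers only the cipher entries; the function begins before the hunk and continues past it.

```go
// apimCipherAttributes maps each `security` attribute to the custom property it controls.
var apimCipherAttributes = map[string]string{
	"enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers": apimTlsEcdheEcdsaWithAes256CbcShaCiphers,
	"enable_tlsRsaWithAes128GcmSha256_ciphers":     apimTlsRsaWithAes128GcmSha256Ciphers,
	// … one entry for each of the remaining seven suites …
}

// … unchanged: protocol and triple-DES locals, and the customProperties literal for them …

// Every suite is written on each apply; an attribute that is not set is sent as "false".
security := map[string]interface{}{}
if vs := d.Get("security").([]interface{}); len(vs) > 0 {
	security, _ = vs[0].(map[string]interface{})
}
for attribute, property := range apimCipherAttributes {
	enabled, _ := security[attribute].(bool)
	customProperties[property] = utils.String(strconv.FormatBool(enabled))
}
```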
@@ -1185,6 +1268,15 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string) []in output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) + output["enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) + output["enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) + output["enable_tlsEcdheRsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) + output["enable_tlsEcdheRsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) + output["enable_tlsRsaWithAes128GcmSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) + output["enable_tlsRsaWithAes256CbcSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) + output["enable_tlsRsaWithAes128CbcSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) + output["enable_tlsRsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) + output["enable_tlsRsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) return []interface{}{output} } diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index 12e0a7b3b35c..1afde90fd254 100644 --- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown 
@@ -214,6 +214,42 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11` field +* `enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` field + +* `enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` field + +* `enable_tlsEcdheRsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` field + +* `enable_tlsEcdheRsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` field + +* `enable_tlsRsaWithAes128CbcSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256` field + +* `enable_tlsRsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. 
+ +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA` field + +* `enable_tlsRsaWithAes128GcmSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256` field + +* `enable_tlsRsaWithAes256CbcSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256` field + +* `enable_tlsRsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. + +-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field + * `enable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168` field From aa8fd44b22f9753b76c43730783851b7585ffffb Mon Sep 17 00:00:00 2001 From: Florian Mueller Date: Wed, 11 Nov 2020 22:35:16 +0100 Subject: [PATCH 02/16] Add new cipher options to acc test. --- .../tests/api_management_resource_test.go | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go index 976e06b4097a..cb591077439f 100644 --- a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go +++ b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go 
@@ -822,13 +822,22 @@ resource "azurerm_api_management" "test" { } security { - enable_backend_tls11 = true - enable_backend_ssl30 = true - enable_backend_tls10 = true - enable_frontend_ssl30 = true - enable_frontend_tls10 = true - enable_frontend_tls11 = true - enable_triple_des_ciphers = true + enable_backend_tls11 = true + enable_backend_ssl30 = true + enable_backend_tls10 = true + enable_frontend_ssl30 = true + enable_frontend_tls10 = true + enable_frontend_tls11 = true + enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers = true + enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers = true + enable_tlsEcdheRsaWithAes128CbcSha_ciphers = true + enable_tlsEcdheRsaWithAes256CbcSha_ciphers = true + enable_tlsRsaWithAes128CbcSha256_ciphers = true + enable_tlsRsaWithAes128CbcSha_ciphers = true + enable_tlsRsaWithAes128GcmSha256_ciphers = true + enable_tlsRsaWithAes256CbcSha256_ciphers = true + enable_tlsRsaWithAes256CbcSha_ciphers = true + enable_triple_des_ciphers = true } hostname_configuration { From 29972d5db3487bd031fc831b4f8a850542f8f771 Mon Sep 17 00:00:00 2001 From: flo_02_mu Date: Wed, 11 Nov 2020 23:26:57 +0100 Subject: [PATCH 03/16] Rename cipher options to match allowed pattern --- .../apimanagement/api_management_resource.go | 54 +++++++++---------- .../tests/api_management_resource_test.go | 32 +++++------ website/docs/r/api_management.html.markdown | 18 +++---- 3 files changed, 52 insertions(+), 52 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index d477d3c5f084..2a6a4cc44ae1 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
@@ -304,47 +304,47 @@ func resourceArmApiManagementService() *schema.Resource { Default: false, }, - "enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers": { + "enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers": { + "enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsEcdheRsaWithAes256CbcSha_ciphers": { + "enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsEcdheRsaWithAes128CbcSha_ciphers": { + "enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsRsaWithAes128GcmSha256_ciphers": { + "enable_tls_rsa_with_aes128_gcm_sha256_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsRsaWithAes256CbcSha256_ciphers": { + "enable_tls_rsa_with_aes256_cbc_sha256_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsRsaWithAes128CbcSha256_ciphers": { + "enable_tls_rsa_with_aes128_cbc_sha256_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsRsaWithAes256CbcSha_ciphers": { + "enable_tls_rsa_with_aes256_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tlsRsaWithAes128CbcSha_ciphers": { + "enable_tls_rsa_with_aes128_cbc_sha_ciphers": { Type: schema.TypeBool, Optional: true, Default: false, 
@@ -1205,15 +1205,15 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) tripleDesCiphers = v["enable_triple_des_ciphers"].(bool) - tlsEcdheEcdsaWithAes256CbcShaCiphers = v["enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers"].(bool) - tlsEcdheEcdsaWithAes128CbcShaCiphers = v["enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers"].(bool) - tlsEcdheRsaWithAes256CbcShaCiphers = v["enable_tlsEcdheRsaWithAes256CbcSha_ciphers"].(bool) - tlsEcdheRsaWithAes128CbcShaCiphers = v["enable_tlsEcdheRsaWithAes128CbcSha_ciphers"].(bool) - tlsRsaWithAes128GcmSha256Ciphers = v["enable_tlsRsaWithAes128GcmSha256_ciphers"].(bool) - tlsRsaWithAes256CbcSha256Ciphers = v["enable_tlsRsaWithAes256CbcSha256_ciphers"].(bool) - tlsRsaWithAes128CbcSha256Ciphers = v["enable_tlsRsaWithAes128CbcSha256_ciphers"].(bool) - tlsRsaWithAes256CbcShaCiphers = v["enable_tlsRsaWithAes256CbcSha_ciphers"].(bool) - tlsRsaWithAes128CbcShaCiphers = v["enable_tlsRsaWithAes128CbcSha_ciphers"].(bool) + tlsEcdheEcdsaWithAes256CbcShaCiphers = v["enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers"].(bool) + tlsEcdheEcdsaWithAes128CbcShaCiphers = v["enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers"].(bool) + tlsEcdheRsaWithAes256CbcShaCiphers = v["enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers"].(bool) + tlsEcdheRsaWithAes128CbcShaCiphers = v["enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers"].(bool) + tlsRsaWithAes128GcmSha256Ciphers = v["enable_tls_rsa_with_aes128_gcm_sha256_ciphers"].(bool) + tlsRsaWithAes256CbcSha256Ciphers = v["enable_tls_rsa_with_aes256_cbc_sha256_ciphers"].(bool) + tlsRsaWithAes128CbcSha256Ciphers = v["enable_tls_rsa_with_aes128_cbc_sha256_ciphers"].(bool) + tlsRsaWithAes256CbcShaCiphers = v["enable_tls_rsa_with_aes256_cbc_sha_ciphers"].(bool) + tlsRsaWithAes128CbcShaCiphers = v["enable_tls_rsa_with_aes128_cbc_sha_ciphers"].(bool) } customProperties := map[string]*string{ 
@@ -1268,15 +1268,15 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string) []in output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) - output["enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) - output["enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) - output["enable_tlsEcdheRsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) - output["enable_tlsEcdheRsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) - output["enable_tlsRsaWithAes128GcmSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) - output["enable_tlsRsaWithAes256CbcSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) - output["enable_tlsRsaWithAes128CbcSha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) - output["enable_tlsRsaWithAes256CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) - output["enable_tlsRsaWithAes128CbcSha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) + output["enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) + output["enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) + 
output["enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) + output["enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) + output["enable_tls_rsa_with_aes128_gcm_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) + output["enable_tls_rsa_with_aes256_cbc_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) + output["enable_tls_rsa_with_aes128_cbc_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) + output["enable_tls_rsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) + output["enable_tls_rsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) return []interface{}{output} } diff --git a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go index cb591077439f..d321fd552a28 100644 --- a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go +++ b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go 
@@ -822,22 +822,22 @@ resource "azurerm_api_management" "test" { } security { - enable_backend_tls11 = true - enable_backend_ssl30 = true - enable_backend_tls10 = true - enable_frontend_ssl30 = true - enable_frontend_tls10 = true - enable_frontend_tls11 = true - enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers = true - enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers = true - enable_tlsEcdheRsaWithAes128CbcSha_ciphers = true - enable_tlsEcdheRsaWithAes256CbcSha_ciphers = true - enable_tlsRsaWithAes128CbcSha256_ciphers = true - enable_tlsRsaWithAes128CbcSha_ciphers = true - enable_tlsRsaWithAes128GcmSha256_ciphers = true - enable_tlsRsaWithAes256CbcSha256_ciphers = true - enable_tlsRsaWithAes256CbcSha_ciphers = true - enable_triple_des_ciphers = true + enable_backend_tls11 = true + enable_backend_ssl30 = true + enable_backend_tls10 = true + enable_frontend_ssl30 = true + enable_frontend_tls10 = true + enable_frontend_tls11 = true + enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers = true + enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers = true + enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers = true + enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers = true + enable_tls_rsa_with_aes128_cbc_sha256_ciphers = true + enable_tls_rsa_with_aes128_cbc_sha_ciphers = true + enable_tls_rsa_with_aes128Gcm_sha256_ciphers = true + enable_tls_rsa_with_aes256_cbc_sha256_ciphers = true + enable_tls_rsa_with_aes256_cbc_sha_ciphers = true + enable_triple_des_ciphers = true } hostname_configuration { diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index 1afde90fd254..49c549bf112e 100644 --- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown 
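Review bot: `enable_tls_rsa_with_aes128Gcm_sha256_ciphers` in the renamed `security` block does not match the schema key this same commit introduces, `enable_tls_rsa_with_aes128_gcm_sha256_ciphers`, so the acceptance configuration should be rejected as an unsupported argument and the GCM suite is never exercised. The line should read `enable_tls_rsa_with_aes128_gcm_sha256_ciphers = true`. The documentation hunk for `website/docs/r/api_management.html.markdown` in this commit has the same kind of slip: it lists `enable_tls_ecdheRsa_with_aes128_cbc_sha_ciphers` and `enable_tls_ecdheRsa_with_aes256_cbc_sha_ciphers`, where the schema uses `ecdhe_rsa`. The test function around this configuration string lies outside the hunk.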
@@ -214,39 +214,39 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11` field -* `enable_tlsEcdheEcdsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` field -* `enable_tlsEcdheEcdsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. +* `enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` field -* `enable_tlsEcdheRsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `enable_tls_ecdheRsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` field -* `enable_tlsEcdheRsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. +* `enable_tls_ecdheRsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. 
-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` field -* `enable_tlsRsaWithAes128CbcSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. +* `enable_tls_rsa_with_aes128_cbc_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256` field -* `enable_tlsRsaWithAes128CbcSha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `enable_tls_rsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA` field -* `enable_tlsRsaWithAes128GcmSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. +* `enable_tls_rsa_with_aes128_gcm_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256` field -* `enable_tlsRsaWithAes256CbcSha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. +* `enable_tls_rsa_with_aes256_cbc_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256` field -* `enable_tlsRsaWithAes256CbcSha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. 
+* `enable_tls_rsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field From 613fea449a73725568789d10e08fcab5a2e1545d Mon Sep 17 00:00:00 2001 From: Florian Mueller Date: Thu, 12 Nov 2020 08:46:53 +0100 Subject: [PATCH 04/16] Rename all cipher flags to match proposed convention. --- .../apimanagement/api_management_resource.go | 60 +++++++++---------- .../tests/api_management_resource_test.go | 36 +++++------ website/docs/r/api_management.html.markdown | 24 ++++---- 3 files changed, 60 insertions(+), 60 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index 2a6a4cc44ae1..e7a734529349 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
@@ -298,53 +298,53 @@ func resourceArmApiManagementService() *schema.Resource { Default: false, }, - "enable_triple_des_ciphers": { + "triple_des_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers": { + "tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers": { + "tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers": { + "tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers": { + "tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_rsa_with_aes128_gcm_sha256_ciphers": { + "tls_rsa_with_aes128_gcm_sha256_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_rsa_with_aes256_cbc_sha256_ciphers": { + "tls_rsa_with_aes256_cbc_sha256_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_rsa_with_aes128_cbc_sha256_ciphers": { + "tls_rsa_with_aes128_cbc_sha256_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_rsa_with_aes256_cbc_sha_ciphers": { + "tls_rsa_with_aes256_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, - "enable_tls_rsa_with_aes128_cbc_sha_ciphers": { + "tls_rsa_with_aes128_cbc_sha_ciphers_enabled": { Type: schema.TypeBool, Optional: true, Default: false, 
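Review bot: Renaming `enable_triple_des_ciphers` to `triple_des_ciphers_enabled` removes an attribute that existed before this series (it appears as context in the first commit), and this hunk leaves no deprecated alias behind, so existing configurations that set the old name will fail to plan. Unless a later commit restores it, I would keep the old key in the schema with `Deprecated: "use triple_des_ciphers_enabled instead",` and `ConflictsWith` pointing at the new key, and have the expand function read whichever is set. The nine suite attributes are new in this series and can be renamed freely. The block also now mixes two conventions, since the sibling `enable_backend_*` and `enable_frontend_*` attributes keep their prefix. The enclosing `resourceArmApiManagementService` starts and ends outside the hunk.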
@@ -1203,17 +1203,17 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolSsl3 = v["enable_frontend_ssl30"].(bool) frontendProtocolTls10 = v["enable_frontend_tls10"].(bool) frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) - tripleDesCiphers = v["enable_triple_des_ciphers"].(bool) + tripleDesCiphers = v["triple_des_ciphers_enabled"].(bool) - tlsEcdheEcdsaWithAes256CbcShaCiphers = v["enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers"].(bool) - tlsEcdheEcdsaWithAes128CbcShaCiphers = v["enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers"].(bool) - tlsEcdheRsaWithAes256CbcShaCiphers = v["enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers"].(bool) - tlsEcdheRsaWithAes128CbcShaCiphers = v["enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers"].(bool) - tlsRsaWithAes128GcmSha256Ciphers = v["enable_tls_rsa_with_aes128_gcm_sha256_ciphers"].(bool) - tlsRsaWithAes256CbcSha256Ciphers = v["enable_tls_rsa_with_aes256_cbc_sha256_ciphers"].(bool) - tlsRsaWithAes128CbcSha256Ciphers = v["enable_tls_rsa_with_aes128_cbc_sha256_ciphers"].(bool) - tlsRsaWithAes256CbcShaCiphers = v["enable_tls_rsa_with_aes256_cbc_sha_ciphers"].(bool) - tlsRsaWithAes128CbcShaCiphers = v["enable_tls_rsa_with_aes128_cbc_sha_ciphers"].(bool) + tlsEcdheEcdsaWithAes256CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"].(bool) + tlsEcdheEcdsaWithAes128CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"].(bool) + tlsEcdheRsaWithAes256CbcShaCiphers = v["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool) + tlsEcdheRsaWithAes128CbcShaCiphers = v["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"].(bool) + tlsRsaWithAes128GcmSha256Ciphers = v["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"].(bool) + tlsRsaWithAes256CbcSha256Ciphers = v["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"].(bool) + tlsRsaWithAes128CbcSha256Ciphers = v["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"].(bool) + tlsRsaWithAes256CbcShaCiphers 
= v["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool) + tlsRsaWithAes128CbcShaCiphers = v["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"].(bool) } customProperties := map[string]*string{ 
@@ -1267,16 +1267,16 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string) []in output["enable_frontend_ssl30"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolSsl3) output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) - output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) - output["enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) - output["enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) - output["enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) - output["enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) - output["enable_tls_rsa_with_aes128_gcm_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) - output["enable_tls_rsa_with_aes256_cbc_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) - output["enable_tls_rsa_with_aes128_cbc_sha256_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) - output["enable_tls_rsa_with_aes256_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) - output["enable_tls_rsa_with_aes128_cbc_sha_ciphers"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) + output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) + output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = 
parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) + output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) + output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) + output["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) + output["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) + output["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) + output["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) + output["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) + output["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) return []interface{}{output} } diff --git a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go index d321fd552a28..975714772c09 100644 --- a/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go +++ b/azurerm/internal/services/apimanagement/tests/api_management_resource_test.go @@ -726,8 +726,8 @@ resource "azurerm_api_management" "test" { sku_name = "Developer_1" security { - enable_frontend_tls10 = true - enable_triple_des_ciphers = true + enable_frontend_tls10 = true + triple_des_ciphers_enabled = true } } `, data.RandomInteger, data.Locations.Secondary, data.RandomInteger) 
@@ -822,22 +822,22 @@ resource "azurerm_api_management" "test" { } security { - enable_backend_tls11 = true - enable_backend_ssl30 = true - enable_backend_tls10 = true - enable_frontend_ssl30 = true - enable_frontend_tls10 = true - enable_frontend_tls11 = true - enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers = true - enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers = true - enable_tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers = true - enable_tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers = true - enable_tls_rsa_with_aes128_cbc_sha256_ciphers = true - enable_tls_rsa_with_aes128_cbc_sha_ciphers = true - enable_tls_rsa_with_aes128Gcm_sha256_ciphers = true - enable_tls_rsa_with_aes256_cbc_sha256_ciphers = true - enable_tls_rsa_with_aes256_cbc_sha_ciphers = true - enable_triple_des_ciphers = true + enable_backend_tls11 = true + enable_backend_ssl30 = true + enable_backend_tls10 = true + enable_frontend_ssl30 = true + enable_frontend_tls10 = true + enable_frontend_tls11 = true + tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = true + tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = true + tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled = true + tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled = true + tls_rsa_with_aes128_cbc_sha256_ciphers_enabled = true + tls_rsa_with_aes128_cbc_sha_ciphers_enabled = true + tls_rsa_with_aes128Gcm_sha256_ciphers_enabled = true + tls_rsa_with_aes256_cbc_sha256_ciphers_enabled = true + tls_rsa_with_aes256_cbc_sha_ciphers_enabled = true + triple_des_ciphers_enabled = true } hostname_configuration { diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index 49c549bf112e..aaef2cdf2cdc 100644 --- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown 
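Review bot: The renamed key `tls_rsa_with_aes128Gcm_sha256_ciphers_enabled` in this test config does not match the schema attribute `tls_rsa_with_aes128_gcm_sha256_ciphers_enabled` declared in api_management_resource.go. Terraform should reject the config as an unsupported argument, so the test never exercises the GCM toggle. Change the line to `tls_rsa_with_aes128_gcm_sha256_ciphers_enabled = true`; the `aes128Gcm` casing was already present in the old `enable_…` name, so it predates the rename. The docs hunk of the same commit has a similar slip in `tls_ecdheRsa_with_aes128_cbc_sha_ciphers_enabled` and `tls_ecdheRsa_with_aes256_cbc_sha_ciphers_enabled`, which users would copy into their configs. The resource block continues outside the hunk.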
@@ -214,43 +214,43 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11` field -* `enable_tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` field -* `enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. +* `tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` field -* `enable_tls_ecdheRsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `tls_ecdheRsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` field -* `enable_tls_ecdheRsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. +* `tls_ecdheRsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. 
-> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` field -* `enable_tls_rsa_with_aes128_cbc_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. +* `tls_rsa_with_aes128_cbc_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256` field -* `enable_tls_rsa_with_aes128_cbc_sha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. +* `tls_rsa_with_aes128_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA` field -* `enable_tls_rsa_with_aes128_gcm_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. +* `tls_rsa_with_aes128_gcm_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256` field -* `enable_tls_rsa_with_aes256_cbc_sha256_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. +* `tls_rsa_with_aes256_cbc_sha256_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256` field -* `enable_tls_rsa_with_aes256_cbc_sha_ciphers` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. 
+* `tls_rsa_with_aes256_cbc_sha_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher be enabled? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field -* `enable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. +* `triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168` field @@ -278,9 +278,9 @@ A `security` block supports the following: -> **Note:** This property has been deprecated in favour of the `enable_frontend_tls11` property and will be removed in version 2.0 of the provider. -* `disable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be disabled for alL TLS versions (1.0, 1.1 and 1.2)? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`. +* `disable_triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be disabled for alL TLS versions (1.0, 1.1 and 1.2)? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`. --> **Note:** This property has been deprecated in favour of the `enable_triple_des_ciphers` property and will be removed in version 2.0 of the provider. +-> **Note:** This property has been deprecated in favour of the `triple_des_ciphers_enabled` property and will be removed in version 2.0 of the provider. --- From 633c21a3ad07dcbbb777d787b22a4a4e510576ee Mon Sep 17 00:00:00 2001 
From: flo_02_mu Date: Sat, 28 Nov 2020 22:23:19 +0100 Subject: [PATCH 05/16] Add deprecation fallback for enable_triple_des_ciphers --- .../apimanagement/api_management_resource.go | 26 ++++++++++++++++--- website/docs/r/api_management.html.markdown | 2 ++ 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index ec5a9a92c160..cad1c1abb9e9 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go @@ -300,10 +300,20 @@ func resourceArmApiManagementService() *schema.Resource { Default: false, }, + // TODO: Remove after deprecation + "enable_triple_des_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ConflictsWith: []string{"triple_des_ciphers_enabled"}, + Deprecated: "this has been renamed to the boolean attribute `triple_des_ciphers_enabled`.", + }, + "triple_des_ciphers_enabled": { - Type: schema.TypeBool, - Optional: true, - Default: false, + Type: schema.TypeBool, + Optional: true, + Default: false, + ConflictsWith: []string{"enable_triple_des_ciphers"}, }, "tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": { 
@@ -1205,7 +1215,14 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolSsl3 = v["enable_frontend_ssl30"].(bool) frontendProtocolTls10 = v["enable_frontend_tls10"].(bool) frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) - tripleDesCiphers = v["triple_des_ciphers_enabled"].(bool) + + // TODO: Remove and simplify after deprecation + if v, ok := d.GetOk("enable_triple_des_ciphers"); ok { + tripleDesCiphers = v.(bool) + } + if v, ok := d.GetOk("triple_des_ciphers_enabled"); ok { + tripleDesCiphers = v.(bool) + } tlsEcdheEcdsaWithAes256CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"].(bool) tlsEcdheEcdsaWithAes128CbcShaCiphers = v["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"].(bool) @@ -1269,6 +1286,7 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string) []in output["enable_frontend_ssl30"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolSsl3) output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) + output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index aaef2cdf2cdc..721f1e77dfd6 100644 --- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown 
@@ -250,6 +250,8 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field +* `enable_triple_des_ciphers` - (Optional / **Deprecated in favour of `triple_des_ciphers_enabled`**) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. + * `triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168` field From db4e4bb8304f2fc87016a3c780f0250309554e26 Mon Sep 17 00:00:00 2001 From: flo_02_mu Date: Sat, 28 Nov 2020 23:18:58 +0100 Subject: [PATCH 06/16] Fix path for deprecated triple des property --- .../services/apimanagement/api_management_resource.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index cad1c1abb9e9..3f2812f65f39 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go @@ -305,7 +305,7 @@ func resourceArmApiManagementService() *schema.Resource { Type: schema.TypeBool, Optional: true, Default: false, - ConflictsWith: []string{"triple_des_ciphers_enabled"}, + ConflictsWith: []string{"security.triple_des_ciphers_enabled"}, Deprecated: "this has been renamed to the boolean attribute `triple_des_ciphers_enabled`.", }, 
@@ -313,7 +313,7 @@ func resourceArmApiManagementService() *schema.Resource { Type: schema.TypeBool, Optional: true, Default: false, - ConflictsWith: []string{"enable_triple_des_ciphers"}, + ConflictsWith: []string{"security.enable_triple_des_ciphers"}, }, "tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": { @@ -1217,10 +1217,10 @@ func expandApiManagementCustomProperties(d *schema.ResourceData) map[string]*str frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) // TODO: Remove and simplify after deprecation - if v, ok := d.GetOk("enable_triple_des_ciphers"); ok { + if v, ok := d.GetOk("security.enable_triple_des_ciphers"); ok { tripleDesCiphers = v.(bool) } - if v, ok := d.GetOk("triple_des_ciphers_enabled"); ok { + if v, ok := d.GetOk("security.triple_des_ciphers_enabled"); ok { tripleDesCiphers = v.(bool) } From 946499d0fdbc8b2caa29475f413ccccb99620ea1 Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:17:08 +0100 Subject: [PATCH 07/16] Update azurerm/internal/services/apimanagement/api_management_resource.go Co-authored-by: Tom Bamford --- .../internal/services/apimanagement/api_management_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index 037a39d1fadb..f0c17d560508 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go @@ -298,7 +298,7 @@ func resourceApiManagementService() *schema.Resource { Type: schema.TypeBool, Optional: true, Default: false, - ConflictsWith: []string{"security.triple_des_ciphers_enabled"}, + ConflictsWith: []string{"security.0.triple_des_ciphers_enabled"}, Deprecated: "this has been renamed to the boolean attribute `triple_des_ciphers_enabled`.", }, 
From c57121f128243e27894e99c8cda2ad304827891c Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:17:24 +0100 Subject: [PATCH 08/16] Update azurerm/internal/services/apimanagement/api_management_resource.go Co-authored-by: Tom Bamford --- .../internal/services/apimanagement/api_management_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index f0c17d560508..ef095fdbb14e 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go @@ -306,7 +306,7 @@ func resourceApiManagementService() *schema.Resource { Type: schema.TypeBool, Optional: true, Default: false, - ConflictsWith: []string{"security.enable_triple_des_ciphers"}, + ConflictsWith: []string{"security.0.enable_triple_des_ciphers"}, }, "tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": { From 91acc4812e34aebcd2a45ff918a4de7700ae4e36 Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:17:47 +0100 Subject: [PATCH 09/16] Update azurerm/internal/services/apimanagement/api_management_resource.go Co-authored-by: Tom Bamford --- .../services/apimanagement/api_management_resource.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index ef095fdbb14e..10fff3bc279c 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
@@ -1254,10 +1254,10 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio frontendProtocolTls11 = v["enable_frontend_tls11"].(bool) // TODO: Remove and simplify after deprecation - if v, ok := d.GetOk("security.enable_triple_des_ciphers"); ok { + if v, exists := v["enable_triple_des_ciphers"]; exists { tripleDesCiphers = v.(bool) } - if v, ok := d.GetOk("security.triple_des_ciphers_enabled"); ok { + if v, exists := v["triple_des_ciphers_enabled"]; exists { tripleDesCiphers = v.(bool) } From cd34408e2d0966b8b95d4d927e49c2febbf1e81c Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:18:09 +0100 Subject: [PATCH 10/16] Update azurerm/internal/services/apimanagement/api_management_resource.go Co-authored-by: Tom Bamford --- .../internal/services/apimanagement/api_management_resource.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index 10fff3bc279c..6530114deae0 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
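Review bot: The second lookup always overwrites the first, so a config that sets only the deprecated `enable_triple_des_ciphers = true` ends up with `tripleDesCiphers == false` and the setting is silently ignored. This assumes `v` is the map read from the `security` block and carries every schema key with its default, which the neighbouring `v["enable_frontend_tls11"].(bool)` assertion (no existence check) suggests; both `exists` results are then always true. Because the two attributes conflict with each other, combining them is enough: `tripleDesCiphers = v["enable_triple_des_ciphers"].(bool) || v["triple_des_ciphers_enabled"].(bool)`. An acceptance test that sets only the deprecated attribute would pin this. The function body starts and ends outside the hunk.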
@@ -1334,8 +1334,9 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string, skuI output["enable_backend_tls11"] = parseApiManagementNilableDictionary(input, apimBackendProtocolTls11) output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) - output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) + output["enable_triple_des_ciphers"] = output["triple_des_ciphers_enabled"] // TODO: remove in v3.0 + output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) From 937847a90365d8e1840deff74f2d9ebc077e9168 Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:18:21 +0100 Subject: [PATCH 11/16] Update azurerm/internal/services/apimanagement/api_management_resource.go Co-authored-by: Tom Bamford --- .../internal/services/apimanagement/api_management_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index 6530114deae0..bb8d56d06967 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
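Review bot: Copying the read value into `enable_triple_des_ciphers` will probably produce a permanent plan diff, because the schema hunk of PATCH 05 declares both attributes with `Default: false`. When a config sets only `triple_des_ciphers_enabled = true`, state holds `true` for the deprecated key while its configured value falls back to `false`. Consider marking both attributes `Computed: true` instead of giving them a default until the old name is removed. The comment could also say why the copy exists, e.g. `// TODO: remove in v3.0; mirrored so configs using the old name read back the same value`. The function continues outside the hunk.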
@@ -293,7 +293,7 @@ func resourceApiManagementService() *schema.Resource { Default: false, }, - // TODO: Remove after deprecation + // TODO: Remove in v3.0 "enable_triple_des_ciphers": { Type: schema.TypeBool, Optional: true, From 4a8635b669f78f4c454b36733e2b2db9db0cfaa9 Mon Sep 17 00:00:00 2001 From: Florian Mueller Date: Tue, 12 Jan 2021 14:23:12 +0100 Subject: [PATCH 12/16] Remove non-existing property from documentation. --- website/docs/r/api_management.html.markdown | 4 ---- 1 file changed, 4 deletions(-) diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index 8fc753566fa2..7edc9ea11e14 100644 --- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown @@ -281,10 +281,6 @@ A `security` block supports the following: -> **Note:** This property has been deprecated in favour of the `enable_frontend_tls11` property and will be removed in version 2.0 of the provider. -* `disable_triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be disabled for alL TLS versions (1.0, 1.1 and 1.2)? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`. - --> **Note:** This property has been deprecated in favour of the `triple_des_ciphers_enabled` property and will be removed in version 2.0 of the provider. - --- A `sign_in` block supports the following: From 841568f8e8c4db750ccfcf81f6f4bc436e8f6f40 Mon Sep 17 00:00:00 2001 From: Florian Mueller <46089838+flo-02-mu@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:24:18 +0100 Subject: [PATCH 13/16] Update website/docs/r/api_management.html.markdown Co-authored-by: Tom Bamford --- website/docs/r/api_management.html.markdown | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown index 7edc9ea11e14..26c0bc20c8f4 100644 
--- a/website/docs/r/api_management.html.markdown +++ b/website/docs/r/api_management.html.markdown @@ -251,7 +251,9 @@ A `security` block supports the following: -> **info:** This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA` field -* `enable_triple_des_ciphers` - (Optional / **Deprecated in favour of `triple_des_ciphers_enabled`**) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. +* `enable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. + + -> **Note:** This property has been deprecated in favour of the `triple_des_ciphers_enabled` property and will be removed in version 3.0 of the provider. * `triple_des_ciphers_enabled` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for alL TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`. From 668b0a1d283d77673aa21682310e6d66c7216144 Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 14 Jan 2021 20:25:05 +0000 Subject: [PATCH 14/16] azurerm_api_management: fix typo in test config --- .../services/apimanagement/api_management_resource_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource_test.go b/azurerm/internal/services/apimanagement/api_management_resource_test.go index 645ac15a0ead..1203dbebbe60 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource_test.go +++ b/azurerm/internal/services/apimanagement/api_management_resource_test.go 
@@ -756,7 +756,7 @@ resource "azurerm_api_management" "test" { tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled = true tls_rsa_with_aes128_cbc_sha256_ciphers_enabled = true tls_rsa_with_aes128_cbc_sha_ciphers_enabled = true - tls_rsa_with_aes128Gcm_sha256_ciphers_enabled = true + tls_rsa_with_aes128_gcm_sha256_ciphers_enabled = true tls_rsa_with_aes256_cbc_sha256_ciphers_enabled = true tls_rsa_with_aes256_cbc_sha_ciphers_enabled = true triple_des_ciphers_enabled = true From 22e4937d7045e48d8457aeacd189c2652b5df36a Mon Sep 17 00:00:00 2001 From: Florian Mueller Date: Thu, 14 Jan 2021 22:41:24 +0100 Subject: [PATCH 15/16] Exclude all cipher options for consumption sku --- .../apimanagement/api_management_resource.go | 89 +++++++++++++------ 1 file changed, 61 insertions(+), 28 deletions(-) diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go index bb8d56d06967..cbb9e801781e 100644 --- a/azurerm/internal/services/apimanagement/api_management_resource.go +++ b/azurerm/internal/services/apimanagement/api_management_resource.go 
@@ -1278,29 +1278,64 @@ func expandApiManagementCustomProperties(d *schema.ResourceData, skuIsConsumptio if skuIsConsumption && tripleDesCiphers { return nil, fmt.Errorf("`enable_triple_des_ciphers` is not support for Sku Tier `Consumption`") } + + if skuIsConsumption && tlsEcdheEcdsaWithAes256CbcShaCiphers { + return nil, fmt.Errorf("`tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsEcdheEcdsaWithAes128CbcShaCiphers { + return nil, fmt.Errorf("`tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsEcdheRsaWithAes256CbcShaCiphers { + return nil, fmt.Errorf("`tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsEcdheRsaWithAes128CbcShaCiphers { + return nil, fmt.Errorf("`tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsRsaWithAes128GcmSha256Ciphers { + return nil, fmt.Errorf("`tls_rsa_with_aes128_gcm_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsRsaWithAes256CbcSha256Ciphers { + return nil, fmt.Errorf("`tls_rsa_with_aes256_cbc_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsRsaWithAes128CbcSha256Ciphers { + return nil, fmt.Errorf("`tls_rsa_with_aes128_cbc_sha256_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsRsaWithAes256CbcShaCiphers { + return nil, fmt.Errorf("`tls_rsa_with_aes256_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } + + if skuIsConsumption && tlsRsaWithAes128CbcShaCiphers { + return nil, fmt.Errorf("`tls_rsa_with_aes128_cbc_sha_ciphers_enabled` is not support for Sku Tier `Consumption`") + } } customProperties := map[string]*string{ - apimBackendProtocolSsl3: 
utils.String(strconv.FormatBool(backendProtocolSsl3)), - apimBackendProtocolTls10: utils.String(strconv.FormatBool(backendProtocolTls10)), - apimBackendProtocolTls11: utils.String(strconv.FormatBool(backendProtocolTls11)), - apimFrontendProtocolTls10: utils.String(strconv.FormatBool(frontendProtocolTls10)), - apimFrontendProtocolTls11: utils.String(strconv.FormatBool(frontendProtocolTls11)), - apimTripleDesCiphers: utils.String(strconv.FormatBool(tripleDesCiphers)), - apimTlsEcdheEcdsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes256CbcShaCiphers)), - apimTlsEcdheEcdsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes128CbcShaCiphers)), - apimTlsEcdheRsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheRsaWithAes256CbcShaCiphers)), - apimTlsEcdheRsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsEcdheRsaWithAes128CbcShaCiphers)), - apimTlsRsaWithAes128GcmSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes128GcmSha256Ciphers)), - apimTlsRsaWithAes256CbcSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes256CbcSha256Ciphers)), - apimTlsRsaWithAes128CbcSha256Ciphers: utils.String(strconv.FormatBool(tlsRsaWithAes128CbcSha256Ciphers)), - apimTlsRsaWithAes256CbcShaCiphers: utils.String(strconv.FormatBool(tlsRsaWithAes256CbcShaCiphers)), - apimTlsRsaWithAes128CbcShaCiphers: utils.String(strconv.FormatBool(tlsRsaWithAes128CbcShaCiphers)), + apimBackendProtocolSsl3: utils.String(strconv.FormatBool(backendProtocolSsl3)), + apimBackendProtocolTls10: utils.String(strconv.FormatBool(backendProtocolTls10)), + apimBackendProtocolTls11: utils.String(strconv.FormatBool(backendProtocolTls11)), + apimFrontendProtocolTls10: utils.String(strconv.FormatBool(frontendProtocolTls10)), + apimFrontendProtocolTls11: utils.String(strconv.FormatBool(frontendProtocolTls11)), } if !skuIsConsumption { customProperties[apimFrontendProtocolSsl3] = 
utils.String(strconv.FormatBool(frontendProtocolSsl3)) customProperties[apimTripleDesCiphers] = utils.String(strconv.FormatBool(tripleDesCiphers)) + customProperties[apimTlsEcdheEcdsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes256CbcShaCiphers)) + customProperties[apimTlsEcdheEcdsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheEcdsaWithAes128CbcShaCiphers)) + customProperties[apimTlsEcdheRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes256CbcShaCiphers)) + customProperties[apimTlsEcdheRsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes128CbcShaCiphers)) + customProperties[apimTlsRsaWithAes128GcmSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128GcmSha256Ciphers)) + customProperties[apimTlsRsaWithAes256CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcSha256Ciphers)) + customProperties[apimTlsRsaWithAes128CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128CbcSha256Ciphers)) + customProperties[apimTlsRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcShaCiphers)) + customProperties[apimTlsRsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128CbcShaCiphers)) } if vp := d.Get("protocols").([]interface{}); len(vp) > 0 { 
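Review bot: The nine added `if skuIsConsumption && …` guards repeat one pattern, and each new message copies the wording slip from the existing triple-DES check: `is not support for Sku Tier` where `is not supported` is meant. Every cipher option is now listed by hand in three places (these guards, the `!skuIsConsumption` assignments below them, and flattenApiManagementSecurityCustomProperties), so a later option can be added to one list and missed in another; a missed guard would leave a cipher setting silently dropped on Consumption instead of rejected. A single table of attribute name and flag, looped over once, keeps the rejection in one place. The enclosing function starts and ends outside this hunk, so the flag variables are assumed to be the booleans read earlier in the function.

```go
// … unchanged: existing `enable_triple_des_ciphers` check …
consumptionUnsupported := []struct {
	attribute string
	enabled   bool
}{
	{"tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled", tlsEcdheEcdsaWithAes256CbcShaCiphers},
	{"tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled", tlsEcdheEcdsaWithAes128CbcShaCiphers},
	{"tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled", tlsEcdheRsaWithAes256CbcShaCiphers},
	{"tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled", tlsEcdheRsaWithAes128CbcShaCiphers},
	{"tls_rsa_with_aes128_gcm_sha256_ciphers_enabled", tlsRsaWithAes128GcmSha256Ciphers},
	{"tls_rsa_with_aes256_cbc_sha256_ciphers_enabled", tlsRsaWithAes256CbcSha256Ciphers},
	{"tls_rsa_with_aes128_cbc_sha256_ciphers_enabled", tlsRsaWithAes128CbcSha256Ciphers},
	{"tls_rsa_with_aes256_cbc_sha_ciphers_enabled", tlsRsaWithAes256CbcShaCiphers},
	{"tls_rsa_with_aes128_cbc_sha_ciphers_enabled", tlsRsaWithAes128CbcShaCiphers},
}
for _, c := range consumptionUnsupported {
	if skuIsConsumption && c.enabled {
		return nil, fmt.Errorf("`%s` is not supported for Sku Tier `Consumption`", c.attribute)
	}
}
// … unchanged: customProperties map and !skuIsConsumption assignments …
```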
@@ -1334,22 +1369,20 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string, skuI output["enable_backend_tls11"] = parseApiManagementNilableDictionary(input, apimBackendProtocolTls11) output["enable_frontend_tls10"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls10) output["enable_frontend_tls11"] = parseApiManagementNilableDictionary(input, apimFrontendProtocolTls11) - output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) - output["enable_triple_des_ciphers"] = output["triple_des_ciphers_enabled"] // TODO: remove in v3.0 - - output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) - output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) - output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) - output["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) - output["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) - output["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) - output["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) - output["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) - output["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) if !skuIsConsumption { output["enable_frontend_ssl30"] = 
parseApiManagementNilableDictionary(input, apimFrontendProtocolSsl3) - output["enable_triple_des_ciphers"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) + output["triple_des_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTripleDesCiphers) + output["enable_triple_des_ciphers"] = output["triple_des_ciphers_enabled"] // TODO: remove in v3.0 + output["tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes256CbcShaCiphers) + output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers) + output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers) + output["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers) + output["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers) + output["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers) + output["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers) + output["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcShaCiphers) + output["tls_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcShaCiphers) } return []interface{}{output} From 3cfe3db1176550fcc597c2662df9b6a8e6f77666 Mon Sep 17 00:00:00 2001 
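Review bot: The enlarged `if !skuIsConsumption` block in flattenApiManagementSecurityCustomProperties has no comment saying why the cipher keys are left out of `output` for the Consumption tier; the reason is only visible in the expand function. I would add above the block `// Consumption rejects these settings on write (see expandApiManagementCustomProperties), so they are not read back into state.` One consequence worth stating there: on Consumption the state no longer reflects whatever the service returns for these properties, so a weak cipher enabled outside Terraform would not show up as drift; whether the API returns them for that tier is not visible here. The function begins before this hunk.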
From: Tom Bamford
Date: Mon, 18 Jan 2021 09:24:56 +0000
Subject: [PATCH 16/16] azurerm_api_management: use Computed for deprecated attribute
---
 .../services/apimanagement/api_management_resource.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go
index cbb9e801781e..6e955ba8b978 100644
--- a/azurerm/internal/services/apimanagement/api_management_resource.go
+++ b/azurerm/internal/services/apimanagement/api_management_resource.go
@@ -297,7 +297,7 @@ func resourceApiManagementService() *schema.Resource {
 "enable_triple_des_ciphers": {
 Type: schema.TypeBool,
 Optional: true,
- Default: false,
+ Computed: true,
 ConflictsWith: []string{"security.0.triple_des_ciphers_enabled"},
 Deprecated: "this has been renamed to the boolean attribute `triple_des_ciphers_enabled`.",
 },
@@ -305,7 +305,7 @@ func resourceApiManagementService() *schema.Resource {
 "triple_des_ciphers_enabled": {
 Type: schema.TypeBool,
 Optional: true,
- Default: false,
+ Computed: true, // TODO: v3.0 remove Computed and set Default: false
 ConflictsWith: []string{"security.0.enable_triple_des_ciphers"},
 },
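Review bot: Replacing `Default: false` with `Computed: true` on `enable_triple_des_ciphers` and `triple_des_ciphers_enabled` (both hunks of this commit) means an omitted attribute no longer plans back to `false`; an Optional+Computed attribute keeps the value last read from the service. For a 3DES toggle that matters: an instance where the cipher was enabled stays that way after the setting is removed from configuration, and no diff is shown. The documentation text earlier in this series still says "Defaults to `false`" for both properties, so I would reword it to something like `If omitted, the existing setting on the service is left unchanged; set to false to disable.` and put the same caveat in a comment next to the first `Computed: true,`, which currently has none. The schema function continues outside both hunks.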