Update azurerm_api_management
- Support more cipher options
#9276
@@ -294,6 +303,52 @@ func resourceArmApiManagementService() *schema.Resource { | |||
Optional: true, | |||
Default: false, | |||
}, | |||
|
|||
"enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers": { |
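Review bot: the `enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers` key on the last line of this hunk switches on a CBC-mode suite with a SHA-1 MAC, and the visible lines do not show its default. It should carry `Default: false` like the attribute in the context lines above it, and the attribute documentation should say that setting it to true re-enables a legacy suite.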
Could we put enabled on the end of all these properties? This is how we name booleans now:
"enable_tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers": { | |
"tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled": { |
Done. Note: I also renamed the one cipher that was already there (enable_triple_des_ciphers) to have at least all cipher flags consistent. Technically this is a breaking change then.
# Conflicts: # azurerm/internal/services/apimanagement/api_management_resource.go
@@ -291,7 +300,53 @@ func resourceArmApiManagementService() *schema.Resource { | |||
Default: false, | |||
}, | |||
|
|||
"enable_triple_des_ciphers": { |
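Review bot: `enable_triple_des_ciphers` on the last line of this hunk is the cipher flag that already existed, so renaming it in place drops it from existing configurations. If the old name is kept as a deprecated alias, make it and its replacement mutually exclusive (for example with `ConflictsWith`) so one configuration cannot set two different values for the same 3DES setting.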
@flo-02-mu You can maintain compatibility by keeping the existing property, adding the Deprecated field, and checking for both in the expandApiManagementCustomProperties() function (preferring the new one).
Added. Not sure if the d.GetOk(...) works for the nested block as expected though.
@manicminer, @katbyte Any chance to get this one pushed?
@flo-02-mu If you can resolve the merge conflicts I'll take another look, thanks!
…flags # Conflicts: # azurerm/internal/services/apimanagement/api_management_resource.go
@manicminer Sorry, I did not realize that. It's updated now.
@flo-02-mu Thanks for that, this is mostly looking good. I've made some suggestions, some are necessary for the renamed property to work. Once these are addressed this should be good to merge.
…e.go Co-authored-by: Tom Bamford <[email protected]>
…e.go Co-authored-by: Tom Bamford <[email protected]>
…e.go Co-authored-by: Tom Bamford <[email protected]>
…e.go Co-authored-by: Tom Bamford <[email protected]>
…e.go Co-authored-by: Tom Bamford <[email protected]>
Co-authored-by: Tom Bamford <[email protected]>
Thanks @flo-02-mu, LGTM! Awaiting final test results and then we can merge this.
@flo-02-mu The TestAccApiManagement_complete is now passing, however there's an issue with the APIM Consumption SKU which doesn't support custom ciphers. These likely need to be conditionally omitted from the request.
Error: creating/updating API Management Service "acctestAM-210114203058931793" (Resource Group "acctestRG-210114203058931793"): apimanagement.ServiceClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="NotSupported" Message="'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168' customProperties are not supported in SkuType Consumption."
@manicminer I included all cipher options inside the conditional SKU block. Where can I check the test results?
Thanks @flo-02-mu, this LGTM. I'm re-running the tests now; they aren't public at this time since we run them with private Azure credentials.
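The two behaviours settled in this review, preferring the renamed flag over the deprecated one and omitting the cipher properties for the Consumption SKU, shown together as an added example that is not the provider's code. The type and function names, the `Developer` SKU sample and the "true"/"false" string values are assumptions; the property keys are taken from the error message quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Prefix and suite names are copied from the error message quoted in this thread.
const cipherPrefix = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers."

var knownSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_256_CBC_SHA256", "TripleDes168",
}

// securityConfig is a hypothetical stand-in for the security block; nil means "not set".
type securityConfig struct {
	Enabled             map[string]bool // suite name -> enabled
	TripleDesNew        *bool           // renamed ..._enabled flag
	TripleDesDeprecated *bool           // enable_triple_des_ciphers
}

// buildCipherProperties (hypothetical helper) returns the cipher entries for
// customProperties, or nil for the Consumption SKU, which rejects them.
func buildCipherProperties(skuType string, c securityConfig) map[string]string {
	if strings.EqualFold(skuType, "Consumption") {
		return nil
	}
	props := make(map[string]string, len(knownSuites))
	for _, s := range knownSuites {
		props[cipherPrefix+s] = fmt.Sprintf("%t", c.Enabled[s])
	}
	// Renamed flag: the new name wins, the deprecated one is the fallback.
	for _, v := range []*bool{c.TripleDesNew, c.TripleDesDeprecated} {
		if v != nil {
			props[cipherPrefix+"TripleDes168"] = fmt.Sprintf("%t", *v)
			break
		}
	}
	return props
}

func main() {
	on := true // constructed sample input
	fmt.Println(buildCipherProperties("Developer", securityConfig{TripleDesDeprecated: &on}))
}
```

Terraform's `d.GetOk` reports a zero value such as `false` as not set, which is why this sketch models the two 3DES flags as pointers instead of plain booleans.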
This has been released in version 2.44.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
  version = "~> 2.44.0"
}
# ... other configuration ...
Cipher options that can be disabled according to https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/apimanagementservice/update#apimanagementserviceupdateparameters are added. As most of them are considered to be insecure, they are defaulting to false if not enabled.