Storageaccount tlsversion (#207)

* add support for minimum_tls_version

plugins/module_utils/azure_rm_common.py

@@ -88,7 +88,7 @@ def default_api_version(self):
         ),
         'NetworkManagementClient': '2019-06-01',
         'ResourceManagementClient': '2017-05-10',
-        'StorageManagementClient': '2017-10-01',
+        'StorageManagementClient': '2019-06-01',
         'WebSiteManagementClient': '2018-02-01',
         'PostgreSQLManagementClient': '2017-12-01',
         'MySQLManagementClient': '2017-12-01',
@@ -307,7 +307,7 @@ def normalize_location_name(name):
 AZURE_PKG_VERSIONS = {
     'StorageManagementClient': {
         'package_name': 'storage',
-        'expected_version': '3.1.0'
+        'expected_version': '11.1.0'
     },
     'ComputeManagementClient': {
         'package_name': 'compute',
@@ -941,12 +941,12 @@ def storage_client(self):
         if not self._storage_client:
             self._storage_client = self.get_mgmt_svc_client(StorageManagementClient,
                                                             base_url=self._cloud_environment.endpoints.resource_manager,
-                                                            api_version='2018-07-01')
+                                                            api_version='2019-06-01')
         return self._storage_client
 
     @property
     def storage_models(self):
-        return StorageManagementClient.models("2018-07-01")
+        return StorageManagementClient.models("2019-06-01")
 
     @property
     def network_client(self):

plugins/modules/azure_rm_storageaccount.py

@@ -94,6 +94,16 @@
             -  Allows https traffic only to storage service when set to C(true).
         type: bool
         version_added: "2.8"
+    minimum_tls_version:
+        description:
+            - The minimum required version of Transport Layer Security (TLS) for requests to a storage account.
+        default: 'TLS1_0'
+        choices:
+            - TLS1_0
+            - TLS1_1
+            - TLS1_2
+        version_added: "2.10"
+
     network_acls:
         description:
             - Manages the Firewall and virtual networks settings of the storage account.
@@ -449,6 +459,7 @@ def __init__(self):
             kind=dict(type='str', default='Storage', choices=['Storage', 'StorageV2', 'BlobStorage', 'FileStorage', 'BlockBlobStorage']),
             access_tier=dict(type='str', choices=['Hot', 'Cool']),
             https_only=dict(type='bool', default=False),
+            minimum_tls_version=dict(type='str', default='TLS1_0', choices=['TLS1_0', 'TLS1_1', 'TLS1_2']),
             network_acls=dict(type='dict'),
             blob_cors=dict(type='list', options=cors_rule_spec, elements='dict')
         )
@@ -470,6 +481,7 @@ def __init__(self):
         self.kind = None
         self.access_tier = None
         self.https_only = None
+        self.minimum_tls_version = None
         self.network_acls = None
         self.blob_cors = None
 
@@ -558,8 +570,8 @@ def account_obj_to_dict(self, account_obj, blob_service_props=None):
             type=account_obj.type,
             access_tier=(account_obj.access_tier.value
                          if account_obj.access_tier is not None else None),
-            sku_tier=account_obj.sku.tier.value,
-            sku_name=account_obj.sku.name.value,
+            sku_tier=account_obj.sku.tier,
+            sku_name=account_obj.sku.name,
             provisioning_state=account_obj.provisioning_state.value,
             secondary_location=account_obj.secondary_location,
             status_of_primary=(account_obj.status_of_primary.value
@@ -568,6 +580,7 @@ def account_obj_to_dict(self, account_obj, blob_service_props=None):
                                  if account_obj.status_of_secondary is not None else None),
             primary_location=account_obj.primary_location,
             https_only=account_obj.enable_https_traffic_only,
+            minimum_tls_version=account_obj.minimum_tls_version,
             network_acls=account_obj.network_rule_set
         )
         account_dict['custom_domain'] = None
@@ -680,6 +693,18 @@ def update_account(self):
                 except Exception as exc:
                     self.fail("Failed to update account type: {0}".format(str(exc)))
 
+        if self.minimum_tls_version is not None and self.minimum_tls_version != self.account_dict.get('minimum_tls_version'):
+            self.results['changed'] = True
+            self.account_dict['minimum_tls_version'] = self.minimum_tls_version
+            if not self.check_mode:
+                try:
+                    parameters = self.storage_models.StorageAccountUpdateParameters(minimum_tls_version=self.minimum_tls_version)
+                    self.storage_client.storage_accounts.update(self.resource_group,
+                                                                self.name,
+                                                                parameters)
+                except Exception as exc:
+                    self.fail("Failed to update account type: {0}".format(str(exc)))
+
         if self.account_type:
             if self.account_type != self.account_dict['sku_name']:
                 # change the account type
@@ -771,6 +796,7 @@ def create_account(self):
                 name=self.name,
                 resource_group=self.resource_group,
                 enable_https_traffic_only=self.https_only,
+                minimum_tls_version=self.minimum_tls_version,
                 networks_acls=dict(),
                 tags=dict()
             )
@@ -789,6 +815,7 @@ def create_account(self):
                                                                         location=self.location,
                                                                         tags=self.tags,
                                                                         enable_https_traffic_only=self.https_only,
+                                                                        minimum_tls_version=self.minimum_tls_version,
                                                                         access_tier=self.access_tier)
         self.log(str(parameters))
         try:

plugins/modules/azure_rm_storageaccount_info.py

@@ -517,18 +517,19 @@ def account_obj_to_dict(self, account_obj, blob_service_props=None):
             id=account_obj.id,
             name=account_obj.name,
             location=account_obj.location,
-            access_tier=(account_obj.access_tier.value
+            access_tier=(account_obj.access_tier
                          if account_obj.access_tier is not None else None),
-            account_type=account_obj.sku.name.value,
-            kind=account_obj.kind.value if account_obj.kind else None,
-            provisioning_state=account_obj.provisioning_state.value,
+            account_type=account_obj.sku.name,
+            kind=account_obj.kind if account_obj.kind else None,
+            provisioning_state=account_obj.provisioning_state,
             secondary_location=account_obj.secondary_location,
-            status_of_primary=(account_obj.status_of_primary.value
+            status_of_primary=(account_obj.status_of_primary
                                if account_obj.status_of_primary is not None else None),
-            status_of_secondary=(account_obj.status_of_secondary.value
+            status_of_secondary=(account_obj.status_of_secondary
                                  if account_obj.status_of_secondary is not None else None),
             primary_location=account_obj.primary_location,
-            https_only=account_obj.enable_https_traffic_only
+            https_only=account_obj.enable_https_traffic_only,
+            minimum_tls_version=account_obj.minimum_tls_version
         )
 
         id_dict = self.parse_resource_to_dict(account_obj.id)

requirements-azure.txt

@@ -23,7 +23,7 @@ azure-mgmt-resource==2.1.0
 azure-mgmt-rdbms==1.4.1
 azure-mgmt-servicebus==0.5.3
 azure-mgmt-sql==0.10.0
-azure-mgmt-storage==3.1.0
+azure-mgmt-storage==11.1.0
 azure-mgmt-trafficmanager==0.50.0
 azure-mgmt-web==0.41.0
 azure-nspkg==2.0.0

tests/integration/targets/azure_rm_storageaccount/tasks/main.yml

@@ -48,7 +48,6 @@
          ip_rules:
            - value: '9.9.9.9'
              action: Allow
-
    register: output
 
  - name: Assert status succeeded and results include an Id value 
@@ -58,6 +57,7 @@
        - output.state.id is defined
        - output.state.blob_cors | length == 1
        - output.state.https_only
+       - output.state.minimum_tls_version == "TLS1_0" # default value
        - output.state.network_acls.bypass == "AzureServices"
        - output.state.network_acls.default_action == "Deny"
        - output.state.network_acls.ip_rules | length == 1
@@ -85,6 +85,7 @@
            test: test
            galaxy: galaxy
        https_only: yes
+       minimum_tls_version: "TLS1_0" 
        network_acls:
          bypass: AzureServices
          default_action: Deny
@@ -147,6 +148,19 @@
            - "output.state.tags.testing == 'testing'"
            - "output.state.tags.delete == 'never'"
 
+ - name: Update account minimum tls version
+   azure_rm_storageaccount:
+       resource_group: "{{ resource_group }}"
+       name: "{{ storage_account }}"
+       minimum_tls_version: "TLS1_2" 
+   register: output
+
+ - name: Assert status succeeded and results include an Id value 
+   assert:
+     that:
+       - output.changed
+       - output.state.minimum_tls_version == "TLS1_2"
+
  - name: Gather facts
    azure_rm_storageaccount_info:
        resource_group: "{{ resource_group }}"
@@ -162,6 +176,7 @@
            - output.storageaccounts[0].account_type == "Standard_GRS"
            - output.storageaccounts[0].primary_endpoints.blob.connectionstring
            - output.storageaccounts[0].blob_cors
+           - output.storageaccounts[0].minimum_tls_version == "TLS1_2" 
            #- output.storageaccounts[0].https_only
            #- output.storageaccounts[0].network_acls.bypass == "AzureServices"
            #- output.storageaccounts[0].network_acls.default_action == "Deny"