azurerm_front_door - Add minimum_tls_version property

azurerm/internal/services/frontdoor/resource_arm_front_door.go

@@ -408,6 +408,15 @@ func resourceArmFrontDoor() *schema.Resource {
 										}, false),
 										Default: string(frontdoor.CertificateSourceFrontDoor),
 									},
+									"minimum_tls_version": {
+										Type:     schema.TypeString,
+										Optional: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											string(frontdoor.OneFullStopTwo),
+											string(frontdoor.OneFullStopZero),
+										}, false),
+										Default: string(frontdoor.OneFullStopZero), // TODO: Update default to TLS 1.2 in version 2.0
+									},
 									"provisioning_state": {
 										Type:     schema.TypeString,
 										Computed: true,
@@ -1265,6 +1274,8 @@ func flattenArmFrontDoorFrontendEndpoint(d *schema.ResourceData, input *[]frontd
 						chc["certificate_source"] = string(frontdoor.CertificateSourceFrontDoor)
 					}
 
+					chc["minimum_tls_version"] = string(customHTTPSConfiguration.MinimumTLSVersion)
+
 					if provisioningState := properties.CustomHTTPSProvisioningState; provisioningState != "" {
 						chc["provisioning_state"] = provisioningState
 						if provisioningState == frontdoor.CustomHTTPSProvisioningStateEnabled || provisioningState == frontdoor.CustomHTTPSProvisioningStateEnabling {
@@ -1502,8 +1513,11 @@ func makeCustomHttpsConfiguration(customHttpsConfiguration map[string]interface{
 	// https://github.com/Azure/azure-sdk-for-go/issues/6882
 	defaultProtocolType := "ServerNameIndication"
 
+	minTLSVersion := customHttpsConfiguration["minimum_tls_version"].(string)
+
 	customHTTPSConfigurationUpdate := frontdoor.CustomHTTPSConfiguration{
-		ProtocolType: &defaultProtocolType,
+		ProtocolType:      &defaultProtocolType,
+		MinimumTLSVersion: frontdoor.MinimumTLSVersion(minTLSVersion),
 	}
 
 	if customHttpsConfiguration["certificate_source"].(string) == "AzureKeyVault" {

website/docs/guides/2.0-upgrade-guide.html.markdown

@@ -299,6 +299,10 @@ The deprecated `location` field will be removed, since this is no longer used.
 
 The deprecated `internal_public_ip_address_id` field in the `ip_configuration` block will be removed. This field has been replaced by the `public_ip_address_id` field in the `ip_configuration` block.
 
+### Resource: `azurerm_frontdoor`
+
+The default value of the `minimum_tls_version` field in the `custom_https_configuration` block will be changed from `1.0` to `1.2` to align with [updates to the Azure platform defaults](https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#what-tls-versions-are-supported-by-azure-front-door-service)
+
 ### Resource: `azurerm_iothub`
 
 The deprecated `sku.tier` property will be remove.

website/docs/r/front_door.html.markdown

@@ -229,6 +229,8 @@ The `custom_https_configuration` block supports the following:
 
 * `certificate_source` - (Optional) Certificate source to encrypted `HTTPS` traffic with. Allowed values are `FrontDoor` or `AzureKeyVault`. Defaults to `FrontDoor`.
 
+* `minimum_tls_version` - (Optional) Minimum TLS version required for clients to connect. Allowed values are `1.0` or `1.2`. Defaults to `1.0`.
+
 The following attributes are only valid if `certificate_source` is set to `AzureKeyVault`:
 
 * `azure_key_vault_certificate_vault_id` - (Required) The ID of the Key Vault containing the SSL certificate.