From 0513f591aa88a4a1065dfec7254fb21344ba850b Mon Sep 17 00:00:00 2001
From: Justin DeFrank
Date: Tue, 27 Feb 2024 17:32:08 -0500
Subject: [PATCH] `azurerm_cosmosdb_account` - add support for `minimal_tls_version` (#24966)
---
 .../cosmos/cosmosdb_account_resource.go | 23 ++++++-
 .../cosmos/cosmosdb_account_resource_test.go | 63 +++++++++++++++++++
 website/docs/r/cosmosdb_account.html.markdown | 2 +
 3 files changed, 87 insertions(+), 1 deletion(-)
diff --git a/internal/services/cosmos/cosmosdb_account_resource.go b/internal/services/cosmos/cosmosdb_account_resource.go
index f2dae067718e8..4001cad6415ec 100644
--- a/internal/services/cosmos/cosmosdb_account_resource.go
+++ b/internal/services/cosmos/cosmosdb_account_resource.go
@@ -242,6 +242,15 @@ func resourceCosmosDbAccount() *pluginsdk.Resource {
 },
 },
 
+ // TODO: 4.0 - set the default to Tls12
+ // per Microsoft's documentation, as of April 1 2023 the default minimal TLS version for all new accounts is 1.2
+ "minimal_tls_version": {
+ Type: pluginsdk.TypeString,
+ Optional: true,
+ Computed: true,
+ ValidateFunc: validation.StringInSlice(cosmosdb.PossibleValuesForMinimalTlsVersion(), false),
+ },
+
 "create_mode": {
 Type: pluginsdk.TypeString,
 Optional: true,
@@ -852,6 +861,7 @@ func resourceCosmosDbAccountCreate(d *pluginsdk.ResourceData, meta interface{})
 ConsistencyPolicy: expandAzureRmCosmosDBAccountConsistencyPolicy(d),
 Locations: geoLocations,
 Capabilities: capabilities,
+ MinimalTlsVersion: pointer.To(cosmosdb.MinimalTlsVersion(d.Get("minimal_tls_version").(string))),
 VirtualNetworkRules: expandAzureRmCosmosDBAccountVirtualNetworkRules(d),
 EnableMultipleWriteLocations: utils.Bool(enableMultipleWriteLocations),
 EnablePartitionMerge: pointer.To(partitionMergeEnabled),
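Review bot: In the create hunk (`@@ -852`), `MinimalTlsVersion: pointer.To(cosmosdb.MinimalTlsVersion(d.Get("minimal_tls_version").(string)))` is built unconditionally, but the schema hunk (`@@ -242`) declares the attribute Optional+Computed with no `Default`, so when the user leaves it unset `d.Get` yields `""` and an empty enum value is sent in the create request. Unless the service treats an empty `minimalTlsVersion` as "not specified", this should be guarded with `if v, ok := d.GetOk("minimal_tls_version"); ok { ... }`, setting the field only from `v.(string)` and otherwise leaving it nil so the service default applies. The update hunk (`@@ -1085`) repeats the expression; there the value normally comes from state via Read, so the guard matters mainly on create. The TODO at the top of the schema hunk should also state that, until 4.0 adds a `Default` of `Tls12`, the effective TLS floor of a new account is whatever the service assigns and is not pinned by the plan. Both enclosing functions continue outside their hunks.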
@@ -929,6 +939,15 @@ func resourceCosmosDbAccountCreate(d *pluginsdk.ResourceData, meta interface{})
 return fmt.Errorf("creating %s: %+v", id, err)
 }
 
+ // NOTE: this is to work around the issue here: https://github.com/Azure/azure-rest-api-specs/issues/27596
+ // Once the above issue is resolved we shouldn't need this check and update anymore
+ if d.Get("create_mode").(string) == string(cosmosdb.CreateModeRestore) {
+ err = resourceCosmosDbAccountApiCreateOrUpdate(client, ctx, id, account, d)
+ if err != nil {
+ return fmt.Errorf("updating %s: %+v", id, err)
+ }
+ }
+
 d.SetId(id.ID())
 
 return resourceCosmosDbAccountRead(d, meta)
@@ -1051,7 +1070,7 @@ func resourceCosmosDbAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
 "capacity", "create_mode", "restore", "key_vault_key_id", "mongo_server_version", "public_network_access_enabled", "ip_range_filter", "offer_type", "is_virtual_network_filter_enabled", "kind", "tags", "enable_free_tier", "enable_automatic_failover", "analytical_storage_enabled",
- "local_authentication_disabled", "partition_merge_enabled") {
+ "local_authentication_disabled", "partition_merge_enabled", "minimal_tls_version") {
 updateRequired = true
 }
@@ -1085,6 +1104,7 @@ func resourceCosmosDbAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
 IsVirtualNetworkFilterEnabled: isVirtualNetworkFilterEnabled,
 EnableFreeTier: enableFreeTier,
 EnableAutomaticFailover: enableAutomaticFailover,
+ MinimalTlsVersion: pointer.To(cosmosdb.MinimalTlsVersion(d.Get("minimal_tls_version").(string))),
 Capabilities: capabilities,
 ConsistencyPolicy: expandAzureRmCosmosDBAccountConsistencyPolicy(d),
 Locations: cosmosLocations,
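Review bot: In the restore workaround (`@@ -929`), `d.SetId(id.ID())` is only reached after the follow-up `resourceCosmosDbAccountApiCreateOrUpdate` succeeds, so if that second call fails the account has already been created but Terraform holds no ID for it and the resource is orphaned rather than tainted. Moving `d.SetId(id.ID())` above the `if d.Get("create_mode").(string) == string(cosmosdb.CreateModeRestore) {` block keeps the created account tracked in state even when the re-apply returns `updating %s: %+v`. The NOTE comment also says only that it works around an API-spec issue; it should name which properties the restore path drops so a maintainer knows what the second call re-applies — presumably `minimalTlsVersion`, given the `Tls12` assertion added to the restore test, but confirm against the linked issue before writing that. The enclosing function starts before the hunk.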
@@ -1381,6 +1401,7 @@ func resourceCosmosDbAccountRead(d *pluginsdk.ResourceData, meta interface{}) er
 d.Set("analytical_storage_enabled", props.EnableAnalyticalStorage)
 d.Set("public_network_access_enabled", pointer.From(props.PublicNetworkAccess) == cosmosdb.PublicNetworkAccessEnabled)
 d.Set("default_identity_type", props.DefaultIdentity)
+ d.Set("minimal_tls_version", pointer.From(props.MinimalTlsVersion))
 d.Set("create_mode", pointer.From(props.CreateMode))
 d.Set("partition_merge_enabled", pointer.From(props.EnablePartitionMerge))
diff --git a/internal/services/cosmos/cosmosdb_account_resource_test.go b/internal/services/cosmos/cosmosdb_account_resource_test.go
index d0e73d01f0e75..03fd73f82c394 100644
--- a/internal/services/cosmos/cosmosdb_account_resource_test.go
+++ b/internal/services/cosmos/cosmosdb_account_resource_test.go
@@ -224,6 +224,28 @@ func TestAccCosmosDBAccount_updateTagsWithUserAssignedDefaultIdentity(t *testing
 })
 }
 
+func TestAccCosmosDBAccount_minimalTlsVersion(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_cosmosdb_account", "test")
+ r := CosmosDBAccountResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.basicMinimalTlsVersion(data, cosmosdb.MinimalTlsVersionTls),
+ Check: acceptance.ComposeAggregateTestCheckFunc(
+ check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls"),
+ ),
+ },
+ data.ImportStep(),
+ {
+ Config: r.basicMinimalTlsVersion(data, cosmosdb.MinimalTlsVersionTlsOneOne),
+ Check: acceptance.ComposeAggregateTestCheckFunc(
+ check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls11"),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func TestAccCosmosDBAccount_updateDefaultIdentity(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_cosmosdb_account", "test")
 r := CosmosDBAccountResource{}
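Review bot: `TestAccCosmosDBAccount_minimalTlsVersion` (`@@ -224`) exercises only `cosmosdb.MinimalTlsVersionTls` and `cosmosdb.MinimalTlsVersionTlsOneOne`, the two legacy protocol floors, and has no step with `Tls12` or with the attribute omitted, so neither the computed default nor the transition up to 1.2 is covered by the new test. Add a third step using the `Tls12` member of `cosmosdb.MinimalTlsVersion` with `HasValue("Tls12")`, and consider an initial step whose config omits the attribute so the `Computed` value written in Read (`d.Set("minimal_tls_version", pointer.From(props.MinimalTlsVersion))`, `@@ -1381`) is asserted against what the service actually assigns. The current Tls → Tls11 ordering only shows the floor can be raised between two legacy values.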
@@ -1295,6 +1317,7 @@ func TestAccCosmosDBAccount_restoreCreateMode(t *testing.T) {
 Config: r.restoreCreateMode(data, cosmosdb.DatabaseAccountKindMongoDB, cosmosdb.DefaultConsistencyLevelSession),
 Check: acceptance.ComposeAggregateTestCheckFunc(
 checkAccCosmosDBAccount_basic(data, cosmosdb.DefaultConsistencyLevelSession, 1),
+ check.That(data.ResourceName).Key("minimal_tls_version").HasValue("Tls12"),
 ),
 },
 data.ImportStep(),
@@ -1452,6 +1475,37 @@ resource "azurerm_cosmosdb_account" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, string(kind), string(consistency))
 }
 
+func (CosmosDBAccountResource) basicMinimalTlsVersion(data acceptance.TestData, tls cosmosdb.MinimalTlsVersion) string {
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-cosmos-%d"
+ location = "%s"
+}
+
+resource "azurerm_cosmosdb_account" "test" {
+ name = "acctest-ca-%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ offer_type = "Standard"
+ kind = "GlobalDocumentDB"
+ minimal_tls_version = "%s"
+
+ consistency_policy {
+ consistency_level = "Eventual"
+ }
+
+ geo_location {
+ location = azurerm_resource_group.test.location
+ failover_priority = 0
+ }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, string(tls))
+}
+
 func (CosmosDBAccountResource) basicMongoDB(data acceptance.TestData, consistency cosmosdb.DefaultConsistencyLevel) string {
 return fmt.Sprintf(`
 provider "azurerm" {
@@ -4133,6 +4187,7 @@ resource "azurerm_cosmosdb_account" "test1" {
 resource_group_name = azurerm_resource_group.test.name
 offer_type = "Standard"
 kind = "MongoDB"
+ minimal_tls_version = "Tls12"
 
 capabilities {
 name = "EnableMongo"
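Review bot: The `HasValue("Tls12")` check added to `TestAccCosmosDBAccount_restoreCreateMode` (`@@ -1295`), paired with `minimal_tls_version = "Tls12"` on the source account (`@@ -4133`), does not discriminate: the schema TODO in this same commit records that the service default for new accounts is already 1.2, so the assertion passes whether or not the create-mode-restore re-apply in `resourceCosmosDbAccountCreate` actually propagated the configured value. If the intent is to prove that the workaround re-applies `minimal_tls_version`, say so in a comment above the check and note that `Tls12` coincides with the service default, so the check only guards against a restored account coming up with a weaker floor. The test function and the fixture string both start before their hunks.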
@@ -4168,6 +4223,14 @@ resource "azurerm_cosmosdb_mongo_collection" "test" {
 keys = ["_id"]
 unique = true
 }
+
+ // indices can cause test to be inconsistent
+ // I believe there is a bug within the azurerm_cosmosdb_mongo_collection that causes inconsistent results on read
+ lifecycle {
+ ignore_changes = [
+ index
+ ]
+ }
 }
 
 data "azurerm_cosmosdb_restorable_database_accounts" "test" {
diff --git a/website/docs/r/cosmosdb_account.html.markdown b/website/docs/r/cosmosdb_account.html.markdown
index 3c6c18afa4279..0970ddbe7e9be 100644
--- a/website/docs/r/cosmosdb_account.html.markdown
+++ b/website/docs/r/cosmosdb_account.html.markdown
@@ -114,6 +114,8 @@ The following arguments are supported:
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
+* `minimal_tls_version` - (Optional) Specifies the minimal TLS version for the CosmosDB account. Possible values are: `Tls`, `Tls11`, and `Tls12`. Defaults to `Tls12`.
+
 * `offer_type` - (Required) Specifies the Offer Type to use for this CosmosDB Account; currently, this can only be set to `Standard`.
 
 * `analytical_storage` - (Optional) An `analytical_storage` block as defined below.
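Review bot: The `lifecycle { ignore_changes = [ index ] }` block (`@@ -4168`) suppresses a suspected read inconsistency in `azurerm_cosmosdb_mongo_collection` inside the restore fixture, and its comment (`// I believe there is a bug within the azurerm_cosmosdb_mongo_collection ...`) records a belief rather than a tracked issue, so nothing ties the workaround to a fix. Replace the two comment lines with a reference to the tracked bug, e.g. `# TODO: remove once <ISSUE-LINK> (azurerm_cosmosdb_mongo_collection reports inconsistent index on read) is fixed`, so the suppression is removed when the collection resource is corrected instead of masking real drift in this fixture indefinitely. The resource block starts before the hunk.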