azurerm_mariadb_server - add support for "ssl_minimal_tls_version_enf…

…orced" (hashicorp#20782)
xiaxyi · Mar 7, 2023 · 6956b22 · 6956b22
1 parent 584d52e
commit 6956b22
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 13 deletions.
diff --git a/internal/services/mariadb/mariadb_server_resource.go b/internal/services/mariadb/mariadb_server_resource.go
@@ -159,7 +159,12 @@ func resourceMariaDbServer() *pluginsdk.Resource {
 					validation.IntDivisibleBy(1024),
 				),
 			},
-
+			"ssl_minimal_tls_version_enforced": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				Default:      string(servers.MinimalTlsVersionEnumTLSOneTwo),
+				ValidateFunc: validation.StringInSlice(servers.PossibleValuesForMinimalTlsVersionEnum(), false),
+			},
 			"tags": commonschema.Tags(),
 
 			"version": {
@@ -215,6 +220,11 @@ func resourceMariaDbServerCreate(d *pluginsdk.ResourceData, meta interface{}) er
 		ssl = servers.SslEnforcementEnumDisabled
 	}
 
+	tlsMin := servers.MinimalTlsVersionEnum(d.Get("ssl_minimal_tls_version_enforced").(string))
+	if ssl == servers.SslEnforcementEnumDisabled && tlsMin != servers.MinimalTlsVersionEnumTLSEnforcementDisabled {
+		return fmt.Errorf("`ssl_minimal_tls_version_enforced` must be set to `TLSEnforcementDisabled` if `ssl_enforcement_enabled` is set to `false`")
+	}
+
 	storage := expandMariaDbStorageProfile(d)
 
 	var props servers.ServerPropertiesForCreate
@@ -238,6 +248,7 @@ func resourceMariaDbServerCreate(d *pluginsdk.ResourceData, meta interface{}) er
 			AdministratorLogin:         admin,
 			AdministratorLoginPassword: pass,
 			PublicNetworkAccess:        &publicAccess,
+			MinimalTlsVersion:          &tlsMin,
 			SslEnforcement:             &ssl,
 			StorageProfile:             storage,
 			Version:                    &version,
@@ -316,12 +327,19 @@ func resourceMariaDbServerUpdate(d *pluginsdk.ResourceData, meta interface{}) er
 		ssl = servers.SslEnforcementEnumDisabled
 	}
 
+	tlsMin := servers.MinimalTlsVersionEnum(d.Get("ssl_minimal_tls_version_enforced").(string))
+
+	if ssl == servers.SslEnforcementEnumDisabled && tlsMin != servers.MinimalTlsVersionEnumTLSEnforcementDisabled {
+		return fmt.Errorf("`ssl_minimal_tls_version_enforced` must be set to `TLSEnforcementDisabled` if `ssl_enforcement_enabled` is set to `false`")
+	}
+
 	storageProfile := expandMariaDbStorageProfile(d)
 	serverVersion := servers.ServerVersion(d.Get("version").(string))
 	properties := servers.ServerUpdateParameters{
 		Properties: &servers.ServerUpdateParametersProperties{
 			AdministratorLoginPassword: utils.String(d.Get("administrator_login_password").(string)),
 			PublicNetworkAccess:        &publicAccess,
+			MinimalTlsVersion:          &tlsMin,
 			SslEnforcement:             &ssl,
 			StorageProfile:             storageProfile,
 			Version:                    &serverVersion,
@@ -370,6 +388,7 @@ func resourceMariaDbServerRead(d *pluginsdk.ResourceData, meta interface{}) erro
 
 		if props := model.Properties; props != nil {
 			d.Set("administrator_login", props.AdministratorLogin)
+			d.Set("ssl_minimal_tls_version_enforced", props.MinimalTlsVersion)
 
 			publicNetworkAccess := false
 			if props.PublicNetworkAccess != nil {

diff --git a/internal/services/mariadb/mariadb_server_resource_test.go b/internal/services/mariadb/mariadb_server_resource_test.go
@@ -290,13 +290,14 @@ resource "azurerm_mariadb_server" "test" {
   sku_name            = "B_Gen5_2"
   version             = "%s"
 
-  administrator_login          = "acctestun"
-  administrator_login_password = "H@Sh1CoR3!"
-  auto_grow_enabled            = true
-  backup_retention_days        = 7
-  geo_redundant_backup_enabled = false
-  ssl_enforcement_enabled      = true
-  storage_mb                   = 51200
+  administrator_login          		= "acctestun"
+  administrator_login_password 		= "H@Sh1CoR3!"
+  auto_grow_enabled            		= true
+  backup_retention_days        		= 7
+  geo_redundant_backup_enabled 		= false
+  ssl_enforcement_enabled      		= true
+  ssl_minimal_tls_version_enforced      = "TLS1_2"
+  storage_mb                   		= 51200
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, version)
 }

diff --git a/website/docs/r/mariadb_server.html.markdown b/website/docs/r/mariadb_server.html.markdown
@@ -34,11 +34,12 @@ resource "azurerm_mariadb_server" "example" {
   storage_mb = 5120
   version    = "10.2"
 
-  auto_grow_enabled             = true
-  backup_retention_days         = 7
-  geo_redundant_backup_enabled  = false
-  public_network_access_enabled = false
-  ssl_enforcement_enabled       = true
+  auto_grow_enabled                = true
+  backup_retention_days            = 7
+  geo_redundant_backup_enabled     = false
+  public_network_access_enabled    = false
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
 }
 ```
 
@@ -76,6 +77,10 @@ The following arguments are supported:
 
 * `ssl_enforcement_enabled` - (Required) Specifies if SSL should be enforced on connections. Possible values are `true` and `false`.
 
+-> **NOTE:** `ssl_minimal_tls_version_enforced` must be set to `TLSEnforcementDisabled` when `ssl_enforcement_enabled` is set to `false`.
+
+* `ssl_minimal_tls_version_enforced` - (Optional) The minimum TLS version to support on the sever. Possible values are `TLSEnforcementDisabled`, `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_2`.
+
 * `storage_mb` - (Optional) Max storage allowed for a server. Possible values are between `5120` MB (5GB) and `1024000`MB (1TB) for the Basic SKU and between `5120` MB (5GB) and `4096000` MB (4TB) for General Purpose/Memory Optimized SKUs. For more information see the [product documentation](https://docs.microsoft.com/rest/api/mariadb/servers/create#storageprofile).
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.