Support for minimalTlsVersion in azurerm_cosmosdb_account

[heller-tobias]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like to request a new feature for the azurerm_cosmosdb_account in the Azure Resource Manager API. With the release of the 2022-11-15 API version of the Azure Cosmos DB Resource Provider API, it is now possible to set the minimum TLS version for Cosmos DB accounts.

Currently, the only way to set the minimum TLS version is through the Azure API. However, it would be beneficial for users to have the ability to set the minimum TLS value to 1.2 through the azurerm_cosmosdb_account resource.

Although it is a standard for new Cosmos DB accounts to have a minimum TLS version of 1.2 since April 1, 2023, this feature would still be useful for users who have existing Cosmos DB accounts and need to update the minimum TLS version.
Possible values for minimalTlsVersion could be:

• Tls for setting the minimum version to TLS 1.0.
• Tls11 for setting the minimum version to TLS 1.1.
• Tls12 for setting the minimum version to TLS 1.1.

I believe that adding this feature to azurerm_cosmosdb_account would greatly improve the user experience for managing Cosmos DB accounts through the Azure Resource Manager API.

Thank you for considering my feature request.

New or Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_account

Potential Terraform Configuration

resource "azurerm_cosmosdb_account" "db" {
  name                = "tfex-cosmos-db-${random_integer.ri.result}"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  minimalTlsVersion   = "Tls12"
}

References

Azure TLS version enforcement documentation: https://learn.microsoft.com/en-us/azure/cosmos-db/self-serve-minimum-tls-enforcement

[jfilburn]

I just wanted to give an update that the Azure Portal now allows for this setting to be changed as a quick workaround unit TF supports it, if you want to skip using the Azure API.

The setting can be found here:
CosmosDB resource -> Networking -> Connectivity tab

[heller-tobias]

Hi @jfilburn
Thank you for the input!
Unfortunately this is not really feasible if you have a lot of cosmos db accounts deployed,
Therefore I think it is still a good idea to implement it in tf.

[kkarballof]

Any updates on this. I am trying with the below no but luck so far:
`resource "azapi_update_resource" "qs101" {
type = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
name = "default"
parent_id = data.azurerm_cosmosdb_account.cosmos.id

body = jsonencode({
properties = {
minimalTlsVersion = "Tls12"

}

})
}`

[heller-tobias]

Any updates on this. I am trying with the below no but luck so far: `resource "azapi_update_resource" "qs101" { type = "Microsoft.DocumentDB/databaseAccounts@2023-04-15" name = "default" parent_id = data.azurerm_cosmosdb_account.cosmos.id

body = jsonencode({ properties = { minimalTlsVersion = "Tls12"

}

}) }`

For me, this worked with the following code:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
  resource_id = COSMOSDBACCOUNT_ID
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })

  depends_on = [
    azurerm_cosmosdb_sql_container.container1
  ]
}

[kkarballof]

@heller-tobias
It does work!
thanks
C

[biodrone]

For me, this worked with the following code:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
  resource_id = COSMOSDBACCOUNT_ID
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })

  depends_on = [
    azurerm_cosmosdb_sql_container.container1
  ]
}

Appreciate the workaround, I'm still very much for your original idea of getting an official argument for it (especially as existing accounts seems to default to TLS1).

[dmdport]

When attempting the above solution, I get the error:
Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi
Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

[heller-tobias]

When attempting the above solution, I get the error: Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

Are you calling the azapi_update_resource within a module? If yes you need to add the provider inside of the module as well.

[dmdport]

When attempting the above solution, I get the error: Could not retrieve the list of available versions for provider hashicorp/azureapi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/azureapi Any idea what could be causing this? My code is below:

resource "azapi_update_resource" "azurerm_cosmosdb_account_update_tls_to_1_2" {
  depends_on = [azurerm_cosmosdb_account.db]
  type        = "Microsoft.DocumentDB/databaseAccounts@2023-04-15"
  resource_id = azurerm_cosmosdb_account.db.id
  body = jsonencode({
    properties = {
      minimalTlsVersion = "Tls12"
    }
  })
  provider = azureapi.tlsfix
}

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}
provider "azapi" {
  alias           = "tlsfix"
  use_msi         = true
  tenant_id       = "************************************"
  subscription_id = "************************************"
}

Are you calling the azapi_update_resource within a module? If yes you need to add the provider inside of the module as well.

I was initially but had moved it out of my module to get around the for_each limitation when declaring providers in child modules. Above error happens even when inside the root module.

[jan-mrm]

As far as I can see we would need an update of the provider's api version of the cosmos api to implement it into the azurerm_cosmosdb_account resource

[sehgalnamit]

The reason that the account didn't default to TLS1.2 is that the API version used to submit the request was not the minimum required 2022-11-15 (in this case, it had 2021-10-15). If Terraform doesn't use consistent API versions then it could result in such behavior.

[michasacuer]

Any status of that?

[adamsba3]

Second check if this needs a PR created to fix. or if the global version of API not to be version: 2021-10-15

Basically does this need a PR to add the field when calling the azure api?