Tags: azure, terraform, azure-cosmosdb

How to set Minimum TLS version in azure cosmos


Terraform allows setting the minimum TLS version on some Azure resources, for example:

resource "azurerm_linux_web_app" "myApp" {
  site_config {
    ...
    minimum_tls_version = "1.2"
  }
  ...
}

I could not find a way to set it for a cosmosdb_account resource with Terraform configuration. Is there a way?

I can see the setting exists in the Azure portal: [screenshot]


Solution

  • As mentioned in the GitHub issue, setting the TLS version is currently not supported by azurerm_cosmosdb_account. To enable it, you can use azapi_resource, or azapi_update_resource if the resource already exists.

    I tried the code below to achieve your requirement, and the deployment was successful, as shown.

    terraform {
      required_providers {
        # azurerm is used by the data sources below, so declare it alongside azapi
        azurerm = {
          source = "hashicorp/azurerm"
        }
        azapi = {
          source  = "Azure/azapi"
          # The jsonencode() body below is the azapi 1.x form (azapi 2.x takes an HCL object), so pin 1.x
          version = "~> 1.0"
        }
      }
    }

    provider "azapi" {
    }

    provider "azurerm" {
      features {}
    }

    # Look up the existing resource group and Cosmos DB account rather than managing them here
    data "azurerm_resource_group" "example" {
      name = "DefaultResourceGroup-EUS"
    }

    data "azurerm_cosmosdb_account" "db" {
      name                = "newcb"
      resource_group_name = data.azurerm_resource_group.example.name
    }

    # Patch only minimalTlsVersion on the existing account; azapi_update_resource merges the body
    # into the current resource state and leaves every other property untouched.
    # Accepted values for this property are Tls, Tls11 and Tls12.
    resource "azapi_update_resource" "azurerm_cosmosdb_account_tls_update" {
      type        = "Microsoft.DocumentDB/databaseAccounts@2023-03-15"
      resource_id = data.azurerm_cosmosdb_account.db.id
      body = jsonencode({
        properties = {
          minimalTlsVersion = "Tls12"
        }
      })
    }
    

    Previously my Cosmos DB account had its minimum TLS version set to TLS 1.1.

    [screenshot]

    After the successful deployment with the code above, it was upgraded to TLS 1.2, as shown.

    [screenshot]

    [screenshot]

    Alternatively, as a workaround, you can use an Azure Policy to set the TLS version for Cosmos DB accounts. To do this, create a policy that requires Cosmos DB accounts to use the specified TLS version, then assign it to your resource group.

    Once you have defined the policy with its rules and effect, assign it using New-AzPolicyAssignment, with the Scope parameter set to the Cosmos DB account's scope.

    $policy = New-AzPolicyDefinition -Name 'xxx' -Policy <policypath>
    New-AzPolicyAssignment -Name 'xxxx' -PolicyDefinition $policy -Scope "cosmosdb account resourceID"
    

    Note: Create a policy rule as per your requirements.
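To check the result of either approach and to turn the policy workaround into a concrete rule, here is an added PowerShell example. It is my own code, not from the answer above nor from the Azure or Terraform projects. It reads back minimalTlsVersion on the account named in the answer (resource group DefaultResourceGroup-EUS, account newcb), then writes, creates and assigns a deny-effect policy at resource group scope and lists compliance. The policy alias Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion, the definition name require-cosmos-tls12 and the use of resource group scope are assumptions; the script looks the alias up before using it.

```powershell
# Added example, not from the original answer. Requires Az.Resources and Az.PolicyInsights
# and an authenticated session (Connect-AzAccount).
$rgName      = "DefaultResourceGroup-EUS"   # from the answer
$accountName = "newcb"                      # from the answer
$policyName  = "require-cosmos-tls12"       # assumed name

# 1. Read back the property that azapi_update_resource (or the portal) set.
$account = Get-AzResource -ResourceGroupName $rgName `
    -ResourceType "Microsoft.DocumentDB/databaseAccounts" `
    -Name $accountName -ExpandProperties
$current = $account.Properties.minimalTlsVersion
if ($current -ne "Tls12") {
    Write-Warning "$accountName currently allows $current (expected Tls12)"
} else {
    Write-Host "$accountName enforces $current"
}

# 2. Confirm the policy alias exists before building a rule on it (assumed alias name).
$aliasName = "Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion"
$alias = Get-AzPolicyAlias -NamespaceMatch "Microsoft.DocumentDB" -ResourceTypeMatch "databaseAccounts" |
    Select-Object -ExpandProperty Aliases |
    Where-Object Name -eq $aliasName
if (-not $alias) { throw "Alias $aliasName not found; check Get-AzPolicyAlias output" }

# 3. Policy rule: deny any Cosmos DB account create/update whose minimalTlsVersion is not Tls12.
#    Note that a PUT which omits the property also fails the "equals" test and is denied,
#    so templates must set it explicitly; start with "audit" if that is too strict.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts" },
      { "not": { "field": "$aliasName", "equals": "Tls12" } }
    ]
  },
  "then": { "effect": "deny" }
}
"@
$policyFile = Join-Path $env:TEMP "cosmos-min-tls.json"
Set-Content -Path $policyFile -Value $policyRule -Encoding utf8

# 4. Create the definition and assign it to the resource group.
$definition = New-AzPolicyDefinition -Name $policyName `
    -DisplayName "Cosmos DB accounts must set minimalTlsVersion to Tls12" `
    -Policy $policyFile -Mode All
$rg = Get-AzResourceGroup -Name $rgName
New-AzPolicyAssignment -Name $policyName -PolicyDefinition $definition -Scope $rg.ResourceId

# 5. Deny only blocks non-compliant requests; accounts that already exist are reported
#    as non-compliant at the next evaluation rather than changed. Fix those with the
#    azapi_update_resource approach above.
Get-AzPolicyState -ResourceGroupName $rgName `
    -Filter "PolicyDefinitionName eq '$policyName'" |
    Select-Object ResourceId, ComplianceState
```

Because the deny effect is evaluated on the request body, it also stops a later Terraform apply or portal edit from lowering the version again, which a one-off azapi_update_resource cannot do on its own.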