From f1e2a8729771deaa1b11d03f6aef0672ff76d0ad Mon Sep 17 00:00:00 2001 From: ziyeqf <51212351+ziyeqf@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:21:40 +1100 Subject: [PATCH] `azurerm_postgresql_server` - deprecate `ssl_enforcement_enabled` and `ssl_minimal_tls_version_enforced` no longer accpets `TLSEnforcementDisabled`, `TLS1_0` or `TLS1_1` as a value --- .../postgres/postgresql_server_resource.go | 56 +++++--- .../postgresql_server_resource_test.go | 124 +++++++++++++----- website/docs/5.0-upgrade-guide.html.markdown | 5 + .../docs/r/postgresql_server.html.markdown | 2 + 4 files changed, 138 insertions(+), 49 deletions(-) diff --git a/internal/services/postgres/postgresql_server_resource.go b/internal/services/postgres/postgresql_server_resource.go index d68d5963fa20..0e64ec22550f 100644 --- a/internal/services/postgres/postgresql_server_resource.go +++ b/internal/services/postgres/postgresql_server_resource.go @@ -22,6 +22,7 @@ import ( "github.com/hashicorp/go-azure-sdk/resource-manager/postgresql/2017-12-01/serversecurityalertpolicies" "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" + "github.com/hashicorp/terraform-provider-azurerm/internal/features" "github.com/hashicorp/terraform-provider-azurerm/internal/locks" "github.com/hashicorp/terraform-provider-azurerm/internal/services/postgres/migration" "github.com/hashicorp/terraform-provider-azurerm/internal/services/postgres/validate" @@ -59,7 +60,7 @@ var skuList = []string{ } func resourcePostgreSQLServer() *pluginsdk.Resource { - return &pluginsdk.Resource{ + resource := &pluginsdk.Resource{ Create: resourcePostgreSQLServerCreate, Read: resourcePostgreSQLServerRead, Update: resourcePostgreSQLServerUpdate, 
@@ -217,15 +218,12 @@ func resourcePostgreSQLServer() *pluginsdk.Resource { }, "ssl_minimal_tls_version_enforced": { - Type: pluginsdk.TypeString, - Optional: true, - Default: string(servers.MinimalTlsVersionEnumTLSOneTwo), - ValidateFunc: validation.StringInSlice(servers.PossibleValuesForMinimalTlsVersionEnum(), false), - }, - - "ssl_enforcement_enabled": { - Type: pluginsdk.TypeBool, - Required: true, + Type: pluginsdk.TypeString, + Optional: true, + Default: string(servers.MinimalTlsVersionEnumTLSOneTwo), + ValidateFunc: validation.StringInSlice([]string{ + string(servers.MinimalTlsVersionEnumTLSOneZero), + }, false), }, "threat_detection_policy": { @@ -360,6 +358,22 @@ func resourcePostgreSQLServer() *pluginsdk.Resource { }), ), } + + if !features.FivePointOhBeta() { + resource.Schema["ssl_minimal_tls_version_enforced"] = &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + Optional: true, + Default: string(servers.MinimalTlsVersionEnumTLSOneTwo), + ValidateFunc: validation.StringInSlice(servers.PossibleValuesForMinimalTlsVersionEnum(), false), + } + resource.Schema["ssl_enforcement_enabled"] = &pluginsdk.Schema{ + Deprecated: "The `ssl_enforcement_enabled` is deprecated as Azure services will require TLS1.2+ to connect.", + Type: pluginsdk.TypeBool, + Required: true, + } + } + + return resource } func resourcePostgreSQLServerCreate(d *pluginsdk.ResourceData, meta interface{}) error { @@ -403,8 +417,10 @@ func resourcePostgreSQLServerCreate(d *pluginsdk.ResourceData, meta interface{}) } ssl := servers.SslEnforcementEnumEnabled - if v := d.Get("ssl_enforcement_enabled"); !v.(bool) { - ssl = servers.SslEnforcementEnumDisabled + if !features.FivePointOhBeta() { + if v := d.Get("ssl_enforcement_enabled"); !v.(bool) { + ssl = servers.SslEnforcementEnumDisabled + } } tlsMin := servers.MinimalTlsVersionEnum(d.Get("ssl_minimal_tls_version_enforced").(string)) 
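Review bot: The 5.0 schema for `ssl_minimal_tls_version_enforced` in the first hunk lists only `servers.MinimalTlsVersionEnumTLSOneZero` in its `ValidateFunc`, while `Default` is `MinimalTlsVersionEnumTLSOneTwo` and the commit subject names `TLS1_0` as a value being dropped. As written, under `features.FivePointOhBeta()` a config that sets `TLS1_2` explicitly is rejected and `TLS1_0` is the only accepted value, which is the reverse of the hardening this change is after. The slice entry should be `string(servers.MinimalTlsVersionEnumTLSOneTwo),`. The skip message added to `TestMinTlsVersionOnServerUpdate` already assumes `TLS1_2` is the only value, so a 5.0-mode test that sets the attribute explicitly would catch this. The schema map of `resourcePostgreSQLServer` continues outside the hunk.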
@@ -622,8 +638,10 @@ func resourcePostgreSQLServerUpdate(d *pluginsdk.ResourceData, meta interface{}) } ssl := servers.SslEnforcementEnumEnabled - if v := d.Get("ssl_enforcement_enabled"); !v.(bool) { - ssl = servers.SslEnforcementEnumDisabled + if !features.FivePointOhBeta() { + if v := d.Get("ssl_enforcement_enabled"); !v.(bool) { + ssl = servers.SslEnforcementEnumDisabled + } } tlsMin := servers.MinimalTlsVersionEnum(d.Get("ssl_minimal_tls_version_enforced").(string)) @@ -755,11 +773,13 @@ func resourcePostgreSQLServerRead(d *pluginsdk.ResourceData, meta interface{}) e } d.Set("public_network_access_enabled", publicNetworkAccess) - sslEnforcement := false - if props.SslEnforcement != nil { - sslEnforcement = *props.SslEnforcement == servers.SslEnforcementEnumEnabled + if !features.FivePointOhBeta() { + sslEnforcement := false + if props.SslEnforcement != nil { + sslEnforcement = *props.SslEnforcement == servers.SslEnforcementEnumEnabled + } + d.Set("ssl_enforcement_enabled", sslEnforcement) } - d.Set("ssl_enforcement_enabled", sslEnforcement) if storage := props.StorageProfile; storage != nil { d.Set("storage_mb", storage.StorageMB) diff --git a/internal/services/postgres/postgresql_server_resource_test.go b/internal/services/postgres/postgresql_server_resource_test.go index 0604b3653bc4..8802abd8880c 100644 --- a/internal/services/postgres/postgresql_server_resource_test.go +++ b/internal/services/postgres/postgresql_server_resource_test.go @@ -13,6 +13,7 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance" "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" + "github.com/hashicorp/terraform-provider-azurerm/internal/features" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" "github.com/hashicorp/terraform-provider-azurerm/utils" ) 
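Review bot: In the `resourcePostgreSQLServerRead` hunk, `props.SslEnforcement` is no longer inspected when `features.FivePointOhBeta()` is on, so this field gives no diff for a server that was imported, or changed outside Terraform, with enforcement disabled. Such a server stays that way until some other change triggers Update, where `ssl` is now fixed to `SslEnforcementEnumEnabled`. If the `ssl_minimal_tls_version_enforced` read outside this hunk does not already surface that state, consider logging it, or at least add a comment such as `// 5.0: SslEnforcement is always sent as Enabled on create/update; a Disabled value read here is not tracked in state`. The function body continues outside the hunk.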
@@ -363,6 +364,9 @@ func TestAccPostgreSQLServer_threatDetectionEmptyAttrs(t *testing.T) { } func TestMinTlsVersionOnServerUpdate(t *testing.T) { + if features.FivePointOhBeta() { + t.Skipf("Skip this test since there is only one possible value `TLS1_2` for `ssl_minimal_tls_version_enforced`.") + } data := acceptance.BuildTestData(t, "azurerm_postgresql_server", "test") r := PostgreSQLServerResource{} data.ResourceTest(t, r, []acceptance.TestStep{ @@ -402,6 +406,10 @@ func (t PostgreSQLServerResource) Exists(ctx context.Context, clients *clients.C } func (PostgreSQLServerResource) template(data acceptance.TestData, sku, version string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} @@ -424,9 +432,9 @@ resource "azurerm_postgresql_server" "test" { version = "%s" storage_mb = 51200 - ssl_enforcement_enabled = true + %s } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, sku, version) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, sku, version, sslEnabledBlock) } func (r PostgreSQLServerResource) basic(data acceptance.TestData, version string) string { @@ -434,6 +442,10 @@ func (r PostgreSQLServerResource) basic(data acceptance.TestData, version string } func (PostgreSQLServerResource) basicWithIdentity(data acceptance.TestData, version string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} 
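Review bot: The four-line `sslEnabledBlock` setup added to `template` in the @@ -402 hunk is repeated verbatim in `basicWithIdentity`, `autogrow`, `requiresImport`, `complete`, `complete2`, `sku`, the replica and restore templates, and `beforeUpdate`/`afterUpdate`. That is easy to miss in one place, and `emptyAttrs` did not get it at all. A single helper keeps the 4.x/5.0 switch in one spot and makes the few non-`true` variants explicit at the call site. The template bodies start and end outside the hunks.

```go
// sslEnforcementAttr renders the ssl_enforcement_enabled line for pre-5.0
// configs and an empty string once the argument is removed from the schema.
func sslEnforcementAttr(value string) string {
	if features.FivePointOhBeta() {
		return ""
	}
	return "ssl_enforcement_enabled = " + value
}

func (PostgreSQLServerResource) template(data acceptance.TestData, sku, version string) string {
	sslEnabledBlock := sslEnforcementAttr("true")
	// … unchanged: fmt.Sprintf config template …
```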
@@ -456,13 +468,13 @@ resource "azurerm_postgresql_server" "test" { version = "%s" storage_mb = 51200 - ssl_enforcement_enabled = true + %s identity { type = "SystemAssigned" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, version) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, version, sslEnabledBlock) } func (r PostgreSQLServerResource) mo(data acceptance.TestData, version string) string { @@ -474,6 +486,10 @@ func (r PostgreSQLServerResource) gp(data acceptance.TestData, version string) s } func (PostgreSQLServerResource) autogrow(data acceptance.TestData, version string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} @@ -496,12 +512,16 @@ resource "azurerm_postgresql_server" "test" { version = "%s" auto_grow_enabled = true - ssl_enforcement_enabled = true + %s } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, version) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, version, sslEnabledBlock) } func (r PostgreSQLServerResource) requiresImport(data acceptance.TestData) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = azurerm_postgresql_server.test.ssl_enforcement_enabled` + } return fmt.Sprintf(` %s @@ -517,12 +537,17 @@ resource "azurerm_postgresql_server" "import" { version = azurerm_postgresql_server.test.version storage_mb = azurerm_postgresql_server.test.storage_mb - ssl_enforcement_enabled = azurerm_postgresql_server.test.ssl_enforcement_enabled +%s + } -`, r.basic(data, "10.0")) +`, r.basic(data, "10.0"), sslEnabledBlock) } func (PostgreSQLServerResource) complete(data acceptance.TestData) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} 
@@ -563,8 +588,8 @@ resource "azurerm_postgresql_server" "test" { infrastructure_encryption_enabled = true public_network_access_enabled = false - ssl_enforcement_enabled = true ssl_minimal_tls_version_enforced = "TLS1_2" + %s threat_detection_policy { enabled = true @@ -578,10 +603,15 @@ resource "azurerm_postgresql_server" "test" { "ENV" = "test" } } -`, data.RandomInteger, data.Locations.Primary) +`, data.RandomInteger, data.Locations.Primary, sslEnabledBlock) } func (PostgreSQLServerResource) complete2(data acceptance.TestData, version string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = false` + } + return fmt.Sprintf(` provider "azurerm" { features {} @@ -618,8 +648,8 @@ resource "azurerm_postgresql_server" "test" { infrastructure_encryption_enabled = true public_network_access_enabled = true - ssl_enforcement_enabled = false - ssl_minimal_tls_version_enforced = "TLSEnforcementDisabled" + %s + ssl_minimal_tls_version_enforced = "TLSEnforcementDisabled" threat_detection_policy { enabled = true @@ -630,10 +660,14 @@ resource "azurerm_postgresql_server" "test" { retention_days = 7 } } -`, data.RandomInteger, data.Locations.Primary, version) +`, data.RandomInteger, data.Locations.Primary, version, sslEnabledBlock) } func (PostgreSQLServerResource) sku(data acceptance.TestData, version, sku string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} 
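Review bot: `complete2` still sets `ssl_minimal_tls_version_enforced = "TLSEnforcementDisabled"` unconditionally in the @@ -618 hunk; only the `ssl_enforcement_enabled` line was moved behind `features.FivePointOhBeta()`. The 5.0 validation list no longer contains that value, so every step that uses `complete2` would fail validation in 5.0 mode. Put both attributes in the conditional string: the 4.x branch keeps the two existing lines, and the 5.0 branch emits `ssl_minimal_tls_version_enforced = "TLS1_2"`. The function starts and ends outside this hunk.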
@@ -655,13 +689,17 @@ resource "azurerm_postgresql_server" "test" { sku_name = "%s" storage_mb = 51200 version = "%s" + %s - ssl_enforcement_enabled = true } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, sku, version) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, sku, version, sslEnabledBlock) } func (r PostgreSQLServerResource) createReplica(data acceptance.TestData, sku string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` %[1]s @@ -682,12 +720,16 @@ resource "azurerm_postgresql_server" "replica" { creation_source_server_id = azurerm_postgresql_server.test.id public_network_access_enabled = false - ssl_enforcement_enabled = true + %[5]s } -`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku) +`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku, sslEnabledBlock) } func (r PostgreSQLServerResource) updateReplicaToDefault(data acceptance.TestData, sku string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` %[1]s @@ -706,12 +748,16 @@ resource "azurerm_postgresql_server" "replica" { create_mode = "Default" public_network_access_enabled = false - ssl_enforcement_enabled = true + %[5]s } -`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku) +`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku, sslEnabledBlock) } func (r PostgreSQLServerResource) updateReplicaToDefaultSetPassword(data acceptance.TestData, sku string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` %[1]s 
@@ -732,12 +778,16 @@ resource "azurerm_postgresql_server" "replica" { create_mode = "Default" public_network_access_enabled = false - ssl_enforcement_enabled = true + %[5]s } -`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku) +`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku, sslEnabledBlock) } func (r PostgreSQLServerResource) createReplicas(data acceptance.TestData, sku string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` %[1]s @@ -757,7 +807,7 @@ resource "azurerm_postgresql_server" "replica1" { create_mode = "Replica" creation_source_server_id = azurerm_postgresql_server.test.id - ssl_enforcement_enabled = true + %[5]s } resource "azurerm_postgresql_server" "replica2" { @@ -771,12 +821,16 @@ resource "azurerm_postgresql_server" "replica2" { create_mode = "Replica" creation_source_server_id = azurerm_postgresql_server.test.id - ssl_enforcement_enabled = true + %[5]s } -`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku) +`, r.template(data, sku, "11"), data.RandomInteger, data.Locations.Secondary, sku, sslEnabledBlock) } func (r PostgreSQLServerResource) createPointInTimeRestore(data acceptance.TestData, version, restoreTime string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` %[1]s @@ -793,10 +847,10 @@ resource "azurerm_postgresql_server" "restore" { creation_source_server_id = azurerm_postgresql_server.test.id restore_point_in_time = "%[3]s" - ssl_enforcement_enabled = true + %[5]s public_network_access_enabled = false } -`, r.gp(data, version), data.RandomInteger, restoreTime, version) +`, r.gp(data, version), data.RandomInteger, restoreTime, version, sslEnabledBlock) } func (PostgreSQLServerResource) emptyAttrs(data acceptance.TestData, version string) string { 
@@ -823,7 +877,7 @@ resource "azurerm_postgresql_server" "test" { storage_mb = 640000 ssl_enforcement_enabled = false - ssl_minimal_tls_version_enforced = "TLSEnforcementDisabled" + ssl_minimal_tls_version_enforced = "TLS1_2" threat_detection_policy { enabled = true @@ -836,6 +890,10 @@ resource "azurerm_postgresql_server" "test" { } func (PostgreSQLServerResource) beforeUpdate(data acceptance.TestData, version string, tlsVersion string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} @@ -862,13 +920,17 @@ resource "azurerm_postgresql_server" "test" { auto_grow_enabled = true public_network_access_enabled = false - ssl_enforcement_enabled = true ssl_minimal_tls_version_enforced = "%[4]s" + %[5]s } -`, data.RandomInteger, data.Locations.Primary, version, tlsVersion) +`, data.RandomInteger, data.Locations.Primary, version, tlsVersion, sslEnabledBlock) } func (PostgreSQLServerResource) afterUpdate(data acceptance.TestData, version string, tlsVersion string) string { + sslEnabledBlock := `` + if !features.FivePointOhBeta() { + sslEnabledBlock = `ssl_enforcement_enabled = true` + } return fmt.Sprintf(` provider "azurerm" { features {} @@ -894,9 +956,9 @@ resource "azurerm_postgresql_server" "test" { backup_retention_days = 7 auto_grow_enabled = true - ssl_enforcement_enabled = true ssl_minimal_tls_version_enforced = "%[4]s" + %[5]s } -`, data.RandomInteger, data.Locations.Primary, version, tlsVersion) +`, data.RandomInteger, data.Locations.Primary, version, tlsVersion, sslEnabledBlock) } diff --git a/website/docs/5.0-upgrade-guide.html.markdown b/website/docs/5.0-upgrade-guide.html.markdown index ad99f58f0470..b3d788d3b09c 100644 --- a/website/docs/5.0-upgrade-guide.html.markdown +++ b/website/docs/5.0-upgrade-guide.html.markdown 
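Review bot: `emptyAttrs` keeps `ssl_enforcement_enabled = false` as an unconditional line in the @@ -823 hunk, unlike the other templates in this file, which now go through `sslEnabledBlock`. With `features.FivePointOhBeta()` on, that argument is no longer in the schema, so this config would be rejected. The hunk also now pairs disabled enforcement with a `TLS1_2` minimum, which looks contradictory on the 4.x path; please confirm that the create path accepts that combination. Give `emptyAttrs` the same conditional treatment, with the 4.x branch using `ssl_enforcement_enabled = true` if the intent is a TLS 1.2 server. The function starts and ends outside the hunk.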
@@ -128,6 +128,11 @@ Please follow the format in the example below for listing breaking changes in re * The deprecated `managed_resource_group` property has been removed. +### `azurerm_postgresql_server` + +* The deprecated `ssl_enforcement_enabled` property has been removed. +* The property `ssl_minimal_tls_version_enforced` property no longer accepts `TLSEnforcementDisabled`, `TLS1_0` or `TLS1_1` as a value. + ### `azurerm_sentinel_alert_rule_fusion` * The deprecated `name` property has been removed. diff --git a/website/docs/r/postgresql_server.html.markdown b/website/docs/r/postgresql_server.html.markdown index d83548a27889..2fa8bc2d3ae8 100644 --- a/website/docs/r/postgresql_server.html.markdown +++ b/website/docs/r/postgresql_server.html.markdown @@ -86,6 +86,8 @@ The following arguments are supported: * `ssl_minimal_tls_version_enforced` - (Optional) The minimum TLS version to support on the sever. Possible values are `TLSEnforcementDisabled`, `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_2`. +~> **NOTE:** Azure Services will require TLS 1.2+ by August 2025, please see this [announcement](https://azure.microsoft.com/en-us/updates/v2/update-retirement-tls1-0-tls1-1-versions-azure-services/) for more. + * `storage_mb` - (Optional) Max storage allowed for a server. Possible values are between `5120` MB(5GB) and `1048576` MB(1TB) for the Basic SKU and between `5120` MB(5GB) and `16777216` MB(16TB) for General Purpose/Memory Optimized SKUs. For more information see the [product documentation](https://docs.microsoft.com/azure/postgresql/concepts-pricing-tiers#storage). * `threat_detection_policy` - (Optional) Threat detection policy configuration, known in the API as Server Security Alerts Policy. The `threat_detection_policy` block supports fields documented below.