[HOWTO] Set Minimum TLS Cipher Suite of Azure App Service using Terraform

Recently, an application I was involved in developing was subjected to a pentest. There was an interesting finding in the audit report that I wanted to fix.

The testers detected weak SSL/TLS cipher suites and recommended reconfiguring the server (in our case the Azure App Services) to disable cipher suites without forward secrecy. Only modern cipher suites that provide forward secrecy (ECDHE- or DHE-based ones) should be retained. The main reason for this recommendation is to reduce exposure to key exchange vulnerabilities and to ensure forward secrecy: with RSA key exchange, a later compromise of the server's private key lets previously recorded sessions be decrypted, whereas the ephemeral (EC)DHE keys are discarded after each session.

To do so, all TLS_RSA_* cipher suites need to be eliminated. But how? And can this be configured on Azure App Services? Fortunately, yes! The configuration feature is called Minimum TLS Cipher Suite and is available through both the API and the Azure portal. The setting names the weakest suite the App Service will still offer; every suite Azure ranks below it is disabled.

As I prefer automation over manual configuration, I wanted to fix this finding using Terraform. I then noticed that setting minTlsCipherSuite is not yet available in the azurerm Terraform provider (see the azurerm issue linked in the snippet below), but it can be set with azapi_resource_action from the azapi Terraform provider as follows.

# WORKAROUND - to be done directly in the azurerm_linux_web_app resource once supported
# See the following links for more information
# https://github.com/hashicorp/terraform-provider-azurerm/issues/24223
# https://github.com/Azure/terraform-provider-azapi/issues/557

# Resolve the ARM resource ID of the "web" config sub-resource of the App Service
data "azapi_resource_id" "appsrvconfig" {
  type      = "Microsoft.Web/sites/config@2023-12-01"
  parent_id = azurerm_linux_web_app.appsrv.id
  name      = "web"
}

# PATCH only the minTlsCipherSuite property; the rest of the site config is left untouched
resource "azapi_resource_action" "setMinTlsCipherSuite" {
  type        = "Microsoft.Web/sites/config@2023-12-01"
  resource_id = data.azapi_resource_id.appsrvconfig.id
  method      = "PATCH"

  body = {
    name       = "web"
    properties = {
      # Weakest suite still offered; every suite Azure ranks below it is disabled,
      # which removes all TLS_RSA_* suites
      minTlsCipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
    }
  }
}
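Before settling on the value for minTlsCipherSuite, it is worth checking that every suite ranked at or above the chosen minimum actually provides forward secrecy, and that the minimum is not set higher than necessary. The following Python script is an added example, not code from the original post: it classifies IANA cipher suite names by their key exchange, applies a minimum to an ordered suite list the way the Azure setting does (keep the minimum and everything above it), and reports any remaining suite without forward secrecy. The ordering in SAMPLE_SERVER_ORDER is constructed for illustration only; for a real check, use the order shown in the Azure portal.

```python
"""Audit an ordered TLS cipher suite list for forward secrecy and pick a safe minimum.

Added example, not part of the original blog post. It models the semantics of the
Azure App Service minTlsCipherSuite setting: the server has an ordered list of suites,
and choosing a minimum disables every suite ranked below it. SAMPLE_SERVER_ORDER is
CONSTRUCTED for illustration and is not Azure's official list.
"""
import re

# Constructed sample ordering, strongest first (assumption, not Azure's official list).
SAMPLE_SERVER_ORDER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# IANA naming for TLS 1.2 and earlier: TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange field at all.
_LEGACY = re.compile(
    r"^TLS_(?P<kex>[A-Z0-9]+?)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_(?P<rest>.+)$"
)


def key_exchange(suite: str) -> str:
    """Return the key-exchange family of an IANA suite name ('TLS13', 'ECDHE', 'DHE', 'RSA', ...)."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS13"  # TLS 1.3 always negotiates an ephemeral (EC)DHE key
    m = _LEGACY.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    return m.group("kex")


def has_forward_secrecy(suite: str) -> bool:
    """Only ephemeral Diffie-Hellman (ECDHE/DHE) and TLS 1.3 suites give forward secrecy.
    Static RSA, static (EC)DH and anonymous exchanges do not."""
    return key_exchange(suite) in {"TLS13", "ECDHE", "DHE"}


def enabled_suites(server_order, minimum):
    """Apply the minTlsCipherSuite semantics: keep `minimum` and everything ranked above it."""
    if minimum not in server_order:
        raise ValueError(f"{minimum} is not in the server's ordered list")
    return server_order[: server_order.index(minimum) + 1]


def weak_suites(server_order, minimum):
    """Suites still offered after applying `minimum` that lack forward secrecy (should be empty)."""
    return [s for s in enabled_suites(server_order, minimum) if not has_forward_secrecy(s)]


def lowest_safe_minimum(server_order):
    """Lowest-ranked suite that can be chosen as minimum without keeping a non-FS suite enabled.
    Walks the list from the top and stops just before the first suite without forward secrecy."""
    safe = None
    for suite in server_order:
        if not has_forward_secrecy(suite):
            break
        safe = suite
    return safe


if __name__ == "__main__":
    chosen = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"  # the value used in the Terraform snippet
    print("enabled after setting minimum:", enabled_suites(SAMPLE_SERVER_ORDER, chosen))
    print("remaining non-FS suites:", weak_suites(SAMPLE_SERVER_ORDER, chosen))
    print("lowest safe minimum for this ordering:", lowest_safe_minimum(SAMPLE_SERVER_ORDER))
```

Run with the real ordering from the portal pasted into SAMPLE_SERVER_ORDER: an empty list from weak_suites confirms the chosen minimum removes every TLS_RSA_* suite, and lowest_safe_minimum shows whether a lower (more compatible) minimum would still satisfy the finding.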

This blog post relies on the following versions.

  • Terraform: 1.10.4
  • AzAPI provider: 2.2.0

NOTE: I used PATCH instead of PUT because PATCH allows updating a single attribute without resending the whole site configuration. The disadvantage of azapi_resource_action, which issues the PATCH under the hood, is that it does not track changes: the setting is not read back into state, so a later change made outside Terraform is not detected. For more details see here.

To ensure the setting is applied (or reapplied) every time terraform apply runs, I forced recreation of the resource during plan and apply by passing the following option:

-replace azapi_resource_action.setMinTlsCipherSuite

After a successful terraform apply, the Azure App Service configuration looks as follows.
