
Databases should have the minimum TLS set for connections

Default Severity: medium

Explanation

Do not allow outdated or insecure TLS versions for database connections. Set the minimum to TLS v1.2 or later.

Possible Impact

Outdated TLS policies increase exposure to known issues.

Suggested Resolution

Use the most modern TLS policies available.

Insecure Example

The following example will fail the azure-database-secure-tls-policy check.

 resource "azurerm_mssql_server" "bad_example" {
   name                         = "mssqlserver"
   resource_group_name          = azurerm_resource_group.example.name
   location                     = azurerm_resource_group.example.location
   version                      = "12.0"
   administrator_login          = "missadministrator"
   administrator_login_password = "thisIsKat11"
   minimum_tls_version          = "1.1"
 }

 resource "azurerm_postgresql_server" "bad_example" {
   name                = "bad_example"

   public_network_access_enabled    = true
   ssl_enforcement_enabled          = false
   ssl_minimal_tls_version_enforced = "TLS1_1"
 }

Secure Example

The following example will pass the azure-database-secure-tls-policy check.

 resource "azurerm_mssql_server" "good_example" {
   name                         = "mssqlserver"
   resource_group_name          = azurerm_resource_group.example.name
   location                     = azurerm_resource_group.example.location
   version                      = "12.0"
   administrator_login          = "missadministrator"
   administrator_login_password = "thisIsKat11"
   minimum_tls_version          = "1.2"
 }

 resource "azurerm_postgresql_server" "good_example" {
   name                = "good_example"

   public_network_access_enabled    = true
   # Require encrypted connections alongside the minimum TLS version
   ssl_enforcement_enabled          = true
   ssl_minimal_tls_version_enforced = "TLS1_2"
 }
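
The same rule can be evaluated outside the scanner, for example as a CI gate over a rendered plan. The following is an added example, not tfsec's own implementation: it reads the JSON produced by `terraform show -json`, walks nested modules, and reports the two resource types shown above when their minimum TLS attribute is not the value used in the secure example. The function names, the sample plan and the choice to report unset attributes are assumptions of this example.

```python
import json

# Attribute that carries the minimum TLS version, and the accepted values, per
# resource type. Only the two resource types shown on this page are covered.
RULES = {
    "azurerm_mssql_server": ("minimum_tls_version", {"1.2"}),
    "azurerm_postgresql_server": ("ssl_minimal_tls_version_enforced", {"TLS1_2"}),
}


def walk(module):
    """Yield every resource in a plan module, including nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def find_weak_tls(plan):
    """Return (address, attribute, value) for each database that fails the rule."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        rule = RULES.get(res.get("type"))
        if rule is None:
            continue
        attr, accepted = rule
        value = (res.get("values") or {}).get(attr)
        # Assumption of this example: an unset (null) value is reported too,
        # so the minimum never depends on a provider default.
        if value not in accepted:
            findings.append((res["address"], attr, value))
    return findings


# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_mssql_server.bad_example", "type": "azurerm_mssql_server",
     "values": {"minimum_tls_version": "1.1"}},
    {"address": "azurerm_mssql_server.good_example", "type": "azurerm_mssql_server",
     "values": {"minimum_tls_version": "1.2"}}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.azurerm_postgresql_server.bad_example",
     "type": "azurerm_postgresql_server",
     "values": {"ssl_minimal_tls_version_enforced": "TLS1_1"}}]}]}}}
""")

if __name__ == "__main__":
    for address, attr, value in find_weak_tls(SAMPLE_PLAN):
        print(f"{address}: {attr} = {value!r} is not an accepted minimum")
```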