[Modules] Minimum TLS version for SQL server (#1618)

* Adding param for min tls version * update namePrefix * reverting name prefix
Azure · Jun 27, 2022 · 85bb232 · 85bb232
1 parent b8902d0
commit 85bb232
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/modules/Microsoft.Sql/servers/.parameters/parameters.json b/modules/Microsoft.Sql/servers/.parameters/parameters.json
@@ -27,6 +27,9 @@
         "location": {
             "value": "westeurope"
         },
+        "minimalTlsVersion": {
+            "value": "1.2"
+        },
         "roleAssignments": {
             "value": [
                 {

diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -46,6 +46,14 @@ param securityAlertPolicies array = []
 @description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
 param administrators object = {}
 
+@allowed([
+  '1.0'
+  '1.1'
+  '1.2'
+])
+@description('Optional. Minimal TLS version allowed.')
+param minimalTlsVersion string = '1.2'
+
 @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
@@ -90,6 +98,7 @@ resource server 'Microsoft.Sql/servers@2021-05-01-preview' = {
       tenantId: administrators.tenantId
     } : null
     version: '12.0'
+    minimalTlsVersion: minimalTlsVersion
   }
 }
 

diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
@@ -46,6 +46,7 @@ This module deploys a SQL server.
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` |  | The firewall rules to create in the server. |
 | `location` | string | `[resourceGroup().location]` |  | Location for all resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. |
 | `privateEndpoints` | array | `[]` |  | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` |  | The security alert policies to create in the server. |
@@ -405,6 +406,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
         "location": {
             "value": "westeurope"
         },
+        "minimalTlsVersion": {
+            "value": "1.2"
+        },
         "roleAssignments": {
             "value": [
                 {
@@ -504,6 +508,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
     administratorLogin: kv1.getSecret('administratorLogin')
     administratorLoginPassword: kv1.getSecret('administratorLoginPassword')
     location: 'westeurope'
+    minimalTlsVersion: '1.2'
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'