azurerm_storage_account - minimum_tls_version no longer accepts `…

…TLS1_0` or `TLS1_1` as a value in 5.0
hashicorp · Jan 8, 2025 · d146017 · d146017
1 parent 09cb4bc
commit d146017
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/internal/services/storage/storage_account_resource.go b/internal/services/storage/storage_account_resource.go
@@ -298,10 +298,12 @@ func resourceStorageAccount() *pluginsdk.Resource {
 			},
 
 			"min_tls_version": {
-				Type:         pluginsdk.TypeString,
-				Optional:     true,
-				Default:      string(storageaccounts.MinimumTlsVersionTLSOneTwo),
-				ValidateFunc: validation.StringInSlice(storageaccounts.PossibleValuesForMinimumTlsVersion(), false),
+				Type:     pluginsdk.TypeString,
+				Optional: true,
+				Default:  string(storageaccounts.MinimumTlsVersionTLSOneTwo),
+				ValidateFunc: validation.StringInSlice([]string{
+					string(storageaccounts.MinimumTlsVersionTLSOneTwo),
+				}, false),
 			},
 
 			"is_hns_enabled": {
@@ -1273,6 +1275,15 @@ func resourceStorageAccount() *pluginsdk.Resource {
 		Deprecated: "this block has been deprecated and superseded by the `azurerm_storage_account_queue_properties` resource and will be removed in v5.0 of the AzureRM provider",
 	}
 
+	if !features.FivePointOhBeta() {
+		resource.Schema["min_tls_version"] = &pluginsdk.Schema{
+			Type:         pluginsdk.TypeString,
+			Optional:     true,
+			Default:      string(storageaccounts.MinimumTlsVersionTLSOneTwo),
+			ValidateFunc: validation.StringInSlice(storageaccounts.PossibleValuesForMinimumTlsVersion(), false),
+		}
+	}
+
 	return resource
 }
 

diff --git a/internal/services/storage/storage_account_resource_test.go b/internal/services/storage/storage_account_resource_test.go
@@ -241,6 +241,9 @@ func TestAccStorageAccount_enableHttpsTrafficOnly(t *testing.T) {
 }
 
 func TestAccStorageAccount_minTLSVersion(t *testing.T) {
+	if features.FivePointOhBeta() {
+		t.Skipf("Skipping as the only possible value for `minimum_tls_version` is `1.2`")
+	}
 	data := acceptance.BuildTestData(t, "azurerm_storage_account", "test")
 	r := StorageAccountResource{}
 

diff --git a/website/docs/5.0-upgrade-guide.html.markdown b/website/docs/5.0-upgrade-guide.html.markdown
@@ -153,6 +153,7 @@ Please follow the format in the example below for listing breaking changes in re
 
 * The deprecated `queue_properties` block has been removed and superseded by the `azurerm_storage_account_queue_properties` resource.
 * The deprecated `static_website` block has been removed and superseded by the `azurerm_storage_account_static_website` resource.
+* The property `minimum_tls_version` no longer accepts `TLS1_0` or `TLS1_1` as a value.
 
 ### `azurerm_storage_container`
 

diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
@@ -104,6 +104,8 @@ The following arguments are supported:
 
 * `min_tls_version` - (Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_2` for new storage accounts.
 
+~> **NOTE:** Azure Services will require TLS 1.2+ by August 2025, please see this [announcement](https://azure.microsoft.com/en-us/updates/v2/update-retirement-tls1-0-tls1-1-versions-azure-services/) for more.
+
 -> **Note:** At this time `min_tls_version` is only supported in the Public Cloud, China Cloud, and US Government Cloud.
 
 * `allow_nested_items_to_be_public` - (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to `true`.