diff --git a/internal/services/appservice/helpers/function_app_schema.go b/internal/services/appservice/helpers/function_app_schema.go index 83aebea14f2d..6e901c8d4259 100644 --- a/internal/services/appservice/helpers/function_app_schema.go +++ b/internal/services/appservice/helpers/function_app_schema.go @@ -57,6 +57,7 @@ type SiteConfigLinuxFunctionApp struct { ApplicationStack []ApplicationStackLinuxFunctionApp `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` LinuxFxVersion string `tfschema:"linux_fx_version"` @@ -313,6 +314,13 @@ func SiteConfigSchemaLinuxFunctionApp() *pluginsdk.Schema { Description: "Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`.", }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "vnet_route_all_enabled": { @@ -507,6 +515,11 @@ func SiteConfigSchemaLinuxFunctionAppComputed() *pluginsdk.Schema { Computed: true, }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Computed: true, + }, + "cors": CorsSettingsSchemaComputed(), "vnet_route_all_enabled": { 
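Review bot: The `Description` added for `minimum_tls_cipher_suite` in `SiteConfigSchemaLinuxFunctionApp` (hunk `@@ -313,6 +314,13 @@`) does not say which values are accepted, what "minimum" means for a cipher suite, or what applies when the attribute is omitted, so a reader cannot tell whether a given value tightens or loosens the site's TLS posture. The `scm_minimum_tls_version` description just above it lists its values and default, and this one should do the same. Assuming the service treats the value as the weakest suite it will negotiate, something like `Description: "The weakest TLS cipher suite the Site will negotiate for incoming requests. Possible values include TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256."` would do, with the full list taken from `webapps.PossibleValuesForTlsCipherSuites()`. The same one-sentence description is repeated in the Windows function app schema, both function app slot schemas, and the Linux and Windows web app and web app slot schemas; every one of these schema functions extends beyond its hunk.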
@@ -561,6 +574,7 @@ type SiteConfigWindowsFunctionApp struct { ApplicationStack []ApplicationStackWindowsFunctionApp `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` WindowsFxVersion string `tfschema:"windows_fx_version"` @@ -800,6 +814,13 @@ func SiteConfigSchemaWindowsFunctionApp() *pluginsdk.Schema { Description: "Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`.", }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "vnet_route_all_enabled": { @@ -983,6 +1004,11 @@ func SiteConfigSchemaWindowsFunctionAppComputed() *pluginsdk.Schema { Computed: true, }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Computed: true, + }, + "cors": CorsSettingsSchemaComputed(), "vnet_route_all_enabled": { @@ -1737,6 +1763,10 @@ func ExpandSiteConfigLinuxFunctionApp(siteConfig []SiteConfigLinuxFunctionApp, e expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(linuxSiteConfig.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(linuxSiteConfig.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(linuxSiteConfig.Cors) expanded.Cors = cors 
@@ -1977,6 +2007,10 @@ func ExpandSiteConfigWindowsFunctionApp(siteConfig []SiteConfigWindowsFunctionAp expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(windowsSiteConfig.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(windowsSiteConfig.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(windowsSiteConfig.Cors) expanded.Cors = cors @@ -2028,6 +2062,7 @@ func FlattenSiteConfigLinuxFunctionApp(functionAppSiteConfig *webapps.SiteConfig RuntimeScaleMonitoring: pointer.From(functionAppSiteConfig.FunctionsRuntimeScaleMonitoringEnabled), MinTlsVersion: string(pointer.From(functionAppSiteConfig.MinTlsVersion)), ScmMinTlsVersion: string(pointer.From(functionAppSiteConfig.ScmMinTlsVersion)), + MinTlsCipherSuite: string(pointer.From(functionAppSiteConfig.MinTlsCipherSuite)), PreWarmedInstanceCount: pointer.From(functionAppSiteConfig.PreWarmedInstanceCount), ElasticInstanceMinimum: pointer.From(functionAppSiteConfig.MinimumElasticInstanceCount), Use32BitWorker: pointer.From(functionAppSiteConfig.Use32BitWorkerProcess), @@ -2094,6 +2129,7 @@ func FlattenSiteConfigWindowsFunctionApp(functionAppSiteConfig *webapps.SiteConf RuntimeScaleMonitoring: pointer.From(functionAppSiteConfig.FunctionsRuntimeScaleMonitoringEnabled), MinTlsVersion: string(pointer.From(functionAppSiteConfig.MinTlsVersion)), ScmMinTlsVersion: string(pointer.From(functionAppSiteConfig.ScmMinTlsVersion)), + MinTlsCipherSuite: string(pointer.From(functionAppSiteConfig.MinTlsCipherSuite)), PreWarmedInstanceCount: pointer.From(functionAppSiteConfig.PreWarmedInstanceCount), ElasticInstanceMinimum: pointer.From(functionAppSiteConfig.MinimumElasticInstanceCount), Use32BitWorker: pointer.From(functionAppSiteConfig.Use32BitWorkerProcess), 
diff --git a/internal/services/appservice/helpers/function_app_slot_schema.go b/internal/services/appservice/helpers/function_app_slot_schema.go index d2a5b6f446df..e22f8b8196df 100644 --- a/internal/services/appservice/helpers/function_app_slot_schema.go +++ b/internal/services/appservice/helpers/function_app_slot_schema.go @@ -50,6 +50,7 @@ type SiteConfigWindowsFunctionAppSlot struct { ApplicationStack []ApplicationStackWindowsFunctionApp `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` WindowsFxVersion string `tfschema:"windows_fx_version"` @@ -301,6 +302,13 @@ func SiteConfigSchemaWindowsFunctionAppSlot() *pluginsdk.Schema { Description: "Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`.", }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "vnet_route_all_enabled": { @@ -362,6 +370,7 @@ type SiteConfigLinuxFunctionAppSlot struct { ApplicationStack []ApplicationStackLinuxFunctionApp `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` LinuxFxVersion string `tfschema:"linux_fx_version"` 
@@ -627,6 +636,13 @@ func SiteConfigSchemaLinuxFunctionAppSlot() *pluginsdk.Schema { Description: "Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`.", }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "vnet_route_all_enabled": { @@ -846,6 +862,10 @@ func ExpandSiteConfigWindowsFunctionAppSlot(siteConfig []SiteConfigWindowsFuncti expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(windowsSlotSiteConfig.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(windowsSlotSiteConfig.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(windowsSlotSiteConfig.Cors) expanded.Cors = cors @@ -883,6 +903,7 @@ func FlattenSiteConfigWindowsFunctionAppSlot(functionAppSlotSiteConfig *webapps. RuntimeScaleMonitoring: pointer.From(functionAppSlotSiteConfig.FunctionsRuntimeScaleMonitoringEnabled), MinTlsVersion: string(pointer.From(functionAppSlotSiteConfig.MinTlsVersion)), ScmMinTlsVersion: string(pointer.From(functionAppSlotSiteConfig.ScmMinTlsVersion)), + MinTlsCipherSuite: string(pointer.From(functionAppSlotSiteConfig.MinTlsCipherSuite)), PreWarmedInstanceCount: pointer.From(functionAppSlotSiteConfig.PreWarmedInstanceCount), ElasticInstanceMinimum: pointer.From(functionAppSlotSiteConfig.MinimumElasticInstanceCount), Use32BitWorker: pointer.From(functionAppSlotSiteConfig.Use32BitWorkerProcess), 
@@ -1187,6 +1208,10 @@ func ExpandSiteConfigLinuxFunctionAppSlot(siteConfig []SiteConfigLinuxFunctionAp expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(linuxSlotSiteConfig.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(linuxSlotSiteConfig.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(linuxSlotSiteConfig.Cors) expanded.Cors = cors @@ -1225,6 +1250,7 @@ func FlattenSiteConfigLinuxFunctionAppSlot(functionAppSlotSiteConfig *webapps.Si RuntimeScaleMonitoring: pointer.From(functionAppSlotSiteConfig.FunctionsRuntimeScaleMonitoringEnabled), MinTlsVersion: string(pointer.From(functionAppSlotSiteConfig.MinTlsVersion)), ScmMinTlsVersion: string(pointer.From(functionAppSlotSiteConfig.ScmMinTlsVersion)), + MinTlsCipherSuite: string(pointer.From(functionAppSlotSiteConfig.MinTlsCipherSuite)), PreWarmedInstanceCount: pointer.From(functionAppSlotSiteConfig.PreWarmedInstanceCount), ElasticInstanceMinimum: pointer.From(functionAppSlotSiteConfig.MinimumElasticInstanceCount), Use32BitWorker: pointer.From(functionAppSlotSiteConfig.Use32BitWorkerProcess), diff --git a/internal/services/appservice/helpers/linux_web_app_schema.go b/internal/services/appservice/helpers/linux_web_app_schema.go index 6d5301246800..38343206f257 100644 --- a/internal/services/appservice/helpers/linux_web_app_schema.go +++ b/internal/services/appservice/helpers/linux_web_app_schema.go 
@@ -48,6 +48,7 @@ type SiteConfigLinux struct { ApplicationStack []ApplicationStackLinux `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` LinuxFxVersion string `tfschema:"linux_fx_version"` @@ -250,6 +251,13 @@ func SiteConfigSchemaLinux() *pluginsdk.Schema { ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForSupportedTlsVersions(), false), }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "vnet_route_all_enabled": { @@ -415,6 +423,11 @@ func SiteConfigSchemaLinuxComputed() *pluginsdk.Schema { Computed: true, }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Computed: true, + }, + "cors": CorsSettingsSchemaComputed(), "detailed_error_logging_enabled": { @@ -865,6 +878,7 @@ func (s *SiteConfigLinux) ExpandForCreate(appSettings map[string]string) (*webap expanded.MinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.MinTlsVersion)) expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) expanded.AutoHealEnabled = pointer.To(false) + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) expanded.VnetRouteAllEnabled = pointer.To(s.VnetRouteAllEnabled) expanded.IPSecurityRestrictionsDefaultAction = pointer.To(webapps.DefaultAction(s.IpRestrictionDefaultAction)) expanded.ScmIPSecurityRestrictionsDefaultAction = pointer.To(webapps.DefaultAction(s.ScmIpRestrictionDefaultAction)) 
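Review bot: In `SiteConfigLinux.ExpandForCreate` (hunk `@@ -865,6 +878,7 @@`) the new assignment runs unconditionally, so when `minimum_tls_cipher_suite` is not configured the create request carries a non-nil pointer to an empty `webapps.TlsCipherSuites` value instead of leaving the field unset. The attribute is `Optional` with no `Default`, and the update path in this same commit assigns only under `HasChange`, so I would guard the create path as well: `if s.MinTlsCipherSuite != "" { expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) }`. How the service interprets an empty suite is not visible from this diff, which is the reason not to send one for a transport-security setting. The same line is added to `ExpandForCreate` on `SiteConfigLinuxWebAppSlot`, `SiteConfigWindowsWebAppSlot` and `SiteConfigWindows`; all four function bodies continue outside their hunks.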
@@ -1136,6 +1150,10 @@ func (s *SiteConfigLinux) ExpandForUpdate(metadata sdk.ResourceMetaData, existin expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(s.Cors) if cors == nil { @@ -1179,6 +1197,7 @@ func (s *SiteConfigLinux) Flatten(appSiteConfig *webapps.SiteConfig) { s.RemoteDebuggingVersion = strings.ToUpper(pointer.From(appSiteConfig.RemoteDebuggingVersion)) s.ScmIpRestriction = FlattenIpRestrictions(appSiteConfig.ScmIPSecurityRestrictions) s.ScmMinTlsVersion = string(pointer.From(appSiteConfig.ScmMinTlsVersion)) + s.MinTlsCipherSuite = string(pointer.From(appSiteConfig.MinTlsCipherSuite)) s.ScmUseMainIpRestriction = pointer.From(appSiteConfig.ScmIPSecurityRestrictionsUseMain) s.Use32BitWorker = pointer.From(appSiteConfig.Use32BitWorkerProcess) s.UseManagedIdentityACR = pointer.From(appSiteConfig.AcrUseManagedIdentityCreds) diff --git a/internal/services/appservice/helpers/web_app_slot_schema.go b/internal/services/appservice/helpers/web_app_slot_schema.go index cbc350337f59..4a2b572679bf 100644 --- a/internal/services/appservice/helpers/web_app_slot_schema.go +++ b/internal/services/appservice/helpers/web_app_slot_schema.go @@ -48,6 +48,7 @@ type SiteConfigLinuxWebAppSlot struct { ApplicationStack []ApplicationStackLinux `tfschema:"application_stack"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` LinuxFxVersion string `tfschema:"linux_fx_version"` 
@@ -237,6 +238,13 @@ func SiteConfigSchemaLinuxWebAppSlot() *pluginsdk.Schema { ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForSupportedTlsVersions(), false), }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "auto_swap_slot_name": { @@ -299,6 +307,7 @@ type SiteConfigWindowsWebAppSlot struct { VirtualApplications []VirtualApplication `tfschema:"virtual_application"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` WindowsFxVersion string `tfschema:"windows_fx_version"` @@ -492,6 +501,13 @@ func SiteConfigSchemaWindowsWebAppSlot() *pluginsdk.Schema { ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForSupportedTlsVersions(), false), }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "handler_mapping": HandlerMappingSchema(), 
@@ -535,6 +551,7 @@ func (s *SiteConfigLinuxWebAppSlot) ExpandForCreate(appSettings map[string]strin expanded.MinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.MinTlsVersion)) expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) expanded.AutoHealEnabled = pointer.To(false) + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) expanded.VnetRouteAllEnabled = pointer.To(s.VnetRouteAllEnabled) expanded.IPSecurityRestrictionsDefaultAction = pointer.To(webapps.DefaultAction(s.IpRestrictionDefaultAction)) expanded.ScmIPSecurityRestrictionsDefaultAction = pointer.To(webapps.DefaultAction(s.ScmIpRestrictionDefaultAction)) @@ -818,6 +835,10 @@ func (s *SiteConfigLinuxWebAppSlot) ExpandForUpdate(metadata sdk.ResourceMetaDat expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(s.Cors) if cors == nil { @@ -861,6 +882,7 @@ func (s *SiteConfigLinuxWebAppSlot) Flatten(appSiteSlotConfig *webapps.SiteConfi s.RemoteDebuggingVersion = strings.ToUpper(pointer.From(appSiteSlotConfig.RemoteDebuggingVersion)) s.ScmIpRestriction = FlattenIpRestrictions(appSiteSlotConfig.ScmIPSecurityRestrictions) s.ScmMinTlsVersion = string(pointer.From(appSiteSlotConfig.ScmMinTlsVersion)) + s.MinTlsCipherSuite = string(pointer.From(appSiteSlotConfig.MinTlsCipherSuite)) s.ScmUseMainIpRestriction = pointer.From(appSiteSlotConfig.ScmIPSecurityRestrictionsUseMain) s.Use32BitWorker = pointer.From(appSiteSlotConfig.Use32BitWorkerProcess) s.UseManagedIdentityACR = pointer.From(appSiteSlotConfig.AcrUseManagedIdentityCreds) 
@@ -970,6 +992,7 @@ func (s *SiteConfigWindowsWebAppSlot) ExpandForCreate(appSettings map[string]str expanded.RemoteDebuggingEnabled = pointer.To(s.RemoteDebugging) expanded.ScmIPSecurityRestrictionsUseMain = pointer.To(s.ScmUseMainIpRestriction) expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) expanded.Use32BitWorkerProcess = pointer.To(s.Use32BitWorker) expanded.WebSocketsEnabled = pointer.To(s.WebSockets) expanded.HandlerMappings = expandHandlerMapping(s.HandlerMapping) @@ -1289,6 +1312,10 @@ func (s *SiteConfigWindowsWebAppSlot) ExpandForUpdate(metadata sdk.ResourceMetaD expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(s.Cors) if cors == nil { @@ -1339,6 +1366,7 @@ func (s *SiteConfigWindowsWebAppSlot) Flatten(appSiteSlotConfig *webapps.SiteCon s.RemoteDebuggingVersion = strings.ToUpper(pointer.From(appSiteSlotConfig.RemoteDebuggingVersion)) s.ScmIpRestriction = FlattenIpRestrictions(appSiteSlotConfig.ScmIPSecurityRestrictions) s.ScmMinTlsVersion = string(pointer.From(appSiteSlotConfig.ScmMinTlsVersion)) + s.MinTlsCipherSuite = string(pointer.From(appSiteSlotConfig.MinTlsCipherSuite)) s.ScmType = string(pointer.From(appSiteSlotConfig.ScmType)) s.ScmUseMainIpRestriction = pointer.From(appSiteSlotConfig.ScmIPSecurityRestrictionsUseMain) s.Use32BitWorker = pointer.From(appSiteSlotConfig.Use32BitWorkerProcess) diff --git a/internal/services/appservice/helpers/windows_web_app_schema.go b/internal/services/appservice/helpers/windows_web_app_schema.go index 2a8ae81d0c7f..7ff0347bfccf 100644 
--- a/internal/services/appservice/helpers/windows_web_app_schema.go +++ b/internal/services/appservice/helpers/windows_web_app_schema.go @@ -50,6 +50,7 @@ type SiteConfigWindows struct { VirtualApplications []VirtualApplication `tfschema:"virtual_application"` MinTlsVersion string `tfschema:"minimum_tls_version"` ScmMinTlsVersion string `tfschema:"scm_minimum_tls_version"` + MinTlsCipherSuite string `tfschema:"minimum_tls_cipher_suite"` Cors []CorsSetting `tfschema:"cors"` DetailedErrorLogging bool `tfschema:"detailed_error_logging_enabled"` WindowsFxVersion string `tfschema:"windows_fx_version"` @@ -260,6 +261,13 @@ func SiteConfigSchemaWindows() *pluginsdk.Schema { ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForSupportedTlsVersions(), false), }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForTlsCipherSuites(), false), + Description: "Configures the minimum TLS cipher suite for the incoming requests to the Site.", + }, + "cors": CorsSettingsSchema(), "handler_mapping": HandlerMappingSchema(), @@ -434,6 +442,11 @@ func SiteConfigSchemaWindowsComputed() *pluginsdk.Schema { Computed: true, }, + "minimum_tls_cipher_suite": { + Type: pluginsdk.TypeString, + Computed: true, + }, + "cors": CorsSettingsSchemaComputed(), "handler_mapping": HandlerMappingSchemaComputed(), 
@@ -474,6 +487,7 @@ func (s *SiteConfigWindows) ExpandForCreate(appSettings map[string]string) (*web expanded.RemoteDebuggingEnabled = pointer.To(s.RemoteDebugging) expanded.ScmIPSecurityRestrictionsUseMain = pointer.To(s.ScmUseMainIpRestriction) expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) expanded.Use32BitWorkerProcess = pointer.To(s.Use32BitWorker) expanded.WebSocketsEnabled = pointer.To(s.WebSockets) expanded.HandlerMappings = expandHandlerMapping(s.HandlerMapping) @@ -796,6 +810,10 @@ func (s *SiteConfigWindows) ExpandForUpdate(metadata sdk.ResourceMetaData, exist expanded.ScmMinTlsVersion = pointer.To(webapps.SupportedTlsVersions(s.ScmMinTlsVersion)) } + if metadata.ResourceData.HasChange("site_config.0.minimum_tls_cipher_suite") { + expanded.MinTlsCipherSuite = pointer.To(webapps.TlsCipherSuites(s.MinTlsCipherSuite)) + } + if metadata.ResourceData.HasChange("site_config.0.cors") { cors := ExpandCorsSettings(s.Cors) if cors == nil { @@ -841,6 +859,7 @@ func (s *SiteConfigWindows) Flatten(appSiteConfig *webapps.SiteConfig, currentSt s.RemoteDebugging = pointer.From(appSiteConfig.RemoteDebuggingEnabled) s.RemoteDebuggingVersion = strings.ToUpper(pointer.From(appSiteConfig.RemoteDebuggingVersion)) s.ScmIpRestriction = FlattenIpRestrictions(appSiteConfig.ScmIPSecurityRestrictions) + s.MinTlsCipherSuite = string(pointer.From(appSiteConfig.MinTlsCipherSuite)) s.ScmMinTlsVersion = string(pointer.From(appSiteConfig.ScmMinTlsVersion)) s.ScmType = string(pointer.From(appSiteConfig.ScmType)) s.ScmUseMainIpRestriction = pointer.From(appSiteConfig.ScmIPSecurityRestrictionsUseMain) diff --git a/internal/services/appservice/linux_function_app_resource_test.go b/internal/services/appservice/linux_function_app_resource_test.go index ff5f35dd3723..c3b2e94c25e5 100644 --- a/internal/services/appservice/linux_function_app_resource_test.go 
+++ b/internal/services/appservice/linux_function_app_resource_test.go @@ -1713,6 +1713,42 @@ func TestAccLinuxFunctionApp_publicNetworkAccessUpdate(t *testing.T) { }) } +func TestAccLinuxFunctionApp_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_linux_function_app", "test") + r := LinuxFunctionAppResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data, SkuPremiumPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuPremiumPlan, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuPremiumPlan, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data, SkuPremiumPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // CustomDiff tests func TestAccLinuxFunctionApp_consumptionPlanBackupShouldError(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_linux_function_app", "test") 
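Review bot: Every step in `TestAccLinuxFunctionApp_tlsSettingUpdate` asserts only `ExistsInAzure`, so the test never states which cipher suite the resource should end up with, and a regression in expand or flatten is caught only indirectly through the plan and import comparison. Adding `check.That(data.ResourceName).Key("site_config.0.minimum_tls_cipher_suite").HasValue("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),` to the second step, and the matching value to the third, pins the round trip explicitly. The final step, which returns to `r.basic`, deserves a short comment saying it verifies that removing the attribute leaves no residual diff. The `tlsSettingUpdate` tests added for the Linux function app slot, Linux web app, Linux web app slot and Windows function app follow the same pattern.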
@@ -4668,3 +4704,27 @@ data "azurerm_storage_account_sas" "test" { } `, r.template(data, planSKU), data.RandomInteger) } + +func (r LinuxFunctionAppResource) tlsCipherSuiteConfigured(data acceptance.TestData, planSku string, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_linux_function_app" "test" { + name = "acctest-WFA-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + service_plan_id = azurerm_service_plan.test.id + + storage_account_name = azurerm_storage_account.test.name + storage_account_access_key = azurerm_storage_account.test.primary_access_key + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.template(data, planSku), data.RandomInteger, tlsCipherSuiteValue) +} diff --git a/internal/services/appservice/linux_function_app_slot_resource_test.go b/internal/services/appservice/linux_function_app_slot_resource_test.go index c2fe48dbd053..a90914f7c631 100644 --- a/internal/services/appservice/linux_function_app_slot_resource_test.go +++ b/internal/services/appservice/linux_function_app_slot_resource_test.go 
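Review bot: The `name` in the new `tlsCipherSuiteConfigured` fixture is `"acctest-WFA-%d"` although the resource is `azurerm_linux_function_app`; the prefix looks carried over from the Windows function app tests. The slot fixture added in this commit uses `acctest-LFAS-%d`, so `name = "acctest-LFA-%d"` would keep any leaked test resources attributable to the right suite. A doc comment such as `// tlsCipherSuiteConfigured returns a config whose site_config sets only minimum_tls_cipher_suite.` would also make the helper's purpose clear next to the many other fixtures in this file.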
@@ -1447,6 +1447,42 @@ func TestAccLinuxFunctionAppSlot_basicWithTlsOnePointThree(t *testing.T) { }) } +func TestAccLinuxFunctionAppSlot_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_linux_function_app_slot", "test") + r := LinuxFunctionAppSlotResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data, SkuStandardPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuStandardPlan, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuStandardPlan, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data, SkuStandardPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // Configs func (r LinuxFunctionAppSlotResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { 
@@ -1487,6 +1523,27 @@ resource "azurerm_linux_function_app_slot" "test" { `, r.template(data, planSku), data.RandomInteger) } +func (r LinuxFunctionAppSlotResource) tlsCipherSuiteConfigured(data acceptance.TestData, planSku string, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_linux_function_app_slot" "test" { + name = "acctest-LFAS-%d" + function_app_id = azurerm_linux_function_app.test.id + storage_account_name = azurerm_storage_account.test.name + storage_account_access_key = azurerm_storage_account.test.primary_access_key + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.template(data, planSku), data.RandomInteger, tlsCipherSuiteValue) +} + func (r LinuxFunctionAppSlotResource) healthCheckPath(data acceptance.TestData, planSku string) string { return fmt.Sprintf(` provider "azurerm" { @@ -2342,8 +2399,9 @@ resource "azurerm_linux_function_app_slot" "test" { python_version = "3.9" } - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ @@ -2722,8 +2780,9 @@ resource "azurerm_linux_function_app_slot" "test" { health_check_eviction_time_in_min = 3 worker_count = 3 - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ @@ -3084,8 +3143,9 @@ resource "azurerm_linux_function_app_slot" "test" { health_check_eviction_time_in_min = 3 worker_count = 3 - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ 
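Review bot: The fixture changed by hunk `@@ -2342,8 +2399,9 @@` now sets `minimum_tls_version = "1.1"` together with `minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256"`, and that suite is defined only for TLS 1.3. Depending on how the service combines the two settings, one of them is presumably ineffective, and nothing in the schema or the test says which one wins. I would either choose a suite that TLS 1.2 can negotiate for this fixture, or, once the behaviour is confirmed, add a comment such as `# TLS 1.3-only suite: a minimum_tls_version below 1.3 is expected to have no effect`. The hunks at `@@ -2722,8 +2780,9 @@` and `@@ -3084,8 +3143,9 @@` make the same change, and each fixture's enclosing function begins outside its hunk.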
diff --git a/internal/services/appservice/linux_web_app_resource_test.go b/internal/services/appservice/linux_web_app_resource_test.go index 508b9e7af122..db7cdbf51a30 100644 --- a/internal/services/appservice/linux_web_app_resource_test.go +++ b/internal/services/appservice/linux_web_app_resource_test.go @@ -1689,6 +1689,42 @@ func TestAccLinuxWebApp_publicNetworkAccessUpdate(t *testing.T) { }) } +func TestAccLinuxWebApp_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_linux_web_app", "test") + r := LinuxWebAppResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.javaPremiumV3Plan(data, "8", "JBOSSEAP", "7.3"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "8", "JBOSSEAP", "7.3", "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "8", "JBOSSEAP", "7.3", "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.javaPremiumV3Plan(data, "8", "JBOSSEAP", "7.3"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // Exists func func (r LinuxWebAppResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { 
@@ -3831,3 +3867,29 @@ resource "azurerm_linux_web_app" "test" { } `, r.baseTemplate(data), data.RandomInteger, data.RandomInteger) } + +func (r LinuxWebAppResource) tlsCipherSuiteConfigured(data acceptance.TestData, javaVersion, javaServer, javaServerVersion string, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_linux_web_app" "test" { + name = "acctestWA-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + service_plan_id = azurerm_service_plan.test.id + + site_config { + application_stack { + java_version = "%s" + java_server = "%s" + java_server_version = "%s" + } + minimum_tls_cipher_suite = "%s" + } +} +`, r.premiumV3PlanTemplate(data), data.RandomInteger, javaVersion, javaServer, javaServerVersion, tlsCipherSuiteValue) +} diff --git a/internal/services/appservice/linux_web_app_slot_resource_test.go b/internal/services/appservice/linux_web_app_slot_resource_test.go index 89fa4a95538a..c5feb309c109 100644 --- a/internal/services/appservice/linux_web_app_slot_resource_test.go +++ b/internal/services/appservice/linux_web_app_slot_resource_test.go 
@@ -1441,6 +1441,42 @@ func TestAccLinuxWebAppSlot_publicNetworkAccessUpdate(t *testing.T) { }) } +func TestAccLinuxWebAppSlot_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_linux_web_app_slot", "test") + r := LinuxWebAppSlotResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // Exists func (r LinuxWebAppSlotResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { @@ -1483,6 +1519,25 @@ resource "azurerm_linux_web_app_slot" "test" { `, r.baseTemplate(data), data.RandomInteger) } +func (r LinuxWebAppSlotResource) tlsCipherSuiteConfigured(data acceptance.TestData, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_linux_web_app_slot" "test" { + name = "acctestWAS-%d" + app_service_id = azurerm_linux_web_app.test.id + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.baseTemplate(data), data.RandomInteger, tlsCipherSuiteValue) +} + func (r LinuxWebAppSlotResource) basicWithTags(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { 
diff --git a/internal/services/appservice/windows_function_app_resource_test.go b/internal/services/appservice/windows_function_app_resource_test.go index 03c4814b8201..5f3befb5699e 100644 --- a/internal/services/appservice/windows_function_app_resource_test.go +++ b/internal/services/appservice/windows_function_app_resource_test.go @@ -1653,6 +1653,42 @@ func TestAccWindowsFunctionApp_basicOutputs(t *testing.T) { }) } +func TestAccWindowsFunctionApp_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_windows_function_app", "test") + r := WindowsFunctionAppResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data, SkuPremiumPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuPremiumPlan, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuPremiumPlan, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data, SkuPremiumPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // Exists func (r WindowsFunctionAppResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { 
@@ -2604,8 +2640,9 @@ resource "azurerm_windows_function_app" "test" { health_check_eviction_time_in_min = 7 worker_count = 3 - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ @@ -4096,3 +4133,27 @@ data "azurerm_storage_account_sas" "test" { } `, r.template(data, planSKU), data.RandomInteger) } + +func (r WindowsFunctionAppResource) tlsCipherSuiteConfigured(data acceptance.TestData, planSku string, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_windows_function_app" "test" { + name = "acctest-WFA-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + service_plan_id = azurerm_service_plan.test.id + + storage_account_name = azurerm_storage_account.test.name + storage_account_access_key = azurerm_storage_account.test.primary_access_key + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.template(data, planSku), data.RandomInteger, tlsCipherSuiteValue) +} diff --git a/internal/services/appservice/windows_function_app_slot_resource_test.go b/internal/services/appservice/windows_function_app_slot_resource_test.go index 774b571e2be2..5ff439859565 100644 --- a/internal/services/appservice/windows_function_app_slot_resource_test.go +++ b/internal/services/appservice/windows_function_app_slot_resource_test.go 
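Review bot: In the hunk at -2604 the added `minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256"` names a TLS 1.3 suite, while the two lines above it keep `minimum_tls_version` and `scm_minimum_tls_version` at `"1.1"`. The fixture therefore describes a combination whose effective protocol floor is not obvious from the config. If the intent is only to exercise the new attribute in the "complete" configs, a suite that matches the protocol floor, such as `minimum_tls_cipher_suite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`, would keep the fixture coherent. Otherwise an HCL comment like `# cipher suite floor is stricter than minimum_tls_version on purpose` would record that the mismatch is deliberate. The same line is added in three hunks of windows_function_app_slot_resource_test.go (-1730, -1915, -2050). The resource block starts and ends outside this hunk.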
@@ -1303,6 +1303,42 @@ func TestAccWindowsFunctionAppSlot_publicNetworkAccessUpdate(t *testing.T) { }) } +func TestAccWindowsFunctionAppSlot_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_windows_function_app_slot", "test") + r := WindowsFunctionAppSlotResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data, SkuStandardPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuStandardPlan, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, SkuStandardPlan, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data, SkuStandardPlan), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + func TestAccWindowsFunctionAppSlot_basicWithTlsOnePointThree(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_windows_function_app_slot", "test") r := WindowsFunctionAppSlotResource{} 
@@ -1361,6 +1397,27 @@ resource "azurerm_windows_function_app_slot" "test" { `, r.template(data, planSku), data.RandomInteger) } +func (r WindowsFunctionAppSlotResource) tlsCipherSuiteConfigured(data acceptance.TestData, planSku string, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_windows_function_app_slot" "test" { + name = "acctest-WFAS-%d" + function_app_id = azurerm_windows_function_app.test.id + storage_account_name = azurerm_storage_account.test.name + storage_account_access_key = azurerm_storage_account.test.primary_access_key + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.template(data, planSku), data.RandomInteger, tlsCipherSuiteValue) +} + func (r WindowsFunctionAppSlotResource) withIPRestrictions(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { @@ -1730,8 +1787,9 @@ resource "azurerm_windows_function_app_slot" "test" { powershell_core_version = "7" } - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ @@ -1915,8 +1973,9 @@ resource "azurerm_windows_function_app_slot" "test" { health_check_eviction_time_in_min = 3 worker_count = 3 - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ @@ -2050,8 +2109,9 @@ resource "azurerm_windows_function_app_slot" "test" { health_check_eviction_time_in_min = 3 worker_count = 3 - minimum_tls_version = "1.1" - scm_minimum_tls_version = "1.1" + minimum_tls_version = "1.1" + scm_minimum_tls_version = "1.1" + minimum_tls_cipher_suite = "TLS_AES_128_GCM_SHA256" cors { allowed_origins = [ 
diff --git a/internal/services/appservice/windows_web_app_resource_test.go b/internal/services/appservice/windows_web_app_resource_test.go index 21723c6504ae..c65c7b22bf68 100644 --- a/internal/services/appservice/windows_web_app_resource_test.go +++ b/internal/services/appservice/windows_web_app_resource_test.go @@ -1675,6 +1675,42 @@ func TestAccWindowsWebApp_publicNetworkAccessUpdate(t *testing.T) { }) } +func TestAccWindowsWebApp_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_windows_web_app", "test") + r := WindowsWebAppResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basicPremiumPlan(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basicPremiumPlan(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + func (r WindowsWebAppResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { id, err := commonids.ParseWebAppID(state.ID) if err != nil { 
@@ -1713,6 +1749,29 @@ resource "azurerm_windows_web_app" "test" { `, r.baseTemplate(data), data.RandomInteger) } +func (r WindowsWebAppResource) basicPremiumPlan(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_windows_web_app" "test" { + name = "acctestWA-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + service_plan_id = azurerm_service_plan.test.id + + site_config {} + + lifecycle { + ignore_changes = [webdeploy_publish_basic_authentication_enabled, ftp_publish_basic_authentication_enabled] + } +} +`, r.premiumV3PlanTemplate(data), data.RandomInteger) +} + func (r WindowsWebAppResource) basicWithTags(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { @@ -3796,6 +3855,24 @@ resource "azurerm_service_plan" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomInteger) } +func (WindowsWebAppResource) premiumV3PlanTemplate(data acceptance.TestData) string { + return fmt.Sprintf(` + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_service_plan" "test" { + name = "acctestASP-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + sku_name = "P1v3" + os_type = "Windows" +} +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger) +} + func (r WindowsWebAppResource) templateWithStorageAccount(data acceptance.TestData) string { return fmt.Sprintf(` 
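Review bot: premiumV3PlanTemplate (hunk at -3796) adds a second resource-group and service-plan template with `sku_name = "P1v3"` but has no comment saying why the cipher-suite tests need a premium plan. A doc comment such as `// premiumV3PlanTemplate provisions a Windows P1v3 service plan for the minimum_tls_cipher_suite tests.` would record that, ideally with the SKU requirement spelled out. The slot tests in this commit set the same attribute on `r.baseTemplate(data)` and `SkuStandardPlan`. So either the premium plan is not strictly required here, or the slot tests are running on a plan that may not honour the setting; it would help to say which.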
@@ -4017,3 +4094,27 @@ resource "azurerm_windows_web_app" "test" { } `, r.baseTemplate(data), data.RandomInteger, data.RandomInteger) } + +func (r WindowsWebAppResource) tlsCipherSuiteConfigured(data acceptance.TestData, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} +%s + +resource "azurerm_windows_web_app" "test" { + name = "acctestWA-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + service_plan_id = azurerm_service_plan.test.id + + site_config { + minimum_tls_cipher_suite = "%s" + } + lifecycle { + ignore_changes = [webdeploy_publish_basic_authentication_enabled, ftp_publish_basic_authentication_enabled] + } +} + +`, r.premiumV3PlanTemplate(data), data.RandomInteger, tlsCipherSuiteValue) +} diff --git a/internal/services/appservice/windows_web_app_slot_resource_test.go b/internal/services/appservice/windows_web_app_slot_resource_test.go index 80d49e0106d5..6015be45d4a1 100644 --- a/internal/services/appservice/windows_web_app_slot_resource_test.go +++ b/internal/services/appservice/windows_web_app_slot_resource_test.go 
@@ -1206,6 +1206,42 @@ func TestAccWindowsWebAppSlot_handlerMappingsUpdate(t *testing.T) { }) } +func TestAccWindowsWebAppSlot_tlsSettingUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_windows_web_app_slot", "test") + r := WindowsWebAppSlotResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_256_GCM_SHA384"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.tlsCipherSuiteConfigured(data, "TLS_AES_128_GCM_SHA256"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("site_credential.0.password"), + }) +} + // Exists func (r WindowsWebAppSlotResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { @@ -1248,6 +1284,25 @@ resource "azurerm_windows_web_app_slot" "test" { `, r.baseTemplate(data), data.RandomInteger) } +func (r WindowsWebAppSlotResource) tlsCipherSuiteConfigured(data acceptance.TestData, tlsCipherSuiteValue string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_windows_web_app_slot" "test" { + name = "acctestWAS-%d" + app_service_id = azurerm_windows_web_app.test.id + + site_config { + minimum_tls_cipher_suite = "%s" + } +} +`, r.baseTemplate(data), data.RandomInteger, tlsCipherSuiteValue) +} + func (r WindowsWebAppSlotResource) basicWithTags(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { 
diff --git a/website/docs/r/linux_function_app.html.markdown b/website/docs/r/linux_function_app.html.markdown index 9c1d3b1bca94..78fead9eead6 100644 --- a/website/docs/r/linux_function_app.html.markdown +++ b/website/docs/r/linux_function_app.html.markdown @@ -703,6 +703,8 @@ A `site_config` block supports the following: * `minimum_tls_version` - (Optional) The configures the minimum version of TLS required for SSL requests. Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `pre_warmed_instance_count` - (Optional) The number of pre-warmed instances for this function app. Only affects apps on an Elastic Premium plan. * `remote_debugging_enabled` - (Optional) Should Remote Debugging be enabled. Defaults to `false`. diff --git a/website/docs/r/linux_function_app_slot.html.markdown b/website/docs/r/linux_function_app_slot.html.markdown index 109f4cc90895..b8a533bcdc9d 100644 --- a/website/docs/r/linux_function_app_slot.html.markdown +++ b/website/docs/r/linux_function_app_slot.html.markdown 
@@ -511,6 +511,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_type` - The SCM Type in use by the Linux Function App. * `scm_use_main_ip_restriction` - (Optional) Should the Linux Function App `ip_restriction` configuration be used for the SCM also. diff --git a/website/docs/r/linux_web_app.html.markdown b/website/docs/r/linux_web_app.html.markdown index 800bc341f270..27232ab26b94 100644 --- a/website/docs/r/linux_web_app.html.markdown +++ b/website/docs/r/linux_web_app.html.markdown 
@@ -734,6 +734,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) The configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, and `1.2`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_use_main_ip_restriction` - (Optional) Should the Linux Web App `ip_restriction` configuration be used for the SCM also. * `use_32_bit_worker` - (Optional) Should the Linux Web App use a 32-bit worker? Defaults to `true`. diff --git a/website/docs/r/linux_web_app_slot.html.markdown b/website/docs/r/linux_web_app_slot.html.markdown index 8ebb66c6a07b..4f71daddfa8c 100644 --- a/website/docs/r/linux_web_app_slot.html.markdown +++ b/website/docs/r/linux_web_app_slot.html.markdown 
@@ -738,6 +738,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) The configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, and `1.2`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_use_main_ip_restriction` - (Optional) Should the Linux Web App `ip_restriction` configuration be used for the SCM also. * `use_32_bit_worker` - (Optional) Should the Linux Web App use a 32-bit worker? Defaults to `true`. diff --git a/website/docs/r/windows_function_app.html.markdown b/website/docs/r/windows_function_app.html.markdown index f29396cc5660..0dbb26cf35f1 100644 --- a/website/docs/r/windows_function_app.html.markdown +++ b/website/docs/r/windows_function_app.html.markdown 
@@ -689,6 +689,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_use_main_ip_restriction` - (Optional) Should the Windows Function App `ip_restriction` configuration be used for the SCM also. * `use_32_bit_worker` - (Optional) Should the Windows Function App use a 32-bit worker process. Defaults to `true`. diff --git a/website/docs/r/windows_function_app_slot.html.markdown b/website/docs/r/windows_function_app_slot.html.markdown index 2a82d918efbd..0478f158f7c1 100644 --- a/website/docs/r/windows_function_app_slot.html.markdown +++ b/website/docs/r/windows_function_app_slot.html.markdown 
@@ -503,6 +503,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, `1.2` and `1.3`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_type` - The SCM Type in use by the Windows Function App. * `scm_use_main_ip_restriction` - (Optional) Should the Windows Function App `ip_restriction` configuration be used for the SCM also. diff --git a/website/docs/r/windows_web_app.html.markdown b/website/docs/r/windows_web_app.html.markdown index 0b4556eb3370..6e8d746468f6 100644 --- a/website/docs/r/windows_web_app.html.markdown +++ b/website/docs/r/windows_web_app.html.markdown 
@@ -754,6 +754,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) The configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, and `1.2`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_use_main_ip_restriction` - (Optional) Should the Windows Web App `ip_restriction` configuration be used for the SCM also. * `use_32_bit_worker` - (Optional) Should the Windows Web App use a 32-bit worker. Defaults to `true`. diff --git a/website/docs/r/windows_web_app_slot.html.markdown b/website/docs/r/windows_web_app_slot.html.markdown index cfc40b750ad3..f4bab2258252 100644 --- a/website/docs/r/windows_web_app_slot.html.markdown +++ b/website/docs/r/windows_web_app_slot.html.markdown 
@@ -750,6 +750,8 @@ A `site_config` block supports the following: * `scm_minimum_tls_version` - (Optional) The configures the minimum version of TLS required for SSL requests to the SCM site Possible values include: `1.0`, `1.1`, and `1.2`. Defaults to `1.2`. +* `minimum_tls_cipher_suite` - (Optional) The configures the minimum cipher suite of TLS required for SSL requests. Possible values include: `TLS_AES_128_GCM_SHA256`,`TLS_AES_256_GCM_SHA384"`,`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"`,`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"`,`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`, `TLS_RSA_WITH_AES_128_CBC_SHA"`,`TLS_RSA_WITH_AES_128_CBC_SHA256"`,`TLS_RSA_WITH_AES_128_GCM_SHA256"`,`TLS_RSA_WITH_AES_256_CBC_SHA"`,`TLS_RSA_WITH_AES_256_CBC_SHA256"`,`TLS_RSA_WITH_AES_256_GCM_SHA384"`. + * `scm_use_main_ip_restriction` - (Optional) Should the Windows Web App Slot `ip_restriction` configuration be used for the SCM also. * `use_32_bit_worker` - (Optional) Should the Windows Web App Slot use a 32-bit worker. The default value varies from different service plans.