Ensure Azure MariaDB server is using latest TLS (1.2)

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Ensure Azure MariaDB server is using latest TLS (1.2)

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: 8f0e6b2d-3c9a-4f1e-8d2a-7b6c5d4e3f21

Cloud Provider: Azure

Platform: Terraform

Severity: High

Category: Encryption

Learn More

Provider Reference

Description

Using outdated TLS versions in Azure MariaDB servers exposes your database to known vulnerabilities and encryption weaknesses, potentially allowing attackers to intercept and decrypt sensitive data. Without proper SSL enforcement and TLS 1.2 (or higher) configuration, your database communications remain susceptible to man-in-the-middle attacks and other security exploits that have been addressed in newer TLS versions.

To secure your Azure MariaDB server, you must set both the ssl_enforcement_enabled flag to true and ssl_minimal_tls_version_enforced to TLS1_2, as shown in the following example:

resource "azurerm_mariadb_server" "good_example" {
  name                = "good-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_2"]
}

Compliant Code Examples

# Passing example: ssl_minimal_tls_version_enforced not defined (defaults to TLS1_2)
resource "azurerm_mariadb_server" "good_example_default" {
  name                = "good-mariadb-server-default"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled = ["true"]
  # ssl_minimal_tls_version_enforced not specified → defaults to TLS1_2
}

# Passing example: Correct enforcement and TLS settings
resource "azurerm_mariadb_server" "good_example" {
  name                = "good-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_2"] # Correct setting
}

Non-Compliant Code Examples

# Failing example: ssl_enforcement_enabled is not "true"
resource "azurerm_mariadb_server" "bad_example" {
  name                = "bad-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["false"]  # ❌ Incorrect value
  ssl_minimal_tls_version_enforced = ["TLS1_2"] # Even if TLS is correct, enforcement flag is wrong
}

# Failing example: ssl_enforcement_enabled is "true" but minimal TLS is set incorrectly
resource "azurerm_mariadb_server" "bad_example2" {
  name                = "bad-mariadb-server-2"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_0"] # ❌ Incorrect TLS version
}