---
title: Ensure MySQL is using the latest version of TLS encryption
description: Datadog, the leading service for cloud-scale monitoring.
---

# Ensure MySQL is using the latest version of TLS encryption

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-azure-mysql-not-using-latest-tls` 

**Provider:** Azure

**Platform:** Terraform

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/azurerm/3.117.1/docs/resources/mysql_server#ssl_minimal_tls_version_enforced-2)

### Description{% #description %}

Outdated TLS versions (TLS 1.0/1.1) contain vulnerabilities that attackers can exploit to intercept sensitive data transmitted between the client and the MySQL server. When TLS 1.0/1.1 is used, your database traffic is exposed to man-in-the-middle attacks, potentially exposing usernames, passwords, and sensitive data. Using TLS 1.2 addresses these security weaknesses and provides stronger encryption algorithms and more secure cipher suites. To ensure proper configuration, replace `ssl_minimal_tls_version_enforced = "TLS1_0"` with `ssl_minimal_tls_version_enforced = "TLS1_2"` in your Azure MySQL server resource. The azurerm provider takes this attribute as a single string, not a list.

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "azurerm_mysql_server" "good_example" {
  name                = "good-mysql-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_minimal_tls_version_enforced = "TLS1_2" # ✅ Correct TLS version
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "azurerm_mysql_server" "bad_example" {
  name                = "bad-mysql-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_minimal_tls_version_enforced = "TLS1_0" # ❌ Outdated TLS version
}
```
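
A small pre-merge check for the setting described above, as an added example (not Datadog's rule implementation): it scans Terraform text for `azurerm_mysql_server` blocks whose `ssl_minimal_tls_version_enforced` is below TLS 1.2, or is not a literal and so needs manual review. The function names and the sample configuration are constructed for illustration, and brace matching is simplified (it ignores braces inside strings or comments).

```python
import re

# Values the azurerm provider accepts that are weaker than TLS 1.2.
WEAK = {"TLS1_0", "TLS1_1", "TLSEnforcementDisabled"}
RESOURCE_RE = re.compile(r'resource\s+"azurerm_mysql_server"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*ssl_minimal_tls_version_enforced\s*=\s*(.+?)\s*(?:#.*)?$', re.M)

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def find_weak_tls(hcl):
    """Map resource name -> offending values for azurerm_mysql_server blocks."""
    findings = {}
    for m in RESOURCE_RE.finditer(hcl):
        body = block_body(hcl, m.end() - 1)
        attr = ATTR_RE.search(body)
        if attr is None:
            continue  # attribute unset: left to the provider default
        # Accept both the "TLS1_0" and ["TLS1_0"] spellings of the value.
        values = re.findall(r'"([^"]+)"', attr.group(1))
        weak = [v for v in values if v in WEAK]
        # A non-literal value (e.g. a variable) cannot be judged statically.
        if weak or not values:
            findings[m.group(1)] = weak or ["<non-literal>"]
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = '''
resource "azurerm_mysql_server" "good_example" {
  ssl_minimal_tls_version_enforced = "TLS1_2"
}
resource "azurerm_mysql_server" "bad_example" {
  threat_detection_policy {
    enabled = true
  }
  ssl_minimal_tls_version_enforced = "TLS1_0" # outdated
}
'''

if __name__ == "__main__":
    print(find_weak_tls(SAMPLE))
```
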
