From 381bf54edcd33423ce5d0cf1f957cf10d98920ad Mon Sep 17 00:00:00 2001
From: Guy Harwood
Date: Fri, 10 Jan 2025 14:42:01 +0000
Subject: [PATCH 1/3] CLI script to set TLS v1.3 on web apps
---
deploy/app-service/set-tls-v1.3.sh | 35 ++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100755 deploy/app-service/set-tls-v1.3.sh
diff --git a/deploy/app-service/set-tls-v1.3.sh b/deploy/app-service/set-tls-v1.3.sh
new file mode 100755
index 0000000000..d4fcb5b704
--- /dev/null
+++ b/deploy/app-service/set-tls-v1.3.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+#!/bin/bash
+
+# Get all App Services across all resource groups
+echo "Retrieving all App Services..."
+app_services=$(az webapp list --query "[].{name:name,resourceGroup:resourceGroup}" -o json)
+echo $app_services
+exit 0;
+
+# Parse the JSON output and configure TLS for each app service
+echo $app_services | jq -c '.[]' | while read -r app; do
+ name=$(echo $app | jq -r '.name')
+ rg=$(echo $app | jq -r '.resourceGroup')
+
+ echo "Configuring TLS 1.3 for App Service: $name in Resource Group: $rg"
+
+ # Configure minimum TLS version to 1.3
+ az webapp config set \
+ --name $name \
+ --resource-group $rg \
+ --min-tls-version 1.3
+
+ # Disable older TLS/SSL protocols
+ az webapp config set \
+ --name $name \
+ --resource-group $rg \
+ --ftps-state Disabled \
+ --http20-enabled true
+
+ echo "Completed TLS configuration for $name"
+done
+
+echo "Configuration complete for all App Services"
From 7663cc092048ae52faf182882fc69ae748992c85 Mon Sep 17 00:00:00 2001
From: Guy Harwood
Date: Mon, 13 Jan 2025 14:08:55 +0000
Subject: [PATCH 2/3] target a resource group rather than subscription
---
deploy/app-service/set-tls-v1.3.sh | 41 ++++++++++++++++++++----------
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/deploy/app-service/set-tls-v1.3.sh b/deploy/app-service/set-tls-v1.3.sh
index d4fcb5b704..a3965a370e 100755
--- a/deploy/app-service/set-tls-v1.3.sh
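Review bot: `exit 0;` directly after `echo $app_services` ends the script before the `while read` loop, so in this revision the file only prints the app list and neither `az webapp config set` call ever runs, yet the exit status reports success. If the two lines are a debugging leftover they should be removed, or placed behind an explicit dry-run switch. Further down, the comment `# Disable older TLS/SSL protocols` sits above a call that only passes `--ftps-state Disabled` and `--http20-enabled true`; those turn off FTP/FTPS deployment and enable HTTP/2, while the protocol floor is set by the `--min-tls-version` call above it, so `# Turn off FTP/FTPS deployment and enable HTTP/2` would describe it accurately. The same comment is carried into the functions script added in patch 3/3.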
+++ b/deploy/app-service/set-tls-v1.3.sh @@ -1,35 +1,50 @@ #!/bin/bash set -e -#!/bin/bash - -# Get all App Services across all resource groups -echo "Retrieving all App Services..." -app_services=$(az webapp list --query "[].{name:name,resourceGroup:resourceGroup}" -o json) -echo $app_services -exit 0; +# Check if resource group parameter is provided +if [ $# -eq 0 ]; then + echo "Error: Resource group name is required" + echo "Usage: $0 " + exit 1 +fi + +RESOURCE_GROUP=$1 + +# Verify resource group exists +if ! az group show --name "$RESOURCE_GROUP" &>/dev/null; then + echo "Error: Resource group '$RESOURCE_GROUP' not found" + exit 1 +fi + +# Get all App Services in the specified resource group +echo "Retrieving App Services in resource group: $RESOURCE_GROUP..." +app_services=$(az webapp list --resource-group "$RESOURCE_GROUP" --query "[].{name:name,resourceGroup:resourceGroup}" -o json) + +if [ "$(echo $app_services | jq '. | length')" -eq 0 ]; then + echo "No App Services found in resource group: $RESOURCE_GROUP" + exit 0 +fi # Parse the JSON output and configure TLS for each app service echo $app_services | jq -c '.[]' | while read -r app; do name=$(echo $app | jq -r '.name') - rg=$(echo $app | jq -r '.resourceGroup') - echo "Configuring TLS 1.3 for App Service: $name in Resource Group: $rg" + echo "Configuring TLS 1.3 for App Service: $name" # Configure minimum TLS version to 1.3 az webapp config set \ --name $name \ - --resource-group $rg \ + --resource-group $RESOURCE_GROUP \ --min-tls-version 1.3 # Disable older TLS/SSL protocols az webapp config set \ --name $name \ - --resource-group $rg \ + --resource-group $RESOURCE_GROUP \ --ftps-state Disabled \ --http20-enabled true - echo "Completed TLS configuration for $name" + echo "Completed TLS configuration for $name" done -echo "Configuration complete for all App Services" +echo "Configuration complete for all App Services in resource group: $RESOURCE_GROUP" 
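Review bot: Both `az webapp config set` calls in the loop omit `--slot`, and as far as the CLI documents that means only the production slot is changed, so any deployment slot of an app in the group would keep its previous minimum TLS version and FTPS state. If slots are in use here, the loop should also walk `az webapp deployment slot list --name "$name" --resource-group "$RESOURCE_GROUP"` and repeat the two calls with `--slot`. In the added existence check, `&>/dev/null` discards stderr, so an expired login or a missing role assignment is reported as `Resource group ... not found`; redirecting only stdout (`>/dev/null`) keeps the real cause visible. `$RESOURCE_GROUP` is quoted in the check and in `az webapp list` but not on the changed `--resource-group $RESOURCE_GROUP \` lines, and quoting it there (and `$name`) would be consistent. The functions script in patch 3/3 appears to share all three points.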
From 41d83007f070b4d45c14d1e8dd3f0e868a4db9ef Mon Sep 17 00:00:00 2001
From: Guy Harwood
Date: Tue, 14 Jan 2025 16:39:01 +0000
Subject: [PATCH 3/3] scripts for functions and app service to set HTTP config
---
...ls-v1.3.sh => app-service-set-tls-v1.3.sh} | 0
deploy/functions/functions-set-tls-v1.3.sh | 50 +++++++++++++++++++
2 files changed, 50 insertions(+)
rename deploy/app-service/{set-tls-v1.3.sh => app-service-set-tls-v1.3.sh} (100%)
create mode 100755 deploy/functions/functions-set-tls-v1.3.sh
diff --git a/deploy/app-service/set-tls-v1.3.sh b/deploy/app-service/app-service-set-tls-v1.3.sh
similarity index 100%
rename from deploy/app-service/set-tls-v1.3.sh
rename to deploy/app-service/app-service-set-tls-v1.3.sh
diff --git a/deploy/functions/functions-set-tls-v1.3.sh b/deploy/functions/functions-set-tls-v1.3.sh
new file mode 100755
index 0000000000..3e2f2caa7f
--- /dev/null
+++ b/deploy/functions/functions-set-tls-v1.3.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+# Check if resource group parameter is provided
+if [ $# -eq 0 ]; then
+ echo "Error: Resource group name is required"
+ echo "Usage: $0 "
+ exit 1
+fi
+
+RESOURCE_GROUP=$1
+
+# Verify resource group exists
+if ! az group show --name "$RESOURCE_GROUP" &>/dev/null; then
+ echo "Error: Resource group '$RESOURCE_GROUP' not found"
+ exit 1
+fi
+
+# Get all Functions in the specified resource group
+echo "Retrieving Functions in resource group: $RESOURCE_GROUP..."
+app_services=$(az functionapp list --resource-group "$RESOURCE_GROUP" --query "[].{name:name,resourceGroup:resourceGroup}" -o json)
+
+if [ "$(echo $app_services | jq '. | length')" -eq 0 ]; then
+ echo "No Functions found in resource group: $RESOURCE_GROUP"
+ exit 0
+fi
+
+# Parse the JSON output and configure TLS for each function
+echo $app_services | jq -c '.[]' | while read -r app; do
+ name=$(echo $app | jq -r '.name')
+
+ echo "Configuring TLS 1.3 for Function: $name"
+
+ # Configure minimum TLS version to 1.3
+ az functionapp config set \
+ --name $name \
+ --resource-group $RESOURCE_GROUP \
+ --min-tls-version 1.3
+
+ # Disable older TLS/SSL protocols
+ az functionapp config set \
+ --name $name \
+ --resource-group $RESOURCE_GROUP \
+ --ftps-state Disabled \
+ --http20-enabled true
+
+ echo "Completed TLS configuration for $name"
+done
+
+echo "Configuration complete for all Functions in resource group: $RESOURCE_GROUP"
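Review bot: This file is a near line-for-line copy of the app-service script with `webapp` replaced by `functionapp`, down to the variable `app_services`, which here holds function apps. Two copies of a hardening script tend to drift, so a fix made in one (quoting, slot coverage, error reporting) is easily missed in the other; one script that takes the CLI group as a second argument, validated against `webapp` and `functionapp`, would avoid that. At minimum, rename the variable to `function_apps`. It would also help to read the value back after each update, for example `az functionapp config show --name "$name" --resource-group "$RESOURCE_GROUP" --query minTlsVersion -o tsv`, so a run leaves evidence of the resulting setting rather than only the `Completed TLS configuration` message.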