Use Terraform and Azure DevOps to create and maintain your MTA-STS record configuration

MattWhite-personal/terraform-azure-mtasts

MTA-STS/TLS-RPT Azure code

This repo is inspired by the UK NCSC terraform-aws-mtasts module and deploys an MTA-STS and TLS-RPT policy for a domain in Microsoft Azure using Terraform.

The module requires the following core configuration to be in place already:

  • existing Azure Resource Group that will be used to deploy the configuration
  • DNS zone for the domain in scope to reside in the same resource group

The module then deploys the following additional resources:

  • Storage account to host the mta-sts policy file
  • Static website linked to the storage account
  • CDN Profile and endpoint to support hosting the custom mta-sts.domain.com record
  • DNS CNAME records in the existing dns zone for the CDN endpoint
  • DNS TXT records to setup TLS-RPT and MTA-STS policy entries

Limitations of current code

As discussed in the azurerm_cdn_endpoint_custom_domain provider documentation, it is not possible to enable HTTPS on the custom domain using Terraform; this needs to be enabled once, manually, after the initial deployment.

To work around this, a single Azure CLI command can be run to enable HTTPS on the custom domain (see the command under "How to use this Module"), substituting the resource group name.

How to use this Module

This module assumes that all the required resources listed above already exist within an accessible Azure subscription. Add the code block below to your existing Terraform configuration to deploy the module, and repeat it for each domain in scope.

module "mtastspolicy_tftest" {
  source          = "github.com/MattWhite-personal/terraform-azure-mtasts/terraform"
  resource_group  = "resource-group-name"
  DOMAIN          = "domainname.co.uk"
  MTASTSMODE      = "testing"
  MX              = ["mx1.domain.com","mx2.domain.com"]
  REPORTING_EMAIL = "tls-rpt"
}

After the initial deployment you can enable HTTPS for the custom domain on the CDN endpoint using the following Azure CLI command, substituting the relevant variables:

az cdn custom-domain enable-https -g <<resource_group>> --profile-name cdnmtasts --endpoint-name mtasts-endpoint -n cdncd-mtastsendpoint --min-tls-version 1.2
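Once the module has been applied, it is worth checking that what is actually published matches the inputs given to the module: the `_mta-sts` TXT record, the `_smtp._tls` TLS-RPT record and the policy file served from `https://mta-sts.<domain>/.well-known/mta-sts.txt`. The checker below is an added example, not code from this repo; it parses a policy body per RFC 8461 and compares it with the module's `MTASTSMODE` and `MX` values, and assumes (as this README's inputs suggest) that `REPORTING_EMAIL` is the local part of the `rua` address with the domain appended. The sample records are constructed, so it runs offline.

```python
import re

STS_TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")
TLSRPT_TXT_RE = re.compile(r"^v=TLSRPTv1;\s*rua=(.+?)\s*;?$")
MAX_AGE_LIMIT = 31557600  # RFC 8461 section 3.2 upper bound for max_age

def parse_policy(text):
    """Parse an mta-sts.txt body (RFC 8461 s3.2) into a dict; 'mx' is a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy

def check_deployment(domain, mode, mx, reporting_email, sts_txt, tlsrpt_txt, policy_text):
    """Return a list of findings; an empty list means records match the module inputs."""
    findings = []
    if not STS_TXT_RE.match(sts_txt):
        findings.append(f"_mta-sts.{domain} TXT is not of the form 'v=STSv1; id=<1-32 alnum>'")
    m = TLSRPT_TXT_RE.match(tlsrpt_txt)
    expected_rua = f"mailto:{reporting_email}@{domain}"  # assumption: module builds rua this way
    if not m or m.group(1) != expected_rua:
        findings.append(f"_smtp._tls.{domain} TXT rua is not {expected_rua}")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    if policy.get("mode") != mode:
        findings.append(f"policy mode is {policy.get('mode')!r}, module MTASTSMODE is {mode!r}")
    if sorted(policy["mx"]) != sorted(mx):
        findings.append(f"policy mx {policy['mx']} differs from module MX {mx}")
    try:
        if not 0 <= int(policy.get("max_age", "")) <= MAX_AGE_LIMIT:
            findings.append(f"max_age out of range (0..{MAX_AGE_LIMIT} seconds)")
    except ValueError:
        findings.append("max_age missing or not an integer")
    return findings

# Constructed sample of what the module should publish for the README's example inputs.
SAMPLE = dict(
    domain="domainname.co.uk", mode="testing",
    mx=["mx1.domain.com", "mx2.domain.com"], reporting_email="tls-rpt",
    sts_txt="v=STSv1; id=20240101T000000",
    tlsrpt_txt="v=TLSRPTv1; rua=mailto:tls-rpt@domainname.co.uk",
    policy_text="version: STSv1\nmode: testing\nmx: mx1.domain.com\nmx: mx2.domain.com\nmax_age: 604800\n",
)

if __name__ == "__main__":
    for line in check_deployment(**SAMPLE) or ["OK: published records match module inputs"]:
        print(line)
```

To check a live domain, replace the constructed `sts_txt`, `tlsrpt_txt` and `policy_text` values with the TXT records from `dig` and the policy body fetched over HTTPS.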

Issues that need further work

  • Review dependency on cname record when removing resources (open ✳️): Code deploys without issue, however when a module is removed the destroy fails because the mta-sts CNAME record linked to the CDN endpoint still exists. Workaround: manually delete the mta-sts CNAME record, then re-run terraform apply and the resources are cleaned up.
  • Integrate support for HTTPS (open ✳️):
    - [ ] review the logic for the azurerm terraform provider to complete this natively
    - [ ] add capability for the output of the module to share code for the end user to run it manually
