
Remove TLS1.0/1.1 support #3914

@jonnyry

Description

Scanning the Azure TRE web portal shows TLS1.0 & 1.1 are enabled:


TLS 1.0 and 1.1 are generally considered insecure and should be removed from internet exposed web endpoints (managed by the App Gateway), leaving TLS 1.2 and above available.

App Gateway TLS config documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

By default, the TRE is using 20150501 and should move to at least 20220101

The Azure App Gateway does not specify a TLS policy version explicitly:

https://github.com/microsoft/AzureTRE/blob/main/core/terraform/appgateway/appgateway.tf

And so relies on the default:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

Defaults:

20150501 for Az API version < 2023-02-01
20220101 for Az API version >= 2023-02-01

Given Azure resources are created by terraform, we are reliant on the Azure API version used by the Terraform Azure Provider to determine the above default. Terraform does not easily reveal which API version it is using under the hood.

See Terraform Azure Provider ticket relating to this exact issue: hashicorp/terraform-provider-azurerm#23995 (comment)

Therefore, suggest we explicitly set the TLS policy version in Terraform, to prevent picking up the default.
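The change the issue proposes, as an added illustration rather than code from the AzureTRE repository: the `ssl_policy` block of the `azurerm_application_gateway` resource pins the predefined policy instead of inheriting whatever default the provider's API version selects. The resource and module names are placeholders; the real `appgateway.tf` carries many more blocks that are omitted here.

```hcl
# Before (as in the issue): no ssl_policy block, so the gateway gets the
# provider default, which is AppGwSslPolicy20150501 on older API versions
# and still allows TLS 1.0 and 1.1.
resource "azurerm_application_gateway" "appgw_before" {
  name                = "agw-tre-example"   # placeholder
  resource_group_name = "rg-tre-example"    # placeholder
  location            = "uksouth"           # placeholder
  # ... sku, gateway_ip_configuration, frontend, listeners, rules omitted
}

# After: TLS policy set explicitly, independent of the API version
# the Terraform Azure provider happens to use under the hood.
resource "azurerm_application_gateway" "appgw_after" {
  name                = "agw-tre-example"   # placeholder
  resource_group_name = "rg-tre-example"    # placeholder
  location            = "uksouth"           # placeholder
  # ... sku, gateway_ip_configuration, frontend, listeners, rules omitted

  ssl_policy {
    # Predefined policy 20220101 enforces a minimum of TLS 1.2 and a
    # modern cipher suite list; the "S" variant (AppGwSslPolicy20220101S)
    # is the stricter option if the backend clients support it.
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }
}
```

Once applied, `terraform plan` shows the `ssl_policy` attribute diff, which makes the chosen minimum TLS version reviewable in code rather than something discovered only by scanning the live endpoint.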
