From 10d92b247aad568943cf10b34e63db187292b726 Mon Sep 17 00:00:00 2001 From: Ritika Patil <94649368+riragh@users.noreply.github.com> Date: Tue, 13 Jun 2023 11:09:48 -0500 Subject: [PATCH] docs: (IAC-1064) Document FIPS support (#321) --- docs/CONFIG-VARS.md | 17 +++++++++++++++++ variables.tf | 6 ++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index cfff666e..c6c0f2a6 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -9,6 +9,7 @@ Supported configuration variables are listed in the tables below. All variables - [Required Variables](#required-variables) - [Azure Authentication](#azure-authentication) - [Admin Access](#admin-access) + - [Security](#security) - [Networking](#networking) - [Use Existing](#use-existing) - [General](#general) @@ -77,6 +78,22 @@ You can use `default_public_access_cidrs` to set a default range for all created **NOTE:** In a SCIM environment, the AzureActiveDirectory service tag must be granted access to port 443/HTTPS for the Ingress IP address. +## Security + +The Federal Information Processing Standard (FIPS) 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) allows the creation of node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-fips-140-2). + +To enable the FIPS support in your subscription, you first need to accept the legal terms of the `Ubuntu Pro FIPS 20.04 LTS` image that will be used in the deployment. For details see [Ubuntu Pro FIPS 20.04 LTS](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips?tab=Overview). + +To accept the terms please run following az command before deploying cluster: + +```bash +az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-20_04-gen2:latest --subscription $subscription_id +``` + +| Name | Description | Type | Default | Notes | +| :--- | ---: | ---: | ---: | ---: | +| fips_enabled | Enables the Federal Information Processing Standard for all the nodes and VMs in this cluster | bool | false | Make sure to accept terms mentioned above before deploying. | + ## Networking | Name | Description | Type | Default | Notes | diff --git a/variables.tf b/variables.tf index 02b97028..a81a31bb 100644 --- a/variables.tf +++ b/variables.tf @@ -69,11 +69,9 @@ variable "aks_cluster_sku_tier" { } } -## Enable FIPS support - Experimental -## Before your subscription can be used to enable the FIPS support, you need to accept the legal terms of the image. To accept the terms please run following az command before deploying cluster: -### `az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-20_04-gen2:latest --subscription $subscription_id` +## Enable FIPS support variable "fips_enabled" { - description = "Enables the Federal Information Processing Standard for the nodes in this cluster's Node Pool. Changing this forces a new resource to be created." + description = "Enables the Federal Information Processing Standard for the nodes and VMs in this cluster. Changing this forces a new resource to be created." type = bool default = false }