Login/Register
terraform aws_elastic_beanstalk_environment SSL PolicyNames
Asked Answered
amazon-elastic-beanstalkterraformsetting
F

4

6

Using terraform, does anyone know how to set a predefined SSL Security Policy for an ELB, from within the aws_elastic_beanstalk_environment resource?

I've tried various permutations of parameters, branching out from something like the below, but have had no luck. ```

setting {
    name = "PolicyNames"
    namespace = "aws:elb:listener"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

```

Can this be done using the setting syntax?

regards Michael

Fibre answered 1/8, 2017 at 1:43 Comment(0)
G
13

Following works for classic ELB, LoadBalancerPorts is also required to set to 443 for the predefined policy to take effect.

setting {
  namespace = "aws:elb:policies:sslpolicy"
  name      = "SSLReferencePolicy"
  value     = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

setting {
  namespace = "aws:elb:policies:sslpolicy"
  name      = "LoadBalancerPorts"
  value     = "443"
}
Gauntlet answered 13/5, 2018 at 6:31 Comment(2)
This answer really should be marked as accepted. Changing the TLS policy requires both the SSLReferencePolicy and LoadBalancerPorts options. This is the answer that helped me.Perigordian
I got the error "Policy names must only contain alphanumeric characters or dashes." without the LoadBalancerPorts setting. The documentation for these options from AWS is unbelievably poor.Chita
M
1

Try this:

setting {
    name = "SSLReferencePolicy"
    namespace = "aws:elb:policies:policy_name"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

SSLReferencePolicy

The name of a predefined security policy that adheres to AWS security best practices and that you want to enable for a SSLNegotiationPolicyType policy that defines the ciphers and protocols that will be accepted by the load balancer. This policy can be associated only with HTTPS/SSL listeners.

Refer:

aws:elb:policies:policy_name

Mcclellan answered 1/8, 2017 at 12:19 Comment(4)
Hi, Thanks for that - but no luck there. I get this error message. Reason: Policy names must only contain alphanumeric characters or dashes. Regards MichaelFibre
So that's something else. At least the message you provide proved this aws:elb:policies:policy_name works. Can you check if you can replace with simpler policy name?Mcclellan
Hey - yep I did give that a crack right away. I receive the same error regardless of the "value" of the name. IE if it is a valid value, with dashes, or simply an invalid valid with only text, the result is the same. IEFibre
setting { name = "SSLReferencePolicy" namespace = "aws:elb:policies:policy_name" value = "ELBSecurityPolicyWithNoPunctuation" } still gives * 2017-08-10 03:29:20.656 +0000 UTC (e-6pscazhkrg) : Updating load balancer named: awseb-e-6-AWSEBLoa-QXCM4ZPPQDJF failed Reason: Policy names must only contain alphanumeric characters or dashes. * 2017-08-10 03:29:20.927 +0000 UTC (e-6pscazhkrg) : Failed to deploy configuration.Fibre
C
0

I finally got an answer from AWS Premium Support:

option_settings:
  aws:elb:listener:
    PolicyNames: sslpolicy
  aws:elb:policies:sslpolicy:
    LoadBalancerPorts: 443
    SSLReferencePolicy: 'ELBSecurityPolicy-TLS-1-2-2017-01'

Basically, aws:elb:policies:policy_name is not a valid namespace, which is why you get an error like "Updating load balancer named: awseb-e-6-AWSEBLoa-QXCM4ZPPQDJF failed Reason: Policy names must only contain alphanumeric characters or dashes" - policy_name needs to replaced with a name of your choice (in my case sslpolicy) and then listed as a policy in the aws:elb:listener namespace. The LoadBalancerPorts entry is needed to make the new SSLReferencePolicy actually take effect.

Caw answered 7/12, 2023 at 6:15 Comment(0)
B
-1

This works:

setting {
    name = "SSLReferencePolicy"
    namespace = "aws:elb:policies:SSLReferencePolicy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
Barthold answered 11/12, 2017 at 12:46 Comment(1)
Adding some explanation to why it works will help more then just saying it works.Carbajal

© 2022 - 2024 — McMap. All rights reserved.