Reputation: 61
Using Terraform, does anyone know how to set a predefined SSL Security Policy for an ELB, from within the aws_elastic_beanstalk_environment resource?
I've tried various permutations of parameters, branching out from something like the below, but have had no luck.
```
setting {
  name = "PolicyNames"
  namespace = "aws:elb:listener"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```
Can this be done using the setting syntax?
regards Michael
Upvotes: 6
Views: 1306
Reputation: 3256
I finally got an answer from AWS Premium Support:
```
option_settings:
  aws:elb:listener:
    PolicyNames: sslpolicy
  aws:elb:policies:sslpolicy:
    LoadBalancerPorts: 443
    SSLReferencePolicy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
```
Basically, `aws:elb:policies:policy_name` is not a valid namespace, which is why you get an error like "Updating load balancer named: awseb-e-6-AWSEBLoa-QXCM4ZPPQDJF failed Reason: Policy names must only contain alphanumeric characters or dashes" - `policy_name` needs to be replaced with a name of your choice (in my case `sslpolicy`) and then listed as a policy in the `aws:elb:listener` namespace. The `LoadBalancerPorts` entry is needed to make the new `SSLReferencePolicy` actually take effect.
Upvotes: 0
Reputation: 131
The following works for a classic ELB; `LoadBalancerPorts` also needs to be set to 443 for the predefined policy to take effect.
```
setting {
  namespace = "aws:elb:policies:sslpolicy"
  name = "SSLReferencePolicy"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
setting {
  namespace = "aws:elb:policies:sslpolicy"
  name = "LoadBalancerPorts"
  value = "443"
}
```
Upvotes: 13
Reputation: 13
This works:
```
setting {
  name = "SSLReferencePolicy"
  namespace = "aws:elb:policies:SSLReferencePolicy"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```
Upvotes: -1
Reputation: 45333
Try this:
```
setting {
  name = "SSLReferencePolicy"
  namespace = "aws:elb:policies:policy_name"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```
`SSLReferencePolicy`: The name of a predefined security policy that adheres to AWS security best practices and that you want to enable for a SSLNegotiationPolicyType policy that defines the ciphers and protocols that will be accepted by the load balancer. This policy can be associated only with HTTPS/SSL listeners.
Refer:
Upvotes: 1
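The two conditions the answers above rely on (a policy name made only of alphanumeric characters or dashes, per the quoted ELB error, and a `LoadBalancerPorts` entry alongside `SSLReferencePolicy`) can be checked before `terraform apply`. This is an added example, not code from any of the posts; the function name `lint_ssl_policy` and the sample inputs are constructed for illustration, and the regex parsing assumes flat `setting` blocks with quoted string values.

```python
import re

SETTING_RE = re.compile(r"setting\s*\{(.*?)\}", re.S)  # one `setting { ... }` block
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')         # key = "value" pairs in a block
POLICY_NS = "aws:elb:policies:"
# Naming rule quoted in the ELB error message cited in the thread.
VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def lint_ssl_policy(hcl):
    """Return a list of findings for aws:elb:policies:<policy> settings."""
    by_policy = {}
    for body in SETTING_RE.findall(hcl):
        s = dict(ATTR_RE.findall(body))
        ns = s.get("namespace", "")
        if ns.startswith(POLICY_NS):
            by_policy.setdefault(ns[len(POLICY_NS):], {})[s.get("name")] = s.get("value")
    findings = []
    for policy, opts in sorted(by_policy.items()):
        if not VALID_NAME.match(policy):
            findings.append(f"{policy}: name must be alphanumeric characters or dashes")
        if "SSLReferencePolicy" in opts and "LoadBalancerPorts" not in opts:
            findings.append(f"{policy}: SSLReferencePolicy set without LoadBalancerPorts")
    return findings

# Constructed sample inputs modelled on the snippets in this thread.
GOOD = '''
setting {
  namespace = "aws:elb:policies:sslpolicy"
  name = "SSLReferencePolicy"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
setting {
  namespace = "aws:elb:policies:sslpolicy"
  name = "LoadBalancerPorts"
  value = "443"
}
'''
BAD = '''
setting {
  name = "SSLReferencePolicy"
  namespace = "aws:elb:policies:policy_name"
  value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
'''

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_ssl_policy(text) or "ok")
```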