5

Using terraform, does anyone know how to set a predefined SSL Security Policy for an ELB, from within the aws_elastic_beanstalk_environment resource?

I've tried various permutations of parameters, branching out from something like the below, but have had no luck.

```
setting {
    name = "PolicyNames"
    namespace = "aws:elb:listener"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```

Can this be done using the setting syntax?

regards Michael

3 Answers

12

The following works for a classic ELB; `LoadBalancerPorts` must also be set to 443 for the predefined policy to take effect.

```
setting {
  namespace = "aws:elb:policies:sslpolicy"
  name      = "SSLReferencePolicy"
  value     = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

setting {
  namespace = "aws:elb:policies:sslpolicy"
  name      = "LoadBalancerPorts"
  value     = "443"
}
```
HengJun
    This answer really should be marked as accepted. Changing the TLS policy requires both the SSLReferencePolicy and LoadBalancerPorts options. This is the answer that helped me. – Neybar Jun 21 '18 at 05:08
  • I got the error "Policy names must only contain alphanumeric characters or dashes." without the `LoadBalancerPorts` setting. The documentation for these options from AWS is unbelievably poor. – Josh Apr 20 '21 at 20:46
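For context, here is a complete `aws_elastic_beanstalk_environment` resource that combines the two accepted settings with the HTTPS listener they apply to. This is an added example, not code from any of the posters; the environment name, application name, solution stack variable and certificate ARN are placeholders, and `sslpolicy` is an arbitrary label filling the `policy_name` slot of the `aws:elb:policies:policy_name` namespace.

```hcl
resource "aws_elastic_beanstalk_environment" "web" {
  name                = "example-web-env"       # constructed example name
  application         = "example-web-app"       # assumed existing EB application
  solution_stack_name = var.solution_stack_name # assumed variable, supply your own

  # The aws:elb:* namespaces only apply to a classic load balancer.
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "LoadBalancerType"
    value     = "classic"
  }

  # HTTPS listener on 443 that terminates TLS at the ELB.
  setting {
    namespace = "aws:elb:listener:443"
    name      = "ListenerProtocol"
    value     = "HTTPS"
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "SSLCertificateId"
    value     = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER" # placeholder ARN
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "InstancePort"
    value     = "80"
  }

  # Turn off the default plaintext listener so only the TLS listener is reachable.
  setting {
    namespace = "aws:elb:listener:80"
    name      = "ListenerEnabled"
    value     = "false"
  }

  # Predefined TLS 1.2-only policy. Both options are required: without
  # LoadBalancerPorts the reference policy is never attached to the listener.
  setting {
    namespace = "aws:elb:policies:sslpolicy"
    name      = "SSLReferencePolicy"
    value     = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
  setting {
    namespace = "aws:elb:policies:sslpolicy"
    name      = "LoadBalancerPorts"
    value     = "443"
  }
}
```

After `terraform apply`, confirm the policy is actually attached with `aws elb describe-load-balancer-policies --load-balancer-name <elb-name>`; the listener should show a policy whose `ReferenceSecurityPolicy` attribute is `ELBSecurityPolicy-TLS-1-2-2017-01`.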
0

Try this:

```
setting {
    name = "SSLReferencePolicy"
    namespace = "aws:elb:policies:policy_name"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```

`SSLReferencePolicy`

The name of a predefined security policy that adheres to AWS security best practices and that you want to enable for an `SSLNegotiationPolicyType` policy that defines the ciphers and protocols that will be accepted by the load balancer. This policy can be associated only with HTTPS/SSL listeners.

Refer: `aws:elb:policies:policy_name`

BMW
  • Hi, thanks for that, but no luck there. I get this error message: "Reason: Policy names must only contain alphanumeric characters or dashes." Regards, Michael – Michael Andrewes Aug 03 '17 at 01:01
  • So that's something else. At least the message you provided proves this `aws:elb:policies:policy_name` works. Can you check whether you can replace it with a simpler policy name? – BMW Aug 03 '17 at 04:54
  • Hey, yep, I did give that a crack right away. I receive the same error regardless of the "value" of the name, i.e. whether it is a valid value with dashes or simply an invalid value with only text, the result is the same: – Michael Andrewes Aug 10 '17 at 03:30
  • `setting { name = "SSLReferencePolicy" namespace = "aws:elb:policies:policy_name" value = "ELBSecurityPolicyWithNoPunctuation" }` still gives `* 2017-08-10 03:29:20.656 +0000 UTC (e-6pscazhkrg) : Updating load balancer named: awseb-e-6-AWSEBLoa-QXCM4ZPPQDJF failed Reason: Policy names must only contain alphanumeric characters or dashes. * 2017-08-10 03:29:20.927 +0000 UTC (e-6pscazhkrg) : Failed to deploy configuration.` – Michael Andrewes Aug 10 '17 at 03:31
-1

This works:

```
setting {
    name = "SSLReferencePolicy"
    namespace = "aws:elb:policies:SSLReferencePolicy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```