
My terraform code doesn't do what I expect when I try to set the cipher on the load balancer listener...

Rev1, if I don't set the cipher I can use namespace settings like this (several of them really) in the body of the aws_elastic_beanstalk_environment resource:

```hcl
setting {
  namespace = "aws:elb:listener:443"
  name      = "ListenerProtocol"
  value     = "HTTPS"
}
```

And that works as expected, but the listeners get the default cipher.

There isn't an option in that namespace for the cipher. There is one however in the aws:elbv2:listener:443 namespace

```hcl
setting {
  namespace = "aws:elbv2:listener:443"
  name      = "SSLPolicy"
  value     = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
```

But when I switch to using elbv2 the resulting Elastic Beanstalk app only has the default port 80 listener on HTTP. It's like my elbv2 namespace had no effect at all and it just fell back to the default.

Could be a bug in terraform I guess, but I am more inclined to believe I am doing something wrong. Anyone have any ideas?

Jack-of-some

  • `aws:elb:listener` is for classic load balancer. `aws:elbv2:listener` is for application load balancer. Can you verify that you are actually using ALB (not only using this option), rather than CLB? – Marcin Jul 17 '20 at 04:46
  • Dang, I totally am using a classic load balancer... I guess that explains why it doesn't work... Looking back at the docs I was referring to I now see that specific namespace says for application load balancers. I missed that :(. Any chance you know the right way to configure the cipher for the listener of a classic load balancer... – Jack-of-some Jul 17 '20 at 05:37
  • Sadly, it's not supported for CLB. Have to switch to ALB. By the way, if you don't mind I would like to provide an answer for future reference. – Marcin Jul 17 '20 at 05:41
  • Guess I will have to look into switching I guess. And go for it. Thanks for the help. – Jack-of-some Jul 17 '20 at 05:53
  • I was wrong about CLB not supporting it. Just double checked it, and I think you can set it up with different options. Sorry for the original mistake :-( – Marcin Jul 17 '20 at 06:10

1 Answer

Based on the comments.

The issue was that the aws:elbv2:listener namespace is only for the Application Load Balancer. However, the EB environment in use utilizes the Classic Load Balancer.

This explains why the option did not have the expected effect.

CLB supports SSL security policies:

The setting for CLB in EB is aws:elb:policies:policy_name, with options of SSLProtocols and SSLReferencePolicy.

How to use them is shown in the following SO answer.

Marcin

  • @Randell Glad to hear. Originally I got confused with changing health check HTTP codes, which is actually not supported in CLB. – Marcin Jul 17 '20 at 06:47
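As an added example (not code from the question or the answer above), here is a Terraform resource that applies the answer's `aws:elb:policies:policy_name` setting to a Classic Load Balancer environment. The policy name `tlshigh`, the application and environment names, the solution stack string and the certificate ARN are assumptions or placeholders; `LoadBalancerType`, `SSLCertificateId` and `LoadBalancerPorts` are standard Elastic Beanstalk options used here on the assumption that the CLB is the default for the environment.

```hcl
# Added example: not from the question or answer. Names marked as
# assumed/placeholder must be replaced with real values.
resource "aws_elastic_beanstalk_environment" "example" {
  name                = "example-env"              # assumed
  application         = "example-app"              # assumed to already exist
  solution_stack_name = "SOLUTION_STACK_PLACEHOLDER" # placeholder

  # Make the load balancer type explicit so the aws:elb:* namespaces apply.
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "LoadBalancerType"
    value     = "classic"
  }

  # HTTPS listener on 443 (the same namespace the question already uses),
  # terminating TLS at the CLB and forwarding plain HTTP to the instances.
  setting {
    namespace = "aws:elb:listener:443"
    name      = "ListenerProtocol"
    value     = "HTTPS"
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "InstancePort"
    value     = "80"
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "SSLCertificateId"
    value     = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER" # placeholder
  }

  # The cipher/protocol policy lives in aws:elb:policies:<policy_name>;
  # "tlshigh" is a constructed policy name. SSLReferencePolicy selects an
  # AWS predefined policy; SSLProtocols would instead take an explicit
  # protocol list (assumed form: "Protocol-TLSv1.2").
  setting {
    namespace = "aws:elb:policies:tlshigh"
    name      = "SSLReferencePolicy"
    value     = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
  # Bind the policy to the 443 listener port.
  setting {
    namespace = "aws:elb:policies:tlshigh"
    name      = "LoadBalancerPorts"
    value     = "443"
  }
}
```

After `terraform apply`, the CLB's 443 listener should report the chosen predefined policy rather than the default one when inspected in the EC2 load balancer console.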