Update ALB listener policy
The security policy for your ALB listener should follow the recommendation from AWS.
Affected versions
All listener security policies other than the recommended version, ELBSecurityPolicy-TLS13-1-2-2021-06.
How do I know what version I am using?
See step #1 below
Related issues
The default ALB listener was updated in #865.
Step 1: Find all policies
In your IaC repository run the following command:
Or, to identify your current listeners, look at how the policy is configured in your Terraform code:
- If you use the `aws_lb_listener` Terraform resource, the SSL policy is set with
  `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`
- If you use the `terraform-aws-modules/alb/aws` module, the SSL policy is set with
  `listener_ssl_policy_default = "ELBSecurityPolicy-TLS13-1-2-2021-06"`
Step 2: Update policies
Update all your policies to `ELBSecurityPolicy-TLS13-1-2-2021-06`, or to whatever AWS currently recommends. AWS maintains a list of all supported policies and the recommended version to use; check it rather than hardcoding the name from this page.
Step 3: Apply the changes
Run `terraform plan`; you should see exactly one in-place change per listener, and nothing to add or destroy:
# module.alb_public.aws_lb_listener.frontend_https[0] will be updated in-place
~ resource "aws_lb_listener" "frontend_https" {
id = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:listener/app/your-app/2a6a828c9853ecb7/23492ae5804a36e9"
~ ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" -> "ELBSecurityPolicy-TLS13-1-2-2021-06"
tags = {
"CreatedBy" = "ok-golden-path"
"Environment" = "environment-dev"
"Team" = "myteam"
}
}
Plan: 0 to add, 1 to change, 0 to destroy.
The update does not require downtime: Terraform modifies the existing listener in place (ModifyListener), so no listener or load balancer is recreated. Before applying, check which clients the change affects. ELBSecurityPolicy-TLS13-1-2-2021-06 accepts TLS 1.2 and TLS 1.3 only; coming from ELBSecurityPolicy-TLS-1-2-2017-01 (as in the plan above) this only adds TLS 1.3, but coming from an older policy that still allowed TLS 1.0 or 1.1 (for example ELBSecurityPolicy-2016-08) clients limited to those versions will no longer be able to connect. The `ssl_protocol` field in the ALB access logs shows whether any such clients are still present.
Commit and push the changes, then repeat for each environment.
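As an added example (not code from this page or from the golden-path repository), the POSIX shell script below automates Steps 1 and 2 for a whole Terraform repository: it finds every `ssl_policy` and `listener_ssl_policy_default` value that differs from the recommended policy, rewrites the literal ones, and re-checks. Values that are not string literals (such as `var.ssl_policy`) cannot be judged from the text and are reported for manual review. The `.tf` files it writes into a temporary directory are constructed for the demo; `list_live_listener_policies` uses the real `aws elbv2 describe-load-balancers` and `aws elbv2 describe-listeners` commands to compare against what is actually deployed, needs AWS credentials, and is therefore not called by the demo. After the rewrite, run `terraform plan` as in Step 3.

```shell
#!/bin/sh
# Added example (not part of the original page or its IaC repository): find, fix
# and re-check ALB listener SSL policies in a Terraform repository. Covers the
# aws_lb_listener resource (ssl_policy) and the terraform-aws-modules/alb/aws
# module (listener_ssl_policy_default). Paths and resource names are made up.

RECOMMENDED="ELBSecurityPolicy-TLS13-1-2-2021-06"
ATTRS='(ssl_policy|listener_ssl_policy_default)'

# Step 1: print "file:line: policy" for every listener policy under $1 that is
# not RECOMMENDED. Non-literal values (e.g. var.ssl_policy) are flagged for review.
find_noncompliant_ssl_policies() {
    grep -rnE --include='*.tf' "^[[:space:]]*${ATTRS}[[:space:]]*=" "$1" 2>/dev/null |
    awk -F'"' -v want="$RECOMMENDED" '{
        policy = ($2 == "") ? "<non-literal expression, review manually>" : $2
        if (policy != want) { split($1, loc, ":"); print loc[1] ":" loc[2] ": " policy }
    }'
}

count_noncompliant() {
    find_noncompliant_ssl_policies "$1" | wc -l | tr -d ' '
}

# Step 2: rewrite every *literal* policy value under $1 to RECOMMENDED.
# Goes through a temp file so it works with both GNU and BSD sed.
update_ssl_policies() {
    grep -rlE --include='*.tf' "^[[:space:]]*${ATTRS}[[:space:]]*=[[:space:]]*\"" "$1" 2>/dev/null |
    while IFS= read -r f; do
        sed -E "s/^([[:space:]]*${ATTRS}[[:space:]]*=[[:space:]]*)\"[^\"]*\"/\\1\"${RECOMMENDED}\"/" "$f" > "$f.tmp" &&
        mv "$f.tmp" "$f"
    done
}

# Cross-check what is deployed (needs AWS credentials; not called offline).
list_live_listener_policies() {
    for lb in $(aws elbv2 describe-load-balancers --query 'LoadBalancers[].LoadBalancerArn' --output text); do
        aws elbv2 describe-listeners --load-balancer-arn "$lb" \
            --query "Listeners[?Protocol=='HTTPS'].[ListenerArn,SslPolicy]" --output text
    done
}

# Constructed sample repository (abbreviated resources): an old TLS-1.2-only
# policy, a variable-driven policy, an already compliant module, and a legacy
# policy that still allows TLS 1.0/1.1.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/alb" "$d/envs/dev"
    cat > "$d/modules/alb/main.tf" <<'EOF'
resource "aws_lb_listener" "frontend_https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = var.certificate_arn
}

resource "aws_lb_listener" "internal_https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 8443
  protocol          = "HTTPS"
  ssl_policy        = var.ssl_policy
  certificate_arn   = var.certificate_arn
}
EOF
    cat > "$d/envs/dev/alb.tf" <<'EOF'
module "alb_public" {
  source                      = "terraform-aws-modules/alb/aws"
  listener_ssl_policy_default = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}

resource "aws_lb_listener" "legacy_https" {
  load_balancer_arn = aws_lb.legacy.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = var.certificate_arn
}
EOF
    printf '%s\n' "$d"
}

REPO=$(make_sample_repo)
echo "== non-compliant before update =="
find_noncompliant_ssl_policies "$REPO"   # 3 hits: 2017-01, var.ssl_policy, 2016-08
update_ssl_policies "$REPO"
echo "== remaining after update (manual review) =="
find_noncompliant_ssl_policies "$REPO"   # 1 hit: the var.ssl_policy listener
rm -rf "$REPO"
```

Point `find_noncompliant_ssl_policies` at your real repository root to get the list for Step 1, and diff the output of `list_live_listener_policies` against it to catch listeners that were changed outside Terraform.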