
Update ALB listener policy

The security policy for your ALB listener should follow the recommendation from AWS.

Affected versions

Any HTTPS listener whose security policy is not the recommended ELBSecurityPolicy-TLS13-1-2-2021-06.

How do I know what version I am using?

See step 1 below.

The default ALB listener was updated in #865.

Step 1: Find all policies

In your IaC repository run the following command:

git grep ELBSecurityPolicy

Or, to identify your current listeners:

  • If you use the aws_lb_listener Terraform resource:

    git grep aws_lb_listener
    

    The policy is set by the ssl_policy argument, for example ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  • If you use the terraform-aws-modules/alb/aws module:

    git grep listener_ssl_policy_default
    

    The policy is set by the module input listener_ssl_policy_default, for example listener_ssl_policy_default = "ELBSecurityPolicy-TLS13-1-2-2021-06"

Step 2: Update policies

Update all your policies to ELBSecurityPolicy-TLS13-1-2-2021-06, or the latest recommended version.

AWS maintains a list of all supported policies, with the protocols and cipher suites each one enables, and marks the recommended version. You can also list them from the CLI with aws elbv2 describe-ssl-policies (add --names ELBSecurityPolicy-TLS13-1-2-2021-06 to inspect a single policy).

Step 3: Apply the changes

Run terraform plan; you should see exactly one in-place change per HTTPS listener, for example:

# module.alb_public.aws_lb_listener.frontend_https[0] will be updated in-place
~ resource "aws_lb_listener" "frontend_https" {
    id                = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:listener/app/your-app/2a6a828c9853ecb7/23492ae5804a36e9"
  ~ ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01" -> "ELBSecurityPolicy-TLS13-1-2-2021-06"
    tags              = {
        "CreatedBy"   = "ok-golden-path"
        "Environment" = "environment-dev"
        "Team"        = "myteam"
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.

The update does not require downtime: Terraform changes ssl_policy on the existing listener in place, so nothing is recreated and the listener keeps its ARN.

It does change what clients are allowed to negotiate, though. ELBSecurityPolicy-TLS13-1-2-2021-06 accepts TLS 1.3 and TLS 1.2 only, and only forward-secret (ECDHE) cipher suites; older policies such as the former default ELBSecurityPolicy-2016-08 still allow TLS 1.0 and 1.1 and RSA key exchange. If you are moving from one of those, check the ssl_protocol and ssl_cipher fields of your ALB access logs first so you know whether any client still depends on them. After the apply, confirm the new behaviour with openssl s_client -connect <hostname>:443 -tls1_3.

Commit and push the changes, then repeat for each environment.
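The three steps above as one script, as an added example that is not part of this guide or of the golden-path modules. It audits an IaC checkout the same way git grep ELBSecurityPolicy does, reports every policy that is not the recommended one, and optionally rewrites the two direct assignments the guide mentions (ssl_policy and listener_ssl_policy_default). The script name alb_policy_audit.sh and the --fix flag are this example's own inventions; the sample Terraform in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a Terraform checkout
# for ALB listener security policies and rewrite the ones that are not the
# recommended policy. Assumes policies appear either as the aws_lb_listener
# argument `ssl_policy` or the terraform-aws-modules/alb/aws input
# `listener_ssl_policy_default`; both names come from the guide above.
set -eu

RECOMMENDED="ELBSecurityPolicy-TLS13-1-2-2021-06"

# List every policy name referenced under directory $1 as "file:line:policy".
# This casts the same net as `git grep ELBSecurityPolicy`, so it also catches
# values hidden in variable defaults, locals and tfvars files.
list_policies() {
  grep -rnoE 'ELBSecurityPolicy-[A-Za-z0-9-]+' \
    --include='*.tf' --include='*.tfvars' "$1" 2>/dev/null || true
}

# Same as list_policies, but keeps only entries that differ from $RECOMMENDED.
find_noncompliant() {
  list_policies "$1" | awk -F: -v rec="$RECOMMENDED" '$NF != rec'
}

# Exit status 0 when no non-recommended policy is referenced under $1.
is_compliant() {
  [ -z "$(find_noncompliant "$1")" ]
}

# Rewrite direct `ssl_policy = "..."` and `listener_ssl_policy_default = "..."`
# assignments under $1 to $RECOMMENDED. A policy that reaches the listener
# through a variable or local is deliberately left alone: find_noncompliant
# still reports it and it needs a manual edit (a constructed
# `variable "alb_ssl_policy" { default = "ELBSecurityPolicy-2016-08" }`
# is the case to watch for).
upgrade_policies() {
  grep -rlE '(ssl_policy|listener_ssl_policy_default)[[:space:]]*=' \
    --include='*.tf' --include='*.tfvars' "$1" 2>/dev/null |
  while IFS= read -r f; do
    sed -i.bak -E \
      "s/((ssl_policy|listener_ssl_policy_default)[[:space:]]*=[[:space:]]*)\"[^\"]+\"/\1\"$RECOMMENDED\"/" \
      "$f"
    rm -f "$f.bak"
  done
}

# Usage: ./alb_policy_audit.sh <iac-dir> [--fix]
main() {
  dir="$1"
  if [ "${2:-}" = "--fix" ]; then
    upgrade_policies "$dir"
  fi
  if is_compliant "$dir"; then
    echo "all referenced policies are $RECOMMENDED"
  else
    echo "non-recommended policies still referenced:" >&2
    find_noncompliant "$dir" >&2
    return 1
  fi
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it once without --fix to see what the repository references, then with --fix and review the resulting diff before running terraform plan. Anything still listed afterwards comes from a variable or local and has to be changed by hand. To compare the checkout against what is actually deployed, aws elbv2 describe-listeners --load-balancer-arn <arn> --query 'Listeners[?Protocol==`HTTPS`].[ListenerArn,SslPolicy]' --output table prints the live policy of each HTTPS listener.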