Allow custom SSL policy for the Load Balancer Controller

Some servers may have more strict requirements for their TLS listeners. The `ELBSecurityPolicy-2016-08` policy is the default security policy for TLS listeners created using the AWS CLI. This change allows a customization on the Load Balancer Controller to specify a different security policy. [Reference](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html).
thoughtbot · Jul 18, 2024 · d2ef866 · d2ef866
1 parent 8e29883
commit d2ef866
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/aws/platform/main.tf b/aws/platform/main.tf
@@ -69,14 +69,15 @@ module "common_platform" {
 module "aws_load_balancer_controller" {
   source = "./modules/load-balancer-controller"
 
-  aws_namespace     = [module.cluster_name.full]
-  aws_tags          = var.aws_tags
-  chart_values      = var.aws_load_balancer_controller_values
-  chart_version     = var.aws_load_balancer_controller_version
-  cluster_full_name = module.cluster_name.full
-  k8s_namespace     = var.k8s_namespace
-  oidc_issuer       = data.aws_ssm_parameter.oidc_issuer.value
-  vpc_cidr_block    = module.network.vpc.cidr_block
+  aws_namespace      = [module.cluster_name.full]
+  aws_tags           = var.aws_tags
+  chart_values       = var.aws_load_balancer_controller_values
+  chart_version      = var.aws_load_balancer_controller_version
+  cluster_full_name  = module.cluster_name.full
+  default_ssl_policy = var.default_ssl_policy
+  k8s_namespace      = var.k8s_namespace
+  oidc_issuer        = data.aws_ssm_parameter.oidc_issuer.value
+  vpc_cidr_block     = module.network.vpc.cidr_block
 
   depends_on = [module.common_platform]
 }

diff --git a/aws/platform/modules/load-balancer-controller/main.tf b/aws/platform/modules/load-balancer-controller/main.tf
@@ -90,6 +90,8 @@ locals {
           "eks.amazonaws.com/role-arn" = module.service_account_role.arn
         }
       }
+
+      defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-TLS13-1-2-2021-06")
     })
   ]
 }
diff --git a/aws/platform/modules/load-balancer-controller/variables.tf b/aws/platform/modules/load-balancer-controller/variables.tf
@@ -66,3 +66,9 @@ variable "vpc_cidr_block" {
   type        = string
   description = "CIDR block for the AWS VPC in which the load balancer runs"
 }
+
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
diff --git a/aws/platform/variables.tf b/aws/platform/variables.tf
@@ -74,6 +74,12 @@ variable "custom_roles" {
   default     = {}
 }
 
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
+
 variable "domain_names" {
   type        = list(string)
   default     = []
-Original file line number
+Diff line change
@@ Expand Up / @@ -90,6 +90,8 @@ locals { @@
               "eks.amazonaws.com/role-arn" = module.service_account_role.arn
             }
           }
+          defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-TLS13-1-2-2021-06")
         })
       ]
     }