Terraform aws_lb_ssl_negotiation_policy using AWS Predefined SSL Security Policies

Tags:

terraform

According to: https://www.terraform.io/docs/providers/aws/r/lb_ssl_negotiation_policy.html

You can create a new resource in order to have an ELB SSL Policy so you can customize any Protocol and Ciphers you want. However, I am looking to use Predefined Security Policies set by Amazon, such as TLS-1-1-2017-01 or TLS-1-2-2017-01.

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

Is there a way to use predefined policies instead of setting a new custom policy?

jd.irausquin asked Mar 08 '23 01:03


1 Answer

Looking to solve the same problem, I came across this snippet here: https://github.com/terraform-providers/terraform-provider-aws/issues/822#issuecomment-311448488

Basically, you need to create two resources: the aws_load_balancer_policy and the aws_load_balancer_listener_policy. In the aws_load_balancer_policy you set the policy_attribute to reference the Predefined Security Policy, and then set your listener policy to reference that aws_load_balancer_policy.

I've added a Pull Request to the terraform AWS docs to make this more explicit here, but here's an example snippet:

# SSL negotiation policy that points at one of Amazon's predefined
# security policies instead of listing protocols and ciphers by hand.
resource "aws_load_balancer_policy" "listener_policy-tls-1-1" {
  load_balancer_name = "${aws_elb.elb.name}"
  policy_name        = "elb-tls-1-1"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Reference-Security-Policy selects the predefined policy by name.
  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-1-2017-01"
  }
}

# Attach the policy above to the HTTPS listener on port 443.
resource "aws_load_balancer_listener_policy" "ssl_policy" {
  load_balancer_name = "${aws_elb.elb.name}"
  load_balancer_port = 443

  policy_names = [
    "${aws_load_balancer_policy.listener_policy-tls-1-1.policy_name}",
  ]
}

At first glance it appears that this is creating a custom policy that is based off of the predefined security policy, but when you look at what's created in the AWS console you'll see that it's actually just selected the appropriate Predefined Security Policy.

[image: ELB Security Policy Selection]

Kirkland answered Apr 09 '23 07:04
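An added check, not part of the answer above, that confirms what the Terraform actually put in force: given the dicts returned by boto3's elb.describe_load_balancers() and elb.describe_load_balancer_policies(), it resolves the Reference-Security-Policy attached to the port 443 listener and tests it against the two predefined policies the question asks for. The sample responses are constructed to mirror the snippet in the answer; the accepted-policy set and function names are my own.

```python
# Added example: verify which predefined ELB security policy is really
# applied to a Classic ELB's HTTPS listener. Input dicts have the shape of
# boto3 describe_load_balancers / describe_load_balancer_policies output.

# Predefined policies the question wants in use (assumption: your baseline).
ACCEPTABLE_POLICIES = {
    "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
}

# Constructed sample: what the two Terraform resources produce on the ELB.
SAMPLE_LB = {
    "LoadBalancerName": "elb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80},
         "PolicyNames": ["elb-tls-1-1"]},
    ],
}
SAMPLE_POLICIES = {
    "PolicyDescriptions": [
        {"PolicyName": "elb-tls-1-1",
         "PolicyTypeName": "SSLNegotiationPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "Reference-Security-Policy",
              "AttributeValue": "ELBSecurityPolicy-TLS-1-1-2017-01"},
             {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         ]},
    ],
}


def reference_policy(lb, policies, port=443):
    """Return the Reference-Security-Policy applied to `port`, or None."""
    by_name = {p["PolicyName"]: p for p in policies["PolicyDescriptions"]}
    for ld in lb["ListenerDescriptions"]:
        if ld["Listener"]["LoadBalancerPort"] != port:
            continue
        for name in ld["PolicyNames"]:
            pol = by_name.get(name)
            if not pol or pol["PolicyTypeName"] != "SSLNegotiationPolicyType":
                continue
            for attr in pol["PolicyAttributeDescriptions"]:
                if attr["AttributeName"] == "Reference-Security-Policy":
                    return attr["AttributeValue"]
    return None  # no SSL negotiation policy bound to that listener


def listener_is_compliant(lb, policies, port=443):
    """True only if the listener uses one of the accepted predefined policies."""
    return reference_policy(lb, policies, port) in ACCEPTABLE_POLICIES
```

A listener with no SSLNegotiationPolicyType policy, or one whose reference points at a policy outside the accepted set, is reported as non-compliant rather than silently passing.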