feat: add variable to set SSL listener policy (#150)

antonbabenko · web-flow · commit 742cabf2e6d0 · 2020-08-18T10:57:47.000+02:00
diff --git a/README.md b/README.md
@@ -186,6 +186,7 @@ allow_github_webhooks        = true
 | alb\_http\_security\_group\_tags | Additional tags to put on the http security group | `map(string)` | `{}` | no |
 | alb\_https\_security\_group\_tags | Additional tags to put on the https security group | `map(string)` | `{}` | no |
 | alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| alb\_listener\_ssl\_policy\_default | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html). | `string` | `"ELBSecurityPolicy-2016-08"` | no |
 | alb\_log\_bucket\_name | S3 bucket (externally created) for storing load balancer access logs. Required if alb\_logging\_enabled is true. | `string` | `""` | no |
 | alb\_log\_location\_prefix | S3 prefix within the log\_bucket\_name under which logs are stored. | `string` | `""` | no |
 | alb\_logging\_enabled | Controls if the ALB will log requests to S3. | `bool` | `false` | no |
diff --git a/examples/github-complete/README.md b/examples/github-complete/README.md
@@ -39,12 +39,12 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes |
 | allowed\_repo\_names | Repositories that Atlantis will listen for events from and a webhook will be installed | `list(string)` | n/a | yes |
 | domain | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance | `string` | n/a | yes |
 | github\_organization | Github organization | `string` | n/a | yes |
 | github\_token | Github token | `string` | n/a | yes |
 | github\_user | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes |
-| personal\_ip | Your current, personally ip to restrict access to Atlantis UI ending with `/32` for subnet | `string` | n/a | yes |
 | region | AWS region where resources will be created | `string` | `"us-east-1"` | no |
 
 ## Outputs
diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf
@@ -69,10 +69,11 @@ module "atlantis" {
   atlantis_allowed_repo_names = var.allowed_repo_names
 
   # ALB access
-  alb_ingress_cidr_blocks = [var.personal_ip]
-  alb_logging_enabled     = true
-  alb_log_bucket_name     = module.atlantis_access_log_bucket.this_s3_bucket_id
-  alb_log_location_prefix = "atlantis-alb"
+  alb_ingress_cidr_blocks         = var.alb_ingress_cidr_blocks
+  alb_logging_enabled             = true
+  alb_log_bucket_name             = module.atlantis_access_log_bucket.this_s3_bucket_id
+  alb_log_location_prefix         = "atlantis-alb"
+  alb_listener_ssl_policy_default = "ELBSecurityPolicy-TLS-1-2-2017-01"
 
   allow_unauthenticated_access = true
   allow_github_webhooks        = true
diff --git a/examples/github-complete/terraform.tfvars.sample b/examples/github-complete/terraform.tfvars.sample
@@ -1,6 +1,6 @@
 region = "eu-west-1"
 domain = "mydomain.com"
-personal_ip = "x.x.x.x/32"
+alb_ingress_cidr_blocks = ["x.x.x.x/32"]
 github_organization = "myorg"
 github_user = "atlantis"
 github_token = "mygithubpersonalaccesstokenforatlantis"
diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf
@@ -9,9 +9,9 @@ variable "domain" {
   type        = string
 }
 
-variable "personal_ip" {
-  description = "Your current, personally ip to restrict access to Atlantis UI ending with `/32` for subnet"
-  type        = string
+variable "alb_ingress_cidr_blocks" {
+  description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing"
+  type        = list(string)
 }
 
 variable "github_token" {
diff --git a/main.tf b/main.tf
@@ -198,6 +198,7 @@ module "alb" {
     prefix  = var.alb_log_location_prefix
   }
 
+  listener_ssl_policy_default = var.alb_listener_ssl_policy_default
   https_listeners = [
     {
       target_group_index   = 0
diff --git a/variables.tf b/variables.tf
@@ -150,6 +150,12 @@ variable "whitelist_unauthenticated_cidr_blocks" {
   default     = []
 }
 
+variable "alb_listener_ssl_policy_default" {
+  description = "The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)."
+  type        = string
+  default     = "ELBSecurityPolicy-2016-08"
+}
+
 # ACM
 variable "certificate_arn" {
   description = "ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS"

Original file line number	Diff line number	Diff line change
`@@ -9,9 +9,9 @@ variable "domain" {`
`9`	`9`	`type = string`
`10`	`10`	`}`
`11`	`11`
`12`		`-variable "personal_ip" {`
`13`		- description = "Your current, personally ip to restrict access to Atlantis UI ending with `/32` for subnet"
`14`		`- type = string`
	`12`	`+variable "alb_ingress_cidr_blocks" {`
	`13`	+ description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing"
	`14`	`+ type = list(string)`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`variable "github_token" {`
Original file line number	Diff line number	Diff line change
`@@ -198,6 +198,7 @@ module "alb" {`
`198`	`198`	`prefix = var.alb_log_location_prefix`
`199`	`199`	`}`
`200`	`200`
	`201`	`+ listener_ssl_policy_default = var.alb_listener_ssl_policy_default`
`201`	`202`	`https_listeners = [`
`202`	`203`	`{`
`203`	`204`	`target_group_index = 0`