Allow custom SSL policy for the Load Balancer Controller

clarissalimab · clarissalimab · commit a63ff82b34c5 · 2024-07-18T18:13:54.000-03:00
Some servers may have more strict requirements for their TLS listeners. The `ELBSecurityPolicy-2016-08` policy is the default security policy for TLS listeners created using the AWS CLI. This change allows a customization on the Load Balancer Controller to specify a different security policy. [Reference](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html).
diff --git a/aws/platform/main.tf b/aws/platform/main.tf
@@ -69,14 +69,15 @@ module "common_platform" {
 module "aws_load_balancer_controller" {
   source = "./modules/load-balancer-controller"
 
-  aws_namespace     = [module.cluster_name.full]
-  aws_tags          = var.aws_tags
-  chart_values      = var.aws_load_balancer_controller_values
-  chart_version     = var.aws_load_balancer_controller_version
-  cluster_full_name = module.cluster_name.full
-  k8s_namespace     = var.k8s_namespace
-  oidc_issuer       = data.aws_ssm_parameter.oidc_issuer.value
-  vpc_cidr_block    = module.network.vpc.cidr_block
+  aws_namespace      = [module.cluster_name.full]
+  aws_tags           = var.aws_tags
+  chart_values       = var.aws_load_balancer_controller_values
+  chart_version      = var.aws_load_balancer_controller_version
+  cluster_full_name  = module.cluster_name.full
+  default_ssl_policy = var.default_ssl_policy
+  k8s_namespace      = var.k8s_namespace
+  oidc_issuer        = data.aws_ssm_parameter.oidc_issuer.value
+  vpc_cidr_block     = module.network.vpc.cidr_block
 
   depends_on = [module.common_platform]
 }
diff --git a/aws/platform/modules/load-balancer-controller/main.tf b/aws/platform/modules/load-balancer-controller/main.tf
@@ -90,6 +90,8 @@ locals {
           "eks.amazonaws.com/role-arn" = module.service_account_role.arn
         }
       }
+
+      defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-2016-08")
     })
   ]
 }
diff --git a/aws/platform/modules/load-balancer-controller/variables.tf b/aws/platform/modules/load-balancer-controller/variables.tf
@@ -66,3 +66,9 @@ variable "vpc_cidr_block" {
   type        = string
   description = "CIDR block for the AWS VPC in which the load balancer runs"
 }
+
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
diff --git a/aws/platform/variables.tf b/aws/platform/variables.tf
@@ -74,6 +74,12 @@ variable "custom_roles" {
   default     = {}
 }
 
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
+
 variable "domain_names" {
   type        = list(string)
   default     = []

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,8 @@ locals {`
`90`	`90`	`"eks.amazonaws.com/role-arn" = module.service_account_role.arn`
`91`	`91`	`}`
`92`	`92`	`}`
	`93`	`+`
	`94`	`+ defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-2016-08")`
`93`	`95`	`})`
`94`	`96`	`]`
`95`	`97`	`}`