_This issue was originally opened by @holtwilkins as hashicorp/terraform#15013. It was migrated here as part of the provider split. The original body of the issue is below._
Terraform version: 0.9.6
```hcl
variable "elb_security_policy" {
  default = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

resource "aws_elb" "vault_server" {
  # ...
}

resource "aws_load_balancer_listener_policy" "vault_server_listener_policies" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  load_balancer_port = 443

  policy_names = [
    "${var.elb_security_policy}",
  ]
}
```
Output of `aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyTypeName=='SSLNegotiationPolicyType'].{PolicyName:PolicyName}" --output table`, showing the exact spelling:

```text
-----------------------------------------------
|          DescribeLoadBalancerPolicies       |
+---------------------------------------------+
|                 PolicyName                  |
+---------------------------------------------+
|  ELBSecurityPolicy-2016-08                  |
|  ELBSecurityPolicy-TLS-1-2-2017-01          |
|  ELBSecurityPolicy-TLS-1-1-2017-01          |
|  ELBSecurityPolicy-2015-05                  |
|  ELBSecurityPolicy-2015-03                  |
|  ELBSecurityPolicy-2015-02                  |
|  ELBSecurityPolicy-2014-10                  |
|  ELBSecurityPolicy-2014-01                  |
|  ELBSecurityPolicy-2011-08                  |
|  ELBSample-ELBDefaultNegotiationPolicy      |
|  ELBSample-OpenSSLDefaultNegotiationPolicy  |
+---------------------------------------------+
```
Plan output:

```text
+ module.hashistack.aws_load_balancer_listener_policy.vault_server_listener_policies
    load_balancer_name:       "hashi-use1-stag-vault"
    load_balancer_port:       "443"
    policy_names.#:           "1"
    policy_names.862661652:   "ELBSecurityPolicy-TLS-1-2-2017-01"
```

Apply error:

```text
* aws_load_balancer_listener_policy.vault_server_listener_policies: Error setting LoadBalancerPoliciesOfListener: PolicyNotFound: There is no policy with name ELBSecurityPolicy-TLS-1-2-2017-01 for load balancer <LB Name>
	status code: 400, request id: 73071667-4766-11e7-9237-915b3e1ad455
* module.hashistack.aws_load_balancer_listener_policy.nomad_server_listener_policies: 1 error(s) occurred:
```
It looks like someone found this on the mailing group: https://groups.google.com/forum/#!topic/terraform-tool/Kzx-leoJMuU, but as there's no resolution there and I couldn't find one elsewhere, I decided to open an issue to track it / see if I'm just doing something wrong?
+1 as the default AWS policy for ELB (2016-08) is vulnerable to the SWEET32 Birthday attack.
I think that you need to also have an `aws_load_balancer_policy` resource. So your example would look like this:

```hcl
variable "elb_security_policy" {
  default = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

resource "aws_elb" "vault_server" {
  # ...

  listener {
    lb_port = "443"
    # ...
  }
}

resource "aws_load_balancer_policy" "vault_server_listener_policy-tls-1-2" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  policy_name        = "my-tls-1-2"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "${var.elb_security_policy}"
  }
}

resource "aws_load_balancer_listener_policy" "vault_server_listener_policies" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  load_balancer_port = 443

  policy_names = [
    "${aws_load_balancer_policy.vault_server_listener_policy-tls-1-2.policy_name}",
  ]
}
```
I figured this out from a combination of the docs for `aws_load_balancer_policy` and the example aws cli commands in the docs on updating SSL configuration for classic load balancers.
It's a bit confusing though; it might be nice for the Terraform docs to give an example that uses a reference to the predefined SSL security policies.
@b-dean that worked for me thanks
I believe this is resolved with the config change suggesting above. Please let us know if otherwise! Thanks!
@catsby one thing I noticed today is that using the above config, terraform always thinks there is a change in the number of policy attributes:

```text
~ aws_load_balancer_policy.jenkins_https_listener_policy
    policy_attribute.#:                "15" => "1"
    policy_attribute.1157710355.name:  "ECDHE-RSA-AES128-SHA256" => ""
    policy_attribute.1157710355.value: "true" => ""
    policy_attribute.1162508121.name:  "ECDHE-RSA-AES128-GCM-SHA256" => ""
    policy_attribute.1162508121.value: "true" => ""
    policy_attribute.1374486838.name:  "ECDHE-ECDSA-AES256-GCM-SHA384" => ""
    policy_attribute.1374486838.value: "true" => ""
    policy_attribute.1401804560.name:  "ECDHE-ECDSA-AES256-SHA384" => ""
    policy_attribute.1401804560.value: "true" => ""
    policy_attribute.1636262000.name:  "ECDHE-ECDSA-AES128-GCM-SHA256" => ""
    policy_attribute.1636262000.value: "true" => ""
    policy_attribute.1648049300.name:  "ECDHE-RSA-AES256-SHA384" => ""
    policy_attribute.1648049300.value: "true" => ""
    policy_attribute.1958193559.name:  "ECDHE-ECDSA-AES128-SHA256" => ""
    policy_attribute.1958193559.value: "true" => ""
    policy_attribute.1965037087.name:  "ECDHE-RSA-AES256-GCM-SHA384" => ""
    policy_attribute.1965037087.value: "true" => ""
    policy_attribute.2179956068.name:  "Protocol-TLSv1.2" => ""
    policy_attribute.2179956068.value: "true" => ""
    policy_attribute.2223865434.name:  "AES128-SHA256" => ""
    policy_attribute.2223865434.value: "true" => ""
    policy_attribute.3306698813.name:  "AES256-GCM-SHA384" => ""
    policy_attribute.3306698813.value: "true" => ""
    policy_attribute.3371002872.name:  "Server-Defined-Cipher-Order" => ""
    policy_attribute.3371002872.value: "true" => ""
    policy_attribute.3454672421.name:  "AES256-SHA256" => ""
    policy_attribute.3454672421.value: "true" => ""
    policy_attribute.3802307018.name:  "Reference-Security-Policy" => "Reference-Security-Policy"
    policy_attribute.3802307018.value: "ELBSecurityPolicy-TLS-1-2-2017-01" => "ELBSecurityPolicy-TLS-1-2-2017-01"
    policy_attribute.4117911931.name:  "AES128-GCM-SHA256" => ""
    policy_attribute.4117911931.value: "true" => ""
```

Not sure if you would prefer a new ticket for this.
Hey @JonCubed or @b-dean , did you verify that this actually changed the cipher on the ELBs to the correct one? When I tried this fix, yes my terraform compiled and ran without error, but it set the policy to ELBSecurityPolicy-2016-08, which is the one which is fairly wide-open to lots of ciphers.
After TF converged, subsequent runs appear like it finally knows that the cipher policy is wrong, and so is trying to fix it, and that's why every TF run displays the behaviour that @JonCubed has posted directly above.
So, bottom line I guess, I don't think this problem is fixed @catsby .
@catsby the policies always changing is actually what #995 (which I opened) is about.
@holtwilkins, I checked one of ours set up this way and it had the policy set to ELBSecurityPolicy-TLS-1-2-2017-01 as expected. Note that we were also using a stickiness policy. Originally we made this one with the `aws_lb_cookie_stickiness_policy` resource but found that you can't mix that with `aws_load_balancer_listener_policy`. I don't know if that's your problem or not, but using both would look something like:

```hcl
variable "elb_security_policy" {
  default = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

variable "elb_stickiness" {
  default = "1000"
}

resource "aws_elb" "vault_server" {
  # ...

  listener {
    lb_port = "443"
    # ...
  }
}

resource "aws_load_balancer_policy" "vault_server_listener_policy-tls-1-2" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  policy_name        = "my-tls-1-2"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "${var.elb_security_policy}"
  }
}

resource "aws_load_balancer_policy" "vault_server_listener_policy-stickiness" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  policy_name        = "cookie-stickiness"
  policy_type_name   = "LBCookieStickinessPolicyType"

  policy_attribute {
    name  = "CookieExpirationPeriod"
    value = "${var.elb_stickiness}"
  }
}

resource "aws_load_balancer_listener_policy" "vault_server_listener_policies" {
  load_balancer_name = "${aws_elb.vault_server.name}"
  load_balancer_port = 443

  policy_names = [
    "${aws_load_balancer_policy.vault_server_listener_policy-tls-1-2.policy_name}",
    "${aws_load_balancer_policy.vault_server_listener_policy-stickiness.policy_name}",
  ]
}
```

I'm not saying this is your exact problem, but maybe something like this? Maybe some other policy is changing your end result? Might be worth seeing if there are other policies on there:

```shell
aws elb describe-load-balancer-policies --load-balancer-name foo_elb
```
@holtwilkins yes I did confirm that it changed before reporting that it worked for me. Reason that I'm seeing the change is that terraform is not recognising that the predefined policy is converted into multiple policy attributes, in this case 15.
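The two questions left open in this thread are whether the listener on port 443 really ended up with the intended reference policy (rather than the ELB default) and why Terraform sees 15 attributes where the config declares one. Both can be answered from the JSON that `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` return. The check below is an added example written for this page; it is not code from the thread, the AWS provider, or HashiCorp. The two JSON documents are constructed to look like those CLI responses for a hypothetical ELB named `example-elb`, trimmed to the fields the check reads; the expanded attribute list for the SSL policy is a subset of the names that appear in the plan diff above.

```python
"""Verify which SSL negotiation policy is attached to a classic ELB listener.

Added example; the JSON below is constructed to resemble the output of
`aws elb describe-load-balancers` / `aws elb describe-load-balancer-policies`
and is not a capture from a real account.
"""
import json

# Constructed: `aws elb describe-load-balancers --load-balancer-names example-elb`
DESCRIBE_LB = json.dumps({
    "LoadBalancerDescriptions": [{
        "LoadBalancerName": "example-elb",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 8200},
             "PolicyNames": ["my-tls-1-2", "cookie-stickiness"]},
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 8200},
             "PolicyNames": []},
        ],
    }],
})

# Constructed: `aws elb describe-load-balancer-policies --load-balancer-name example-elb`
# The policy Terraform created with one Reference-Security-Policy attribute is
# returned with the predefined policy expanded into protocol/cipher attributes,
# which is the "15 => 1" diff the thread describes.
DESCRIBE_POLICIES = json.dumps({
    "PolicyDescriptions": [
        {"PolicyName": "my-tls-1-2",
         "PolicyTypeName": "SSLNegotiationPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "Reference-Security-Policy",
              "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"},
             {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
             {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
             {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
             {"AttributeName": "ECDHE-ECDSA-AES256-GCM-SHA384", "AttributeValue": "true"},
             {"AttributeName": "AES256-GCM-SHA384", "AttributeValue": "true"},
         ]},
        {"PolicyName": "cookie-stickiness",
         "PolicyTypeName": "LBCookieStickinessPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "CookieExpirationPeriod", "AttributeValue": "1000"}]},
    ],
})


def listener_policies(describe_lb_json, port):
    """Policy names attached to the listener on `port`, or None if no such listener."""
    doc = json.loads(describe_lb_json)
    for lb in doc["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            if ld["Listener"]["LoadBalancerPort"] == port:
                return list(ld["PolicyNames"])
    return None


def describe_ssl_policies(describe_policies_json):
    """Map each SSLNegotiationPolicyType policy to its reference policy,
    its expanded attribute count, and the protocols it enables."""
    doc = json.loads(describe_policies_json)
    result = {}
    for p in doc["PolicyDescriptions"]:
        if p["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in p["PolicyAttributeDescriptions"]}
        result[p["PolicyName"]] = {
            "reference": attrs.get("Reference-Security-Policy"),
            "attribute_count": len(attrs),
            "protocols": sorted(n[len("Protocol-"):] for n, v in attrs.items()
                                if n.startswith("Protocol-") and v == "true"),
        }
    return result


def check_listener(describe_lb_json, describe_policies_json, port, expected_reference):
    """Return (ok, findings): ok is True only when every SSL policy on the
    listener references `expected_reference`. A listener with no SSL policy
    at all is reported as not ok, because the ELB default then applies."""
    names = listener_policies(describe_lb_json, port)
    if names is None:
        return False, [f"no listener on port {port}"]
    ssl = describe_ssl_policies(describe_policies_json)
    attached = [n for n in names if n in ssl]
    if not attached:
        return False, [f"listener {port}: no SSLNegotiationPolicyType policy attached; "
                       "the ELB default policy applies"]
    ok, findings = True, []
    for n in attached:
        info = ssl[n]
        if info["reference"] != expected_reference:
            ok = False
            findings.append(f"{n}: Reference-Security-Policy is {info['reference']!r}, "
                            f"expected {expected_reference!r}")
        else:
            findings.append(f"{n}: references {expected_reference}, expanded by AWS into "
                            f"{info['attribute_count']} attributes, protocols {info['protocols']}")
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_listener(DESCRIBE_LB, DESCRIBE_POLICIES, 443,
                                  "ELBSecurityPolicy-TLS-1-2-2017-01")
    print("OK" if ok else "MISMATCH")
    for line in findings:
        print(" -", line)
```

To run this against a real load balancer, replace the two constructed strings with the output of the two CLI commands named in the comments (for example via `subprocess` or by reading files saved with `--output json`). The `attribute_count` value makes the plan-diff behaviour visible: the single `Reference-Security-Policy` attribute in the config comes back from the API as the full expanded set, so a state comparison that does not account for the expansion will always report a change.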
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!