From 24533da3371d0287bed856c56dbfc25c5c7ac6aa Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Thu, 30 Mar 2023 10:52:42 -0700
Subject: [PATCH] Require TLS 1.2 in Terraform ALB listener (#10887)

This should fix tfsec https://aquasecurity.github.io/tfsec/v1.0.8/checks/aws/elb/use-secure-tls-policy/ by configuring https://registry.terraform.io/modules/terraform-aws-modules/alb/aws/6.4.0#input_listener_ssl_policy_default.
---
 terraform/byo-vpc/byo-db/main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/byo-vpc/byo-db/main.tf b/terraform/byo-vpc/byo-db/main.tf
index bb0bf7d6e6..a1279c7891 100644
--- a/terraform/byo-vpc/byo-db/main.tf
+++ b/terraform/byo-vpc/byo-db/main.tf
@@ -53,6 +53,9 @@ module "alb" {
 }
 }
 ]
+
+ # Require TLS 1.2 as earlier versions are insecure
+ listener_ssl_policy_default = "TLS-1-2-2017-01"
 https_listeners = [
 {
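Review bot: The value assigned to `listener_ssl_policy_default` does not look like a complete ELB security policy name, because AWS's predefined ALB policies carry an `ELBSecurityPolicy-` prefix; as written the listener would likely be rejected at apply time rather than hardened. The line should probably read `listener_ssl_policy_default = "ELBSecurityPolicy-TLS-1-2-2017-01"`. That policy makes TLS 1.2 the minimum but still allows CBC cipher suites, so if the pinned module and provider versions support it, a newer predefined policy such as `ELBSecurityPolicy-TLS13-1-2-2021-06` is worth considering, and the comment could then say "TLS 1.2 or later". The `https_listeners` list continues outside the hunk, so it is not visible here whether any listener sets its own `ssl_policy` and thereby bypasses this default.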