From d2ef86651375d75f8ec54a3583bb8927550cfc8e Mon Sep 17 00:00:00 2001
From: Clarissa Borges
Date: Wed, 17 Jul 2024 15:09:25 -0300
Subject: [PATCH] Allow custom SSL policy for the Load Balancer Controller

Some servers may have more strict requirements for their TLS listeners. The `ELBSecurityPolicy-2016-08` policy is the default security policy for TLS listeners created using the AWS CLI. This change allows a customization on the Load Balancer Controller to specify a different security policy.

[Reference](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html).
---
 aws/platform/main.tf                              | 17 +++++++++--------
 .../modules/load-balancer-controller/main.tf      |  2 ++
 .../load-balancer-controller/variables.tf         |  6 ++++++
 aws/platform/variables.tf                         |  6 ++++++
 4 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/aws/platform/main.tf b/aws/platform/main.tf
index ea4ccce0..9afad7c2 100644
--- a/aws/platform/main.tf
+++ b/aws/platform/main.tf
@@ -69,14 +69,15 @@ module "common_platform" {
 module "aws_load_balancer_controller" {
   source = "./modules/load-balancer-controller"
 
-  aws_namespace     = [module.cluster_name.full]
-  aws_tags          = var.aws_tags
-  chart_values      = var.aws_load_balancer_controller_values
-  chart_version     = var.aws_load_balancer_controller_version
-  cluster_full_name = module.cluster_name.full
-  k8s_namespace     = var.k8s_namespace
-  oidc_issuer       = data.aws_ssm_parameter.oidc_issuer.value
-  vpc_cidr_block    = module.network.vpc.cidr_block
+  aws_namespace      = [module.cluster_name.full]
+  aws_tags           = var.aws_tags
+  chart_values       = var.aws_load_balancer_controller_values
+  chart_version      = var.aws_load_balancer_controller_version
+  cluster_full_name  = module.cluster_name.full
+  default_ssl_policy = var.default_ssl_policy
+  k8s_namespace      = var.k8s_namespace
+  oidc_issuer        = data.aws_ssm_parameter.oidc_issuer.value
+  vpc_cidr_block     = module.network.vpc.cidr_block
 
   depends_on = [module.common_platform]
 }
diff --git a/aws/platform/modules/load-balancer-controller/main.tf b/aws/platform/modules/load-balancer-controller/main.tf
index 77b69937..03c14251 100644
--- a/aws/platform/modules/load-balancer-controller/main.tf
+++ b/aws/platform/modules/load-balancer-controller/main.tf
@@ -90,6 +90,8 @@ locals {
         "eks.amazonaws.com/role-arn" = module.service_account_role.arn
       }
     }
+
+    defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-TLS13-1-2-2021-06")
   })
 ]
 }
diff --git a/aws/platform/modules/load-balancer-controller/variables.tf b/aws/platform/modules/load-balancer-controller/variables.tf
index 2a6e9402..f8528667 100644
--- a/aws/platform/modules/load-balancer-controller/variables.tf
+++ b/aws/platform/modules/load-balancer-controller/variables.tf
@@ -66,3 +66,9 @@ variable "vpc_cidr_block" {
   type        = string
   description = "CIDR block for the AWS VPC in which the load balancer runs"
 }
+
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
\ No newline at end of file
diff --git a/aws/platform/variables.tf b/aws/platform/variables.tf
index 943b7b47..fdd3f2fe 100644
--- a/aws/platform/variables.tf
+++ b/aws/platform/variables.tf
@@ -74,6 +74,12 @@ variable "custom_roles" {
   default = {}
 }
 
+variable "default_ssl_policy" {
+  type        = string
+  description = "The default SSL policy to use for the load balancer"
+  default     = null
+}
+
 variable "domain_names" {
   type    = list(string)
   default = []
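Review bot: The fallback `ELBSecurityPolicy-TLS13-1-2-2021-06` in the added `defaultSSLPolicy` line does not match the commit message, which names `ELBSecurityPolicy-2016-08` as the existing default, so every deployment that leaves `default_ssl_policy` unset will have its listener policy changed on the next apply rather than merely gaining an option. If that tightening is intended (the TLS13-1-2-2021-06 policy accepts only TLS 1.2 and 1.3, which is a sensible floor), it should be stated in the commit message and in the variable description so operators know older clients will be rejected; if not, the fallback should be the policy the message names. Because the effective default is a literal hidden inside `coalesce`, consider giving it a name, e.g. `default_ssl_policy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-TLS13-1-2-2021-06") # TLS 1.2+ only; intentionally stricter than the AWS default`, so the choice is visible in review and in plan output. Note that `coalesce` also treats an empty string as unset, which is acceptable here but worth a word in the description. The enclosing `locals` block starts outside the hunk, and whether `var.chart_values` is later merged over this key is not visible here.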
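Review bot: `default_ssl_policy` accepts any string and its description does not say what a null value selects, so a mistyped policy name is only discovered when the controller fails to create the listener, and a reader of this file cannot tell that the effective default lives in main.tf; the same applies to the root-level copy added in aws/platform/variables.tf. Extend the description to name the fallback behaviour and add a `validation` block that rejects anything not shaped like an ELB security policy name at plan time, as below. This file is also left without a trailing newline (`\ No newline at end of file`), which `terraform fmt` normalizes and which will otherwise show up as noise in the next diff that touches it.
```hcl
variable "default_ssl_policy" {
  type        = string
  description = "Security policy name for TLS listeners created by the controller; null selects the module's built-in default"
  default     = null

  validation {
    condition     = var.default_ssl_policy == null || can(regex("^ELBSecurityPolicy-", var.default_ssl_policy))
    error_message = "default_ssl_policy must be an AWS ELB security policy name (ELBSecurityPolicy-*)."
  }
}
```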