Provide SSL security policy (#45)

* Provide SSL security policy

* Build documentation updates

* Update variables.tf

* Auto Format

* Update main.tf

Co-authored-by: nitrocode <[email protected]>
Co-authored-by: cloudpossebot <[email protected]>

README.md

@@ -303,6 +303,7 @@ Available targets:
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_loadbalancer_certificate_arn"></a> [loadbalancer\_certificate\_arn](#input\_loadbalancer\_certificate\_arn) | Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager | `string` | `""` | no |
 | <a name="input_loadbalancer_logs_bucket_force_destroy"></a> [loadbalancer\_logs\_bucket\_force\_destroy](#input\_loadbalancer\_logs\_bucket\_force\_destroy) | Force destroy the S3 bucket for load balancer logs even if it's not empty | `bool` | `false` | no |
+| <a name="input_loadbalancer_ssl_policy"></a> [loadbalancer\_ssl\_policy](#input\_loadbalancer\_ssl\_policy) | Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer | `string` | `""` | no |
 | <a name="input_loadbalancer_subnets"></a> [loadbalancer\_subnets](#input\_loadbalancer\_subnets) | List of subnets to place Elastic Load Balancer | `list(string)` | n/a | yes |
 | <a name="input_loadbalancer_type"></a> [loadbalancer\_type](#input\_loadbalancer\_type) | Load Balancer type, e.g. 'application' or 'classic' | `string` | `"application"` | no |
 | <a name="input_master_instance_type"></a> [master\_instance\_type](#input\_master\_instance\_type) | EC2 instance type for Jenkins master, e.g. 't2.medium' | `string` | `"t2.medium"` | no |

docs/terraform.md

@@ -75,6 +75,7 @@
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_loadbalancer_certificate_arn"></a> [loadbalancer\_certificate\_arn](#input\_loadbalancer\_certificate\_arn) | Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager | `string` | `""` | no |
 | <a name="input_loadbalancer_logs_bucket_force_destroy"></a> [loadbalancer\_logs\_bucket\_force\_destroy](#input\_loadbalancer\_logs\_bucket\_force\_destroy) | Force destroy the S3 bucket for load balancer logs even if it's not empty | `bool` | `false` | no |
+| <a name="input_loadbalancer_ssl_policy"></a> [loadbalancer\_ssl\_policy](#input\_loadbalancer\_ssl\_policy) | Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer | `string` | `""` | no |
 | <a name="input_loadbalancer_subnets"></a> [loadbalancer\_subnets](#input\_loadbalancer\_subnets) | List of subnets to place Elastic Load Balancer | `list(string)` | n/a | yes |
 | <a name="input_loadbalancer_type"></a> [loadbalancer\_type](#input\_loadbalancer\_type) | Load Balancer type, e.g. 'application' or 'classic' | `string` | `"application"` | no |
 | <a name="input_master_instance_type"></a> [master\_instance\_type](#input\_master\_instance\_type) | EC2 instance type for Jenkins master, e.g. 't2.medium' | `string` | `"t2.medium"` | no |

main.tf

@@ -46,6 +46,7 @@ module "elastic_beanstalk_environment" {
   keypair                 = var.ssh_key_pair
   solution_stack_name     = var.solution_stack_name
   force_destroy           = var.loadbalancer_logs_bucket_force_destroy
+  loadbalancer_ssl_policy = var.loadbalancer_ssl_policy
 
   # Provide EFS DNS name to EB in the `EFS_HOST` ENV var. EC2 instance will mount to the EFS filesystem and use it to store Jenkins state
   # Add slaves Security Group `JENKINS_SLAVE_SECURITY_GROUPS` (comma-separated if more than one). Will be used by Jenkins to init the EC2 plugin to launch slaves inside the Security Group

variables.tf

@@ -51,6 +51,12 @@ variable "loadbalancer_certificate_arn" {
   default     = ""
 }
 
+variable "loadbalancer_ssl_policy" {
+  type        = "string"
+  default     = ""
+  description = "Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer"
+}
+
 variable "loadbalancer_subnets" {
   type        = list(string)
   description = "List of subnets to place Elastic Load Balancer"