[u] Insecure Transportation Security Protocol Supported (TLS 1.0) (Da…

…taBiosphere/azul-private#15)
DataBiosphere · Sep 12, 2023 · 8ea291d · 8ea291d
1 parent 3e79e70
commit 8ea291d
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/UPGRADING.rst b/UPGRADING.rst
@@ -20,6 +20,16 @@ reverted. This is all fairly informal and loosely defined. Hopefully we won't
 have too many entries in this file.
 
 
+DataBiosphere/azul-private#15 Insecure Transportation Security Protocol Supported (TLS 1.0)
+===========================================================================================
+
+Operator
+~~~~~~~~
+
+Manually deploy the ``gitlab`` component of any main deployment, just before
+pushing the merge commit to the GitLab instance in that deployment.
+
+
 DataBiosphere/azul-private#95 Resolve vulnerabilities in AMI for GitLab
 =======================================================================
 

diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -370,7 +370,8 @@ def for_domain(cls, domain):
                 'aws_api_gateway_domain_name': {
                     f'{app.name}_{i}': {
                         'domain_name': '${aws_acm_certificate.%s_%i.domain_name}' % (app.name, i),
-                        'certificate_arn': '${aws_acm_certificate_validation.%s_%i.certificate_arn}' % (app.name, i)
+                        'certificate_arn': '${aws_acm_certificate_validation.%s_%i.certificate_arn}' % (app.name, i),
+                        'security_policy': 'TLS_1_2'
                     } for i, domain in enumerate(app.domains)
                 },
                 'aws_api_gateway_method_settings': {
@@ -618,7 +619,7 @@ def for_domain(cls, domain):
                             app.name: {
                                 'port': 443,
                                 'protocol': 'HTTPS',
-                                'ssl_policy': 'ELBSecurityPolicy-2016-08',
+                                'ssl_policy': 'ELBSecurityPolicy-FS-1-2-Res-2019-08',
                                 'certificate_arn': '${aws_acm_certificate.%s_0.arn}' % app.name,
                                 'default_action': [
                                     {

diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
@@ -1013,6 +1013,7 @@ def qq(*words):
                     'gitlab_' + name: {
                         'port': ext_port,
                         'protocol': 'TCP',
+                        'ssl_policy': 'ELBSecurityPolicy-FS-1-2-Res-2019-08',
                         'default_action': [
                             {
                                 'target_group_arn': '${aws_lb_target_group.gitlab_' + name + '.id}',
@@ -1027,7 +1028,7 @@ def qq(*words):
             'gitlab_http': {
                 'port': 443,
                 'protocol': 'HTTPS',
-                'ssl_policy': 'ELBSecurityPolicy-2016-08',
+                'ssl_policy': 'ELBSecurityPolicy-FS-1-2-Res-2019-08',
                 'certificate_arn': '${aws_acm_certificate.gitlab.arn}',
                 'default_action': [
                     {