replace TLSv1.2_2019 with TLSv1.2_2021 as default policy #294
Conversation
hans-d
added
wip
|
/terratest |
|
Thanks @jamerply for creating this pull request! A maintainer will review your changes shortly. Please don't be discouraged if it takes a while. While you wait, make sure to review our contributor guidelines. Tip Need help or want to ask for a PR review to be expedited?Join us on Slack in the |
There was a problem hiding this comment.
The problem is, this is a potentially breaking change that will manifest as some old clients failing to connect all of a sudden, a problem which will be difficult to trace back to updating this component.
I think instead we should just recommend that users explicitly set this to the newer version.
If users have pinned their modules to a particular version per CloudPosse's own recommendation, wouldn't that prevent the breaking change unless they knowingly updated to the newer version? |
|
@Nuru thoughts on just making this a major revision change? I agree that we should upgrade this for future consumers of this module, otherwise we're encouraging an old and outdated TLS. The other route is to remove the default altogether, but either way we'll want to do a major version rev. Let me know your thoughts and I can work with @jamerply to push this forward. |
what
This PR updates the
mimimum_protocol_versionvariable so that it defaults toTLSv1.2_2021(the current recommended security policy recommended by AWS) instead ofTLSv1.2_2019.why
The most current security policy is no longer
TLSv1.2_2019but isTLSv1.2_2021.references
See the "Security Policy" heading under the "Distribution Setting" section of the AWS CloudFront Documentation for further information.