
Support TLS v1.3 in Cloudfront distribution minimum_protocol_version #15194

Open
mbacchi opened this issue Sep 17, 2020 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/cloudfront Issues and PRs that pertain to the cloudfront service.

Comments

@mbacchi commented Sep 17, 2020

Description

AWS announced TLS v1.3 for viewer connections. This should be available in the Terraform AWS provider.

New or Affected Resource(s)

  • aws_cloudfront_distribution

Potential Terraform Configuration

resource "aws_cloudfront_distribution" "example_distribution" {
  enabled         = true
  viewer_certificate {
    minimum_protocol_version = "TLSv1.3"
  }
[...]
}

@mbacchi mbacchi added the enhancement Requests to existing resources that expand the functionality or scope. label Sep 17, 2020
@ghost ghost added the service/cloudfront Issues and PRs that pertain to the cloudfront service. label Sep 17, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2020
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2020
@reedloden (Contributor) commented

Not sure this is possible. As far as I can tell, there's no security policy that is TLSv1.3+. minimum_protocol_version maps to the security policies listed on https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html (the most restrictive one being TLSv1.2_2019).

@m4wk commented Jul 16, 2021

@reedloden AWS now supports TLSv1.3 as of last month: https://aws.amazon.com/about-aws/whats-new/2021/06/amazon-cloudfront-announces-new-tlsv12_2021-security-policy-for-viewer-connections/

Maybe we can have a `minimum_protocol_version = TLSv1.2_2021`?

@enigmango commented Jul 20, 2021

Since the AWS API docs list TLSv1.2_2021 as a valid version, I tried using minimum_protocol_version = TLSv1.2_2021 with an existing config and it worked.

  viewer_certificate {
    cloudfront_default_certificate = #...
    acm_certificate_arn            = #...
    ssl_support_method             = #...
    minimum_protocol_version       = "TLSv1.2_2021"
  }

It's a little confusing, but looking at the table linked above, certain TLSv1.2 versions support TLSv1.3 ciphers. If you use the latest version available via the API, it will include TLS 1.3 cipher support.

The Terraform AWS resource documentation doesn't mention the latest version available, though, which made me uncertain if TLSv1.2_2021 would work. I'd suggest linking to the API doc instead of a static list.

@AbhilashDawar commented
@enigmango Can you please tell what version of terraform you are using?
I'm trying that myself using minimum_protocol_version = "TLSv1.2_2021" but it gives the following error.

Error: error updating CloudFront Distribution: MalformedXML: 1 validation error detected: Value 'TLSv1.2_2021' at 'distributionConfig.viewerCertificate.minimumProtocolVersion' failed to satisfy constraint: Member must satisfy enum value set: [TLSv1.1_2016, SSLv3, TLSv1.2_2018, TLSv1.2_2019, TLSv1_2016, TLSv1]

@enigmango commented
@AbhilashDawar That might be an AWS provider version issue instead of a terraform version issue. Either way, I'm using TF 0.14.6 and the AWS provider 3.27.0. Below is my version config block.

terraform {
  required_version = "~> 0.14.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

github-actions bot commented
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Feb 19, 2024
@jc00ke commented Feb 20, 2024

Am I seeing a discrepancy between the AWS policies and actually enforcing TLSv1.3 as the minimum version?

| Supported SSL/TLS protocols | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 |
|---|---|---|---|---|---|---|---|
| TLSv1.3 | x | x | x | x | x | x | x |
| TLSv1.2 | x | x | x | x | x | x | x |
| TLSv1.1 | x | x | x | x | | | |
| TLSv1 | x | x | x | | | | |
| SSLv3 | x | | | | | | |

If I'm reading this correctly, there's no way to say TLSv1.2_2021 but enforce v1.3 and there surely is not a TLSv1.3_2024. So, I guess if you have a compliance requirement to enforce TLS v1.3 then you can't rely on the TLSv1.2_20[18|19|21] security policy because they could allow TLSv1.2 to pass through. Hmm, not ideal.

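The point raised above (which viewer protocols each security policy still admits, and whether any policy can require TLS 1.3 only), as an added example that is not part of the issue or of the Terraform AWS provider: a small audit that encodes the quoted table and the enum values from the error message earlier in the thread, and flags distributions whose policy admits anything below a required minimum. The item shape (Id plus ViewerCertificate.MinimumProtocolVersion) follows the CloudFront API field names; the sample distributions are constructed.

```python
# Added example, not code from the issue or the Terraform AWS provider:
# audit CloudFront distributions against a required minimum viewer TLS
# version, using the security-policy table quoted in this thread.
from typing import Dict, List

PROTOCOL_RANK = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Security policy -> viewer protocols it accepts (transcribed from the
# AWS table above; note that every policy still accepts TLSv1.2).
POLICY_PROTOCOLS: Dict[str, List[str]] = {
    "SSLv3": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "TLSv1": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "TLSv1_2016": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "TLSv1.1_2016": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "TLSv1.2_2018": ["TLSv1.2", "TLSv1.3"],
    "TLSv1.2_2019": ["TLSv1.2", "TLSv1.3"],
    "TLSv1.2_2021": ["TLSv1.2", "TLSv1.3"],
}

def weakest_protocol(policy: str) -> str:
    """Oldest protocol a viewer may still negotiate under this policy."""
    return min(POLICY_PROTOCOLS[policy], key=PROTOCOL_RANK.index)

def policy_enforces(policy: str, required_min: str) -> bool:
    """True if nothing older than required_min can be negotiated."""
    return PROTOCOL_RANK.index(weakest_protocol(policy)) >= PROTOCOL_RANK.index(required_min)

def audit(distributions: List[dict], required_min: str) -> List[dict]:
    """Flag distributions whose policy admits anything older than required_min.
    Items are assumed shaped like CloudFront ListDistributions entries (Id plus
    ViewerCertificate.MinimumProtocolVersion); an unset value is a finding too.
    """
    findings = []
    for dist in distributions:
        policy = dist.get("ViewerCertificate", {}).get("MinimumProtocolVersion")
        if policy is None:
            findings.append({"Id": dist["Id"], "Policy": None,
                             "Reason": "MinimumProtocolVersion not set"})
        elif not policy_enforces(policy, required_min):
            findings.append({"Id": dist["Id"], "Policy": policy,
                             "Reason": f"accepts {weakest_protocol(policy)}, below {required_min}"})
    return findings

# Constructed sample input; these are not real distribution ids.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "DIST-MODERN", "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "DIST-LEGACY", "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1_2016"}},
    {"Id": "DIST-UNSET", "ViewerCertificate": {}},
]
```

Running `audit(SAMPLE_DISTRIBUTIONS, "TLSv1.3")` flags every distribution, including the one on TLSv1.2_2021, which is exactly the gap described above.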
@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Feb 20, 2024