futurice · jre21 · May 31, 2021 · May 31, 2021
diff --git a/aws/wordpress_fargate/alb.tf b/aws/wordpress_fargate/alb.tf
@@ -49,6 +49,7 @@ module "alb" {
     {
       "certificate_arn" = module.acm_alb.this_acm_certificate_arn
       "port"            = 443
+      "ssl_policy"      = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
     },
   ]
 

diff --git a/aws/wordpress_fargate/cloudfront.tf b/aws/wordpress_fargate/cloudfront.tf
@@ -21,7 +21,7 @@ resource "aws_cloudfront_distribution" "this" {
       http_port              = 80
       https_port             = 443
       origin_protocol_policy = "https-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
 
@@ -110,7 +110,7 @@ resource "aws_cloudfront_distribution" "this" {
   viewer_certificate {
     acm_certificate_arn      = module.acm.this_acm_certificate_arn
     ssl_support_method       = "sni-only"
-    minimum_protocol_version = "TLSv1.1_2016"
+    minimum_protocol_version = "TLSv1.2_2019"
   }
 
   # By default, cloudfront caches error for five minutes. There can be situation when a developer has accidentally broken the website and you would not want to wait for five minutes for the error response to be cached.

diff --git a/aws/wordpress_fargate/efs.tf b/aws/wordpress_fargate/efs.tf
@@ -1,5 +1,6 @@
 resource "aws_efs_file_system" "this" {
   creation_token = "${var.prefix}-${var.environment}"
+  encrypted      = true
   tags           = var.tags
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -49,6 +49,7 @@ module "alb" { @@
         {
           "certificate_arn" = module.acm_alb.this_acm_certificate_arn
           "port"            = 443
+          "ssl_policy"      = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
         },
       ]
@@ Expand Down @@