diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md index 7dfd45d5..87370c92 100644 --- a/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md +++ b/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md @@ -4,7 +4,7 @@ Use the most modern TLS/SSL policies available ```hcl resource "aws_cloudfront_distribution" "good_example" { viewer_certificate { - cloudfront_default_certificate = false + cloudfront_default_certificate = false minimum_protocol_version = "TLSv1.2_2021" } } diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md index fc83dffe..544f9975 100644 --- a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md +++ b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md @@ -1,7 +1,7 @@ You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. -Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. +Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. The only option when using the cloudfront.net domain name is to ignore this rule.
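Review bot: the Terraform.md hunk is a whitespace-only change (the removed and added `cloudfront_default_certificate = false` lines differ only in indentation), so the commit message should say it is a formatting fix so reviewers do not hunt for a semantic difference; please also confirm the new indentation lines up with the `minimum_protocol_version = "TLSv1.2_2021"` line directly below it inside the `viewer_certificate` block. Separately, the `good_example` still does not set `ssl_support_method`, which the pre-change docs.md in this same patch lists as a precondition (`sni-only`) for `TLSv1.2_2021`; if that precondition is being dropped deliberately, fine, otherwise the example should show it.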
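Review bot: the docs.md hunk silently deletes the clause "and *ssl_support_method* is *sni-only*" from the note while adding the explanation about `cloudfront_default_certificate = true`; the two changes are independent, and the removal of the SNI-only condition is not explained anywhere in the patch, so either restore that clause or state in the commit message why it no longer applies. In the added text, "Note: that setting" should read "Note that setting", "eg." should be "e.g.", "Cloudfront" should be "CloudFront" to match the service name used in the file path, and "*terraform plan*'s" should be the plural "*terraform plan* runs" rather than a possessive. The closing sentence ("The only option ... is to ignore this rule") would be more useful to readers if it pointed at the project's documented way of suppressing a finding rather than leaving them to find it.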