diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index 3afebbad7..d74064db9 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@@ -44,8 +44,24 @@ func expandListeners(configured []interface{}) ([]*elb.Listener, error) {
 			l.SSLCertificateId = aws.String(v.(string))
 		}
 
-		listeners = append(listeners, l)
-	}
+		var valid bool
+		if l.SSLCertificateId != nil && *l.SSLCertificateId != "" {
+			// validate the protocol is correct
+			for _, p := range []string{"https", "ssl"} {
+				if (*l.InstanceProtocol == p) || (*l.Protocol == p) {
+					valid = true
+				}
+			}
+		} else {
+			valid = true
+		}
+
+		if valid {
+			listeners = append(listeners, l)
+		} else {
+			return nil, fmt.Errorf("[ERR] ELB Listener: ssl_certificate_id may be set only when protocol is 'https' or 'ssl'")
+		}
+	}
 
 	return listeners, nil
 }
diff --git a/builtin/providers/aws/structure_test.go b/builtin/providers/aws/structure_test.go
index 7447801ee..65d56bb93 100644
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -295,6 +296,13 @@ func TestExpandListeners(t *testing.T) {
 			"instance_protocol": "http",
 			"lb_protocol":       "http",
 		},
+		map[string]interface{}{
+			"instance_port":      8000,
+			"lb_port":            80,
+			"instance_protocol":  "https",
+			"lb_protocol":        "https",
+			"ssl_certificate_id": "something",
+		},
 	}
 	listeners, err := expandListeners(expanded)
 	if err != nil {
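Review bot: The protocol comparison in the added loop is case-sensitive against the lowercase literals `"https"` and `"ssl"`, while the documentation in this same commit lists the valid values as `HTTPS` and `SSL`; unless the protocol strings are lowercased where `l.Protocol` and `l.InstanceProtocol` are assigned (outside the hunk), a listener written as documented with a certificate attached is rejected with the new error. Fold case before comparing, e.g. `if strings.EqualFold(*l.InstanceProtocol, p) || strings.EqualFold(*l.Protocol, p) {` (adding `strings` to the file's imports if it is not already there). Separately, the `||` accepts a certificate when only `instance_protocol` is TLS; the server certificate belongs to the load-balancer side of the listener, so presumably only `lb_protocol` should satisfy the check — worth confirming against the ELB API before tightening. Both `*l.InstanceProtocol` and `*l.Protocol` are dereferenced unchecked here, which is safe only if those fields are always populated earlier in the function. The enclosing `expandListeners` starts before this hunk.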
@@ -314,7 +322,31 @@ func TestExpandListeners(t *testing.T) {
 			listeners[0],
 			expected)
 	}
+}
 
+// this test should produce an error from expandlisteners on an invalid
+// combination
+func TestExpandListeners_invalid(t *testing.T) {
+	expanded := []interface{}{
+		map[string]interface{}{
+			"instance_port":      8000,
+			"lb_port":            80,
+			"instance_protocol":  "http",
+			"lb_protocol":        "http",
+			"ssl_certificate_id": "something",
+		},
+	}
+	_, err := expandListeners(expanded)
+	if err != nil {
+		// Check the error we got
+		if !strings.Contains(err.Error(), "ssl_certificate_id may be set only when protocol") {
+			t.Fatalf("Got error in TestExpandListeners_invalid, but not what we expected: %s", err)
+		}
+	}
+
+	if err == nil {
+		t.Fatalf("Expected TestExpandListeners_invalid to fail, but passed")
+	}
 }
 
 func TestFlattenHealthCheck(t *testing.T) {
diff --git a/website/source/docs/providers/aws/r/elb.html.markdown b/website/source/docs/providers/aws/r/elb.html.markdown
index 401f4cabe..dde90e54d 100644
--- a/website/source/docs/providers/aws/r/elb.html.markdown
+++ b/website/source/docs/providers/aws/r/elb.html.markdown
@@ -33,7 +33,7 @@ resource "aws_elb" "bar" {
 
   listener {
     instance_port = 8000
-    instance_protocol = "http"
+    instance_protocol = "https"
     lb_port = 443
     lb_protocol = "https"
     ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
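Review bot: `TestExpandListeners_invalid` only covers a lowercase `http`/`http` listener with a certificate, so it cannot catch the most likely regression in the validation it tests: a protocol spelled `HTTPS` or `SSL`, as the documentation in this commit recommends, is compared against lowercase literals in `expandListeners`, and no test in this commit exercises that spelling. Add a case with `"instance_protocol": "HTTPS", "lb_protocol": "HTTPS"` and a certificate that asserts whichever outcome is intended, so the case-handling decision is pinned rather than accidental. The error handling reads more naturally as a guard, `if err == nil { t.Fatalf("Expected TestExpandListeners_invalid to fail, but passed") }` followed directly by the `strings.Contains` check, instead of two separate `if` statements on `err`. The comment above the function should name the function as written: `// TestExpandListeners_invalid verifies that expandListeners rejects a certificate on a non-TLS listener.`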
@@ -90,10 +90,14 @@ Access Logs support the following:
 Listeners support the following:
 
 * `instance_port` - (Required) The port on the instance to route to
-* `instance_protocol` - (Required) The protocol to use to the instance.
+* `instance_protocol` - (Required) The protocol to use to the instance. Valid
+  values are `HTTP`, `HTTPS`, `TCP`, or `SSL`
 * `lb_port` - (Required) The port to listen on for the load balancer
-* `lb_protocol` - (Required) The protocol to listen on.
-* `ssl_certificate_id` - (Optional) The id of an SSL certificate you have uploaded to AWS IAM.
+* `lb_protocol` - (Required) The protocol to listen on. Valid values are `HTTP`,
+  `HTTPS`, `TCP`, or `SSL`
+* `ssl_certificate_id` - (Optional) The id of an SSL certificate you have
+uploaded to AWS IAM. **Only valid when `instance_protocol` and
+  `lb_protocol` are either HTTPS or SSL**
 
 Health Check supports the following:
 