Merge branch 'Ticketmaster-5637-conflict-resolution'

2016-08-11 15:15:34 +12:00 · 2016-08-11 15:15:34 +12:00 · c95bf296d4
parent 6b477e888a ec3e442f26
commit c95bf296d4
7 changed files with 682 additions and 0 deletions
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -223,6 +223,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_load_balancer_policy":                     resourceAwsLoadBalancerPolicy(),
 			"aws_load_balancer_backend_server_policy":      resourceAwsLoadBalancerBackendServerPolicies(),
 			"aws_load_balancer_listener_policy":            resourceAwsLoadBalancerListenerPolicies(),
+			"aws_lb_ssl_negotiation_policy":                resourceAwsLBSSLNegotiationPolicy(),
 			"aws_main_route_table_association":             resourceAwsMainRouteTableAssociation(),
 			"aws_nat_gateway":                              resourceAwsNatGateway(),
 			"aws_network_acl":                              resourceAwsNetworkAcl(),
--- a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
@ -0,0 +1,185 @@
+package aws
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/elb"
+	"github.com/hashicorp/terraform/helper/hashcode"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsLBSSLNegotiationPolicy() *schema.Resource {
+	return &schema.Resource{
+		// There is no concept of "updating" an LB policy in
+		// the AWS API.
+		Create: resourceAwsLBSSLNegotiationPolicyCreate,
+		Read:   resourceAwsLBSSLNegotiationPolicyRead,
+		Delete: resourceAwsLBSSLNegotiationPolicyDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"load_balancer": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"lb_port": &schema.Schema{
+				Type:     schema.TypeInt,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"attribute": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				ForceNew: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"value": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["name"].(string)))
+					return hashcode.String(buf.String())
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsLBSSLNegotiationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	// Provision the SSLNegotiationPolicy
+	lbspOpts := &elb.CreateLoadBalancerPolicyInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		PolicyName:       aws.String(d.Get("name").(string)),
+		PolicyTypeName:   aws.String("SSLNegotiationPolicyType"),
+	}
+
+	// Check for Policy Attributes
+	if v, ok := d.GetOk("attribute"); ok {
+		var err error
+		// Expand the "attribute" set to aws-sdk-go compat []*elb.PolicyAttribute
+		lbspOpts.PolicyAttributes, err = expandPolicyAttributes(v.(*schema.Set).List())
+		if err != nil {
+			return err
+		}
+	}
+
+	log.Printf("[DEBUG] Load Balancer Policy opts: %#v", lbspOpts)
+	if _, err := elbconn.CreateLoadBalancerPolicy(lbspOpts); err != nil {
+		return fmt.Errorf("Error creating Load Balancer Policy: %s", err)
+	}
+
+	setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
+		PolicyNames:      []*string{aws.String(d.Get("name").(string))},
+	}
+
+	log.Printf("[DEBUG] SSL Negotiation create configuration: %#v", setLoadBalancerOpts)
+	if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
+		return fmt.Errorf("Error setting SSLNegotiationPolicy: %s", err)
+	}
+
+	d.SetId(fmt.Sprintf("%s:%d:%s",
+		*lbspOpts.LoadBalancerName,
+		*setLoadBalancerOpts.LoadBalancerPort,
+		*lbspOpts.PolicyName))
+	return nil
+}
+
+func resourceAwsLBSSLNegotiationPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	lbName, lbPort, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
+
+	request := &elb.DescribeLoadBalancerPoliciesInput{
+		LoadBalancerName: aws.String(lbName),
+		PolicyNames:      []*string{aws.String(policyName)},
+	}
+
+	getResp, err := elbconn.DescribeLoadBalancerPolicies(request)
+	if err != nil {
+		if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() == "PolicyNotFound" {
+			// The policy is gone.
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error retrieving policy: %s", err)
+	}
+
+	if len(getResp.PolicyDescriptions) != 1 {
+		return fmt.Errorf("Unable to find policy %#v", getResp.PolicyDescriptions)
+	}
+
+	// We can get away with this because there's only one policy returned
+	policyDesc := getResp.PolicyDescriptions[0]
+	attributes := flattenPolicyAttributes(policyDesc.PolicyAttributeDescriptions)
+	d.Set("attributes", attributes)
+
+	d.Set("name", policyName)
+	d.Set("load_balancer", lbName)
+	d.Set("lb_port", lbPort)
+
+	return nil
+}
+
+func resourceAwsLBSSLNegotiationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	lbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
+
+	// Perversely, if we Set an empty list of PolicyNames, we detach the
+	// policies attached to a listener, which is required to delete the
+	// policy itself.
+	setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
+		PolicyNames:      []*string{},
+	}
+
+	if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
+		return fmt.Errorf("Error removing SSLNegotiationPolicy: %s", err)
+	}
+
+	request := &elb.DeleteLoadBalancerPolicyInput{
+		LoadBalancerName: aws.String(lbName),
+		PolicyName:       aws.String(policyName),
+	}
+
+	if _, err := elbconn.DeleteLoadBalancerPolicy(request); err != nil {
+		return fmt.Errorf("Error deleting SSL negotiation policy %s: %s", d.Id(), err)
+	}
+	return nil
+}
+
+// resourceAwsLBSSLNegotiationPolicyParseId takes an ID and parses it into
+// it's constituent parts. You need three axes (LB name, policy name, and LB
+// port) to create or identify an SSL negotiation policy in AWS's API.
+func resourceAwsLBSSLNegotiationPolicyParseId(id string) (string, string, string) {
+	parts := strings.SplitN(id, ":", 3)
+	return parts[0], parts[1], parts[2]
+}
--- a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
@ -0,0 +1,263 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/elb"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccSslNegotiationPolicyConfig(
+					fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLBSSLNegotiationPolicy(
+						"aws_elb.lb",
+						"aws_lb_ssl_negotiation_policy.foo",
+					),
+					resource.TestCheckResourceAttr(
+						"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
+	elbconn := testAccProvider.Meta().(*AWSClient).elbconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_elb" && rs.Type != "aws_lb_ssl_negotiation_policy" {
+			continue
+		}
+
+		// Check that the ELB is destroyed
+		if rs.Type == "aws_elb" {
+			describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
+				LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
+			})
+
+			if err == nil {
+				if len(describe.LoadBalancerDescriptions) != 0 &&
+					*describe.LoadBalancerDescriptions[0].LoadBalancerName == rs.Primary.ID {
+					return fmt.Errorf("ELB still exists")
+				}
+			}
+
+			// Verify the error
+			providerErr, ok := err.(awserr.Error)
+			if !ok {
+				return err
+			}
+
+			if providerErr.Code() != "LoadBalancerNotFound" {
+				return fmt.Errorf("Unexpected error: %s", err)
+			}
+		} else {
+			// Check that the SSL Negotiation Policy is destroyed
+			elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
+			_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
+				LoadBalancerName: aws.String(elbName),
+				PolicyNames:      []*string{aws.String(policyName)},
+			})
+
+			if err == nil {
+				return fmt.Errorf("ELB SSL Negotiation Policy still exists")
+			}
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[elbResource]
+		if !ok {
+			return fmt.Errorf("Not found: %s", elbResource)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		policy, ok := s.RootModule().Resources[policyResource]
+		if !ok {
+			return fmt.Errorf("Not found: %s", policyResource)
+		}
+
+		elbconn := testAccProvider.Meta().(*AWSClient).elbconn
+
+		elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
+		resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
+			LoadBalancerName: aws.String(elbName),
+			PolicyNames:      []*string{aws.String(policyName)},
+		})
+
+		if err != nil {
+			fmt.Printf("[ERROR] Problem describing load balancer policy '%s': %s", policyName, err)
+			return err
+		}
+
+		if len(resp.PolicyDescriptions) != 1 {
+			return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
+		}
+
+		attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
+		if attrmap["Protocol-TLSv1"] != "false" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1' was of value %s instead of false!", attrmap["Protocol-TLSv1"])
+		}
+		if attrmap["Protocol-TLSv1.1"] != "false" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1.1' was of value %s instead of false!", attrmap["Protocol-TLSv1.1"])
+		}
+		if attrmap["Protocol-TLSv1.2"] != "true" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1.2' was of value %s instead of true!", attrmap["Protocol-TLSv1.2"])
+		}
+		if attrmap["Server-Defined-Cipher-Order"] != "true" {
+			return fmt.Errorf("Policy attribute 'Server-Defined-Cipher-Order' was of value %s instead of true!", attrmap["Server-Defined-Cipher-Order"])
+		}
+		if attrmap["ECDHE-RSA-AES128-GCM-SHA256"] != "true" {
+			return fmt.Errorf("Policy attribute 'ECDHE-RSA-AES128-GCM-SHA256' was of value %s instead of true!", attrmap["ECDHE-RSA-AES128-GCM-SHA256"])
+		}
+		if attrmap["AES128-GCM-SHA256"] != "true" {
+			return fmt.Errorf("Policy attribute 'AES128-GCM-SHA256' was of value %s instead of true!", attrmap["AES128-GCM-SHA256"])
+		}
+		if attrmap["EDH-RSA-DES-CBC3-SHA"] != "false" {
+			return fmt.Errorf("Policy attribute 'EDH-RSA-DES-CBC3-SHA' was of value %s instead of false!", attrmap["EDH-RSA-DES-CBC3-SHA"])
+		}
+
+		return nil
+	}
+}
+
+func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
+	attrmap := make(map[string]string)
+
+	for _, attrdef := range *attributes {
+		attrmap[*attrdef.AttributeName] = *attrdef.AttributeValue
+	}
+
+	return attrmap
+}
+
+// Sets the SSL Negotiation policy with attributes.
+// The IAM Server Cert config is lifted from
+// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
+func testAccSslNegotiationPolicyConfig(certName string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_server_certificate" "test_cert" {
+  name = "%s"
+  certificate_body = <<EOF
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
+FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
+MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
+A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
+aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
+bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
+wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
+fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
+BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
+/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
+F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
+gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
+zAYQVBuFaLoTi3Fs7g1s
+-----END CERTIFICATE-----
+EOF
+  certificate_chain = <<EOF
+-----BEGIN CERTIFICATE-----
+MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
+FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
+MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
+A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
+XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
+7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
+2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
+BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
+A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
+B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
+6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
+-----END CERTIFICATE-----
+EOF
+  private_key =  <<EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
+oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
+rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
+AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
+c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
+F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
+wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
+GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
+O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
+0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
+aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
+Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
+wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
+-----END RSA PRIVATE KEY-----
+EOF
+}
+resource "aws_elb" "lb" {
+  name = "test-lb"
+    availability_zones = ["us-west-2a"]
+    listener {
+      instance_port = 8000
+      instance_protocol = "https"
+      lb_port = 443
+      lb_protocol = "https"
+      ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
+	}
+}
+resource "aws_lb_ssl_negotiation_policy" "foo" {
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
+	lb_port = 443
+	attribute {
+    	name = "Protocol-TLSv1"
+        value = "false"
+    }
+    attribute {
+        name = "Protocol-TLSv1.1"
+        value = "false" 
+    }       
+    attribute {
+        name = "Protocol-TLSv1.2"
+        value = "true"
+    }
+    attribute {
+        name = "Server-Defined-Cipher-Order"
+        value = "true"
+    }       
+    attribute {
+        name = "ECDHE-RSA-AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "EDH-RSA-DES-CBC3-SHA"
+        value = "false"
+    }
+}
+`, certName)
+}
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@ -1447,3 +1447,41 @@ func (s setMap) Map() map[string]interface{} {
 func (s setMap) MapList() []map[string]interface{} {
 	return []map[string]interface{}{s.Map()}
 }
+
+// Takes the result of flatmap.Expand for an array of policy attributes and
+// returns ELB API compatible objects
+func expandPolicyAttributes(configured []interface{}) ([]*elb.PolicyAttribute, error) {
+	attributes := make([]*elb.PolicyAttribute, 0, len(configured))
+
+	// Loop over our configured attributes and create
+	// an array of aws-sdk-go compatible objects
+	for _, lRaw := range configured {
+		data := lRaw.(map[string]interface{})
+
+		a := &elb.PolicyAttribute{
+			AttributeName:  aws.String(data["name"].(string)),
+			AttributeValue: aws.String(data["value"].(string)),
+		}
+
+		attributes = append(attributes, a)
+
+	}
+
+	return attributes, nil
+}
+
+// Flattens an array of PolicyAttributes into a []interface{}
+func flattenPolicyAttributes(list []*elb.PolicyAttributeDescription) []interface{} {
+	attributes := []interface{}{}
+	for _, attrdef := range list {
+		attribute := map[string]string{
+			"name":  *attrdef.AttributeName,
+			"value": *attrdef.AttributeValue,
+		}
+
+		attributes = append(attributes, attribute)
+
+	}
+
+	return attributes
+}
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@ -1012,3 +1012,107 @@ func TestFlattenApiGatewayStageKeys(t *testing.T) {
 		}
 	}
 }
+
+func TestExpandPolicyAttributes(t *testing.T) {
+	expanded := []interface{}{
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1",
+			"value": "false",
+		},
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.1",
+			"value": "false",
+		},
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.2",
+			"value": "true",
+		},
+	}
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	if len(attributes) != 3 {
+		t.Fatalf("expected number of attributes to be 3, but got %d", len(attributes))
+	}
+
+	expected := &elb.PolicyAttribute{
+		AttributeName:  aws.String("Protocol-TLSv1.2"),
+		AttributeValue: aws.String("true"),
+	}
+
+	if !reflect.DeepEqual(attributes[2], expected) {
+		t.Fatalf(
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
+			attributes[2],
+			expected)
+	}
+}
+
+func TestExpandPolicyAttributes_invalid(t *testing.T) {
+	expanded := []interface{}{
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.2",
+			"value": "true",
+		},
+	}
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	expected := &elb.PolicyAttribute{
+		AttributeName:  aws.String("Protocol-TLSv1.2"),
+		AttributeValue: aws.String("false"),
+	}
+
+	if reflect.DeepEqual(attributes[0], expected) {
+		t.Fatalf(
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
+			attributes[0],
+			expected)
+	}
+}
+
+func TestExpandPolicyAttributes_empty(t *testing.T) {
+	var expanded []interface{}
+
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	if len(attributes) != 0 {
+		t.Fatalf("expected number of attributes to be 0, but got %d", len(attributes))
+	}
+}
+
+func TestFlattenPolicyAttributes(t *testing.T) {
+	cases := []struct {
+		Input  []*elb.PolicyAttributeDescription
+		Output []interface{}
+	}{
+		{
+			Input: []*elb.PolicyAttributeDescription{
+				&elb.PolicyAttributeDescription{
+					AttributeName:  aws.String("Protocol-TLSv1.2"),
+					AttributeValue: aws.String("true"),
+				},
+			},
+			Output: []interface{}{
+				map[string]string{
+					"name":  "Protocol-TLSv1.2",
+					"value": "true",
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		output := flattenPolicyAttributes(tc.Input)
+		if !reflect.DeepEqual(output, tc.Output) {
+			t.Fatalf("Got:\n\n%#v\n\nExpected:\n\n%#v", output, tc.Output)
+		}
+	}
+}
--- a/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
+++ b/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
@ -0,0 +1,87 @@
+---
+layout: "aws"
+page_title: "AWS: aws_lb_ssl_negotiation_policy"
+sidebar_current: "docs-aws-resource-lb-ssl-negotiation-policy"
+description: |-
+  Provides a load balancer SSL negotiation policy, which allows an ELB to control which ciphers and protocols are supported during SSL negotiations between a client and a load balancer.
+---
+
+# aws\_lb\_ssl\_negotiation\_policy
+
+Provides a load balancer SSL negotiation policy, which allows an ELB to control the ciphers and protocols that are supported during SSL negotiations between a client and a load balancer.
+
+## Example Usage
+
+```
+resource "aws_elb" "lb" {
+	name = "test-lb"
+    availability_zones = ["us-east-1a"]
+    listener {
+        instance_port = 8000
+        instance_protocol = "https"
+        lb_port = 443
+        lb_protocol = "https"
+        ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
+    }
+}
+
+resource "aws_lb_ssl_negotiation_policy" "foo" {
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
+	lb_port = 443
+	attribute {
+    	name = "Protocol-TLSv1"
+        value = "false"
+    }
+    attribute {
+        name = "Protocol-TLSv1.1"
+        value = "false" 
+    }       
+    attribute {
+        name = "Protocol-TLSv1.2"
+        value = "true"
+    }
+    attribute {
+        name = "Server-Defined-Cipher-Order"
+        value = "true"
+    }       
+    attribute {
+        name = "ECDHE-RSA-AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "EDH-RSA-DES-CBC3-SHA"
+        value = "false"
+    }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the SSL negotiation policy.
+* `load_balancer` - (Required) The load balancer to which the policy
+  should be attached.
+* `lb_port` - (Required) The load balancer port to which the policy
+  should be applied. This must be an active listener on the load
+balancer.
+* `attribute` - (Optional) An SSL Negotiation policy attribute. Each has two properties:
+	* `name` - The name of the attribute
+	* `value` - The value of the attribute
+
+To set your attributes, please see the [AWS Elastic Load Balancing Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The ID of the policy.
+* `name` - The name of the stickiness policy.
+* `load_balancer` - The load balancer to which the policy is attached.
+* `lb_port` - The load balancer port to which the policy is applied.
+* `attribute` - The SSL Negotiation policy attributes.
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@ -288,6 +288,10 @@
                            <a href="/docs/providers/aws/r/load_balancer_policy.html">aws_load_balancer_policy</a>
                        </li>

+                        <li<%= sidebar_current("docs-aws-resource-lb-ssl-negotiation-policy") %>>
+                            <a href="/docs/providers/aws/r/lb_ssl_negotiation_policy.html">aws_lb_ssl_negotiation_policy</a>
+                        </li>
+
                        <li<%= sidebar_current("docs-aws-resource-placement-group") %>>
                            <a href="/docs/providers/aws/r/placement_group.html">aws_placement_group</a>
                        </li>