Merge branch 'Ticketmaster-5637-conflict-resolution'
commit
c95bf296d4
|
@ -223,6 +223,7 @@ func Provider() terraform.ResourceProvider {
|
||||||
"aws_load_balancer_policy": resourceAwsLoadBalancerPolicy(),
|
"aws_load_balancer_policy": resourceAwsLoadBalancerPolicy(),
|
||||||
"aws_load_balancer_backend_server_policy": resourceAwsLoadBalancerBackendServerPolicies(),
|
"aws_load_balancer_backend_server_policy": resourceAwsLoadBalancerBackendServerPolicies(),
|
||||||
"aws_load_balancer_listener_policy": resourceAwsLoadBalancerListenerPolicies(),
|
"aws_load_balancer_listener_policy": resourceAwsLoadBalancerListenerPolicies(),
|
||||||
|
"aws_lb_ssl_negotiation_policy": resourceAwsLBSSLNegotiationPolicy(),
|
||||||
"aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
|
"aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
|
||||||
"aws_nat_gateway": resourceAwsNatGateway(),
|
"aws_nat_gateway": resourceAwsNatGateway(),
|
||||||
"aws_network_acl": resourceAwsNetworkAcl(),
|
"aws_network_acl": resourceAwsNetworkAcl(),
|
||||||
|
|
|
@ -0,0 +1,185 @@
|
||||||
|
package aws
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||||
|
"github.com/aws/aws-sdk-go/service/elb"
|
||||||
|
"github.com/hashicorp/terraform/helper/hashcode"
|
||||||
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
)
|
||||||
|
|
||||||
|
func resourceAwsLBSSLNegotiationPolicy() *schema.Resource {
|
||||||
|
return &schema.Resource{
|
||||||
|
// There is no concept of "updating" an LB policy in
|
||||||
|
// the AWS API.
|
||||||
|
Create: resourceAwsLBSSLNegotiationPolicyCreate,
|
||||||
|
Read: resourceAwsLBSSLNegotiationPolicyRead,
|
||||||
|
Delete: resourceAwsLBSSLNegotiationPolicyDelete,
|
||||||
|
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"name": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"load_balancer": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"lb_port": &schema.Schema{
|
||||||
|
Type: schema.TypeInt,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"attribute": &schema.Schema{
|
||||||
|
Type: schema.TypeSet,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
Elem: &schema.Resource{
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"name": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"value": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Set: func(v interface{}) int {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
m := v.(map[string]interface{})
|
||||||
|
buf.WriteString(fmt.Sprintf("%s-", m["name"].(string)))
|
||||||
|
return hashcode.String(buf.String())
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceAwsLBSSLNegotiationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
elbconn := meta.(*AWSClient).elbconn
|
||||||
|
|
||||||
|
// Provision the SSLNegotiationPolicy
|
||||||
|
lbspOpts := &elb.CreateLoadBalancerPolicyInput{
|
||||||
|
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||||
|
PolicyName: aws.String(d.Get("name").(string)),
|
||||||
|
PolicyTypeName: aws.String("SSLNegotiationPolicyType"),
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check for Policy Attributes
|
||||||
|
if v, ok := d.GetOk("attribute"); ok {
|
||||||
|
var err error
|
||||||
|
// Expand the "attribute" set to aws-sdk-go compat []*elb.PolicyAttribute
|
||||||
|
lbspOpts.PolicyAttributes, err = expandPolicyAttributes(v.(*schema.Set).List())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Load Balancer Policy opts: %#v", lbspOpts)
|
||||||
|
if _, err := elbconn.CreateLoadBalancerPolicy(lbspOpts); err != nil {
|
||||||
|
return fmt.Errorf("Error creating Load Balancer Policy: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
|
||||||
|
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||||
|
LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
|
||||||
|
PolicyNames: []*string{aws.String(d.Get("name").(string))},
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] SSL Negotiation create configuration: %#v", setLoadBalancerOpts)
|
||||||
|
if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
|
||||||
|
return fmt.Errorf("Error setting SSLNegotiationPolicy: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
d.SetId(fmt.Sprintf("%s:%d:%s",
|
||||||
|
*lbspOpts.LoadBalancerName,
|
||||||
|
*setLoadBalancerOpts.LoadBalancerPort,
|
||||||
|
*lbspOpts.PolicyName))
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceAwsLBSSLNegotiationPolicyRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
elbconn := meta.(*AWSClient).elbconn
|
||||||
|
|
||||||
|
lbName, lbPort, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
|
||||||
|
|
||||||
|
request := &elb.DescribeLoadBalancerPoliciesInput{
|
||||||
|
LoadBalancerName: aws.String(lbName),
|
||||||
|
PolicyNames: []*string{aws.String(policyName)},
|
||||||
|
}
|
||||||
|
|
||||||
|
getResp, err := elbconn.DescribeLoadBalancerPolicies(request)
|
||||||
|
if err != nil {
|
||||||
|
if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() == "PolicyNotFound" {
|
||||||
|
// The policy is gone.
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return fmt.Errorf("Error retrieving policy: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(getResp.PolicyDescriptions) != 1 {
|
||||||
|
return fmt.Errorf("Unable to find policy %#v", getResp.PolicyDescriptions)
|
||||||
|
}
|
||||||
|
|
||||||
|
// We can get away with this because there's only one policy returned
|
||||||
|
policyDesc := getResp.PolicyDescriptions[0]
|
||||||
|
attributes := flattenPolicyAttributes(policyDesc.PolicyAttributeDescriptions)
|
||||||
|
d.Set("attributes", attributes)
|
||||||
|
|
||||||
|
d.Set("name", policyName)
|
||||||
|
d.Set("load_balancer", lbName)
|
||||||
|
d.Set("lb_port", lbPort)
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceAwsLBSSLNegotiationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
elbconn := meta.(*AWSClient).elbconn
|
||||||
|
|
||||||
|
lbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
|
||||||
|
|
||||||
|
// Perversely, if we Set an empty list of PolicyNames, we detach the
|
||||||
|
// policies attached to a listener, which is required to delete the
|
||||||
|
// policy itself.
|
||||||
|
setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
|
||||||
|
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||||
|
LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
|
||||||
|
PolicyNames: []*string{},
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
|
||||||
|
return fmt.Errorf("Error removing SSLNegotiationPolicy: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
request := &elb.DeleteLoadBalancerPolicyInput{
|
||||||
|
LoadBalancerName: aws.String(lbName),
|
||||||
|
PolicyName: aws.String(policyName),
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := elbconn.DeleteLoadBalancerPolicy(request); err != nil {
|
||||||
|
return fmt.Errorf("Error deleting SSL negotiation policy %s: %s", d.Id(), err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// resourceAwsLBSSLNegotiationPolicyParseId takes an ID and parses it into
|
||||||
|
// it's constituent parts. You need three axes (LB name, policy name, and LB
|
||||||
|
// port) to create or identify an SSL negotiation policy in AWS's API.
|
||||||
|
func resourceAwsLBSSLNegotiationPolicyParseId(id string) (string, string, string) {
|
||||||
|
parts := strings.SplitN(id, ":", 3)
|
||||||
|
return parts[0], parts[1], parts[2]
|
||||||
|
}
|
|
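Review bot: In resourceAwsLBSSLNegotiationPolicyRead the flattened attributes are written under the key `attributes` (`d.Set("attributes", attributes)`) but the schema only declares `attribute`, so the policy's protocol and cipher settings are never refreshed into state and an out-of-band change to them (for example an older protocol being re-enabled through the console) is invisible to plan; the line should be `d.Set("attribute", attributes)`. The `d.Set` return values in Read are all discarded, which is what lets this mismatch fail silently, so at least the `attribute` call should be checked; `lbPort` is also still a string when passed to `d.Set("lb_port", lbPort)` on a `TypeInt` field, which looks like it would be rejected rather than stored — worth confirming against helper/schema. Separately, resourceAwsLBSSLNegotiationPolicyParseId reads `parts[1]` and `parts[2]` without checking that `SplitN` actually produced three fields, so an ID with fewer than two colons (a hand-edited or corrupted state entry) panics the provider from Read or Delete instead of surfacing an error; a length check before the return would keep that a reportable failure.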
@ -0,0 +1,263 @@
|
||||||
|
package aws
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||||
|
"github.com/aws/aws-sdk-go/service/elb"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/acctest"
|
||||||
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
|
"github.com/hashicorp/terraform/terraform"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccSslNegotiationPolicyConfig(
|
||||||
|
fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))),
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckLBSSLNegotiationPolicy(
|
||||||
|
"aws_elb.lb",
|
||||||
|
"aws_lb_ssl_negotiation_policy.foo",
|
||||||
|
),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
|
||||||
|
elbconn := testAccProvider.Meta().(*AWSClient).elbconn
|
||||||
|
|
||||||
|
for _, rs := range s.RootModule().Resources {
|
||||||
|
if rs.Type != "aws_elb" && rs.Type != "aws_lb_ssl_negotiation_policy" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that the ELB is destroyed
|
||||||
|
if rs.Type == "aws_elb" {
|
||||||
|
describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
|
||||||
|
LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
|
||||||
|
})
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
if len(describe.LoadBalancerDescriptions) != 0 &&
|
||||||
|
*describe.LoadBalancerDescriptions[0].LoadBalancerName == rs.Primary.ID {
|
||||||
|
return fmt.Errorf("ELB still exists")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify the error
|
||||||
|
providerErr, ok := err.(awserr.Error)
|
||||||
|
if !ok {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if providerErr.Code() != "LoadBalancerNotFound" {
|
||||||
|
return fmt.Errorf("Unexpected error: %s", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Check that the SSL Negotiation Policy is destroyed
|
||||||
|
elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
|
||||||
|
_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
|
||||||
|
LoadBalancerName: aws.String(elbName),
|
||||||
|
PolicyNames: []*string{aws.String(policyName)},
|
||||||
|
})
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
return fmt.Errorf("ELB SSL Negotiation Policy still exists")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
rs, ok := s.RootModule().Resources[elbResource]
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("Not found: %s", elbResource)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rs.Primary.ID == "" {
|
||||||
|
return fmt.Errorf("No ID is set")
|
||||||
|
}
|
||||||
|
|
||||||
|
policy, ok := s.RootModule().Resources[policyResource]
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("Not found: %s", policyResource)
|
||||||
|
}
|
||||||
|
|
||||||
|
elbconn := testAccProvider.Meta().(*AWSClient).elbconn
|
||||||
|
|
||||||
|
elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
|
||||||
|
resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
|
||||||
|
LoadBalancerName: aws.String(elbName),
|
||||||
|
PolicyNames: []*string{aws.String(policyName)},
|
||||||
|
})
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
fmt.Printf("[ERROR] Problem describing load balancer policy '%s': %s", policyName, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(resp.PolicyDescriptions) != 1 {
|
||||||
|
return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
|
||||||
|
}
|
||||||
|
|
||||||
|
attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
|
||||||
|
if attrmap["Protocol-TLSv1"] != "false" {
|
||||||
|
return fmt.Errorf("Policy attribute 'Protocol-TLSv1' was of value %s instead of false!", attrmap["Protocol-TLSv1"])
|
||||||
|
}
|
||||||
|
if attrmap["Protocol-TLSv1.1"] != "false" {
|
||||||
|
return fmt.Errorf("Policy attribute 'Protocol-TLSv1.1' was of value %s instead of false!", attrmap["Protocol-TLSv1.1"])
|
||||||
|
}
|
||||||
|
if attrmap["Protocol-TLSv1.2"] != "true" {
|
||||||
|
return fmt.Errorf("Policy attribute 'Protocol-TLSv1.2' was of value %s instead of true!", attrmap["Protocol-TLSv1.2"])
|
||||||
|
}
|
||||||
|
if attrmap["Server-Defined-Cipher-Order"] != "true" {
|
||||||
|
return fmt.Errorf("Policy attribute 'Server-Defined-Cipher-Order' was of value %s instead of true!", attrmap["Server-Defined-Cipher-Order"])
|
||||||
|
}
|
||||||
|
if attrmap["ECDHE-RSA-AES128-GCM-SHA256"] != "true" {
|
||||||
|
return fmt.Errorf("Policy attribute 'ECDHE-RSA-AES128-GCM-SHA256' was of value %s instead of true!", attrmap["ECDHE-RSA-AES128-GCM-SHA256"])
|
||||||
|
}
|
||||||
|
if attrmap["AES128-GCM-SHA256"] != "true" {
|
||||||
|
return fmt.Errorf("Policy attribute 'AES128-GCM-SHA256' was of value %s instead of true!", attrmap["AES128-GCM-SHA256"])
|
||||||
|
}
|
||||||
|
if attrmap["EDH-RSA-DES-CBC3-SHA"] != "false" {
|
||||||
|
return fmt.Errorf("Policy attribute 'EDH-RSA-DES-CBC3-SHA' was of value %s instead of false!", attrmap["EDH-RSA-DES-CBC3-SHA"])
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
|
||||||
|
attrmap := make(map[string]string)
|
||||||
|
|
||||||
|
for _, attrdef := range *attributes {
|
||||||
|
attrmap[*attrdef.AttributeName] = *attrdef.AttributeValue
|
||||||
|
}
|
||||||
|
|
||||||
|
return attrmap
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sets the SSL Negotiation policy with attributes.
|
||||||
|
// The IAM Server Cert config is lifted from
|
||||||
|
// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
|
||||||
|
func testAccSslNegotiationPolicyConfig(certName string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "aws_iam_server_certificate" "test_cert" {
|
||||||
|
name = "%s"
|
||||||
|
certificate_body = <<EOF
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
|
||||||
|
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
|
||||||
|
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
|
||||||
|
MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
|
||||||
|
A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
|
||||||
|
aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
|
||||||
|
bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
|
||||||
|
wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
|
||||||
|
fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
|
||||||
|
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
|
||||||
|
VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
|
||||||
|
/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
|
||||||
|
F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
|
||||||
|
gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
|
||||||
|
zAYQVBuFaLoTi3Fs7g1s
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
EOF
|
||||||
|
certificate_chain = <<EOF
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
|
||||||
|
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
|
||||||
|
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
|
||||||
|
MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
|
||||||
|
A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
|
||||||
|
SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
|
||||||
|
XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
|
||||||
|
7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
|
||||||
|
2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
|
||||||
|
BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
|
||||||
|
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
|
||||||
|
A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
|
||||||
|
KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
|
||||||
|
B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
|
||||||
|
6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
EOF
|
||||||
|
private_key = <<EOF
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
|
||||||
|
oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
|
||||||
|
rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
|
||||||
|
AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
|
||||||
|
c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
|
||||||
|
F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
|
||||||
|
wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
|
||||||
|
GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
|
||||||
|
O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
|
||||||
|
0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
|
||||||
|
aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
|
||||||
|
Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
|
||||||
|
wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
resource "aws_elb" "lb" {
|
||||||
|
name = "test-lb"
|
||||||
|
availability_zones = ["us-west-2a"]
|
||||||
|
listener {
|
||||||
|
instance_port = 8000
|
||||||
|
instance_protocol = "https"
|
||||||
|
lb_port = 443
|
||||||
|
lb_protocol = "https"
|
||||||
|
ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
resource "aws_lb_ssl_negotiation_policy" "foo" {
|
||||||
|
name = "foo-policy"
|
||||||
|
load_balancer = "${aws_elb.lb.id}"
|
||||||
|
lb_port = 443
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1.1"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1.2"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Server-Defined-Cipher-Order"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "ECDHE-RSA-AES128-GCM-SHA256"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "AES128-GCM-SHA256"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "EDH-RSA-DES-CBC3-SHA"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`, certName)
|
||||||
|
}
|
|
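Review bot: The `aws_elb` in testAccSslNegotiationPolicyConfig uses the fixed literal `name = "test-lb"` while only the certificate name is randomised with `acctest.RandString`, so two acceptance runs against the same account and region (parallel CI, or a re-run before the previous cleanup finishes) collide on the load balancer name and fail at create. Pass the random suffix into the ELB name as well, e.g. `name = "tf-test-lb-%s"` with the suffix supplied as a second format argument, and consider the same for `foo-policy`. In testAccCheckLBSSLNegotiationPolicy the `fmt.Printf("[ERROR] ...")` writes straight to stdout outside the test harness's logging; fold the context into the returned error instead, `return fmt.Errorf("describing load balancer policy %q: %s", policyName, err)`, and drop the print.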
@ -1447,3 +1447,41 @@ func (s setMap) Map() map[string]interface{} {
|
||||||
func (s setMap) MapList() []map[string]interface{} {
|
func (s setMap) MapList() []map[string]interface{} {
|
||||||
return []map[string]interface{}{s.Map()}
|
return []map[string]interface{}{s.Map()}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Takes the result of flatmap.Expand for an array of policy attributes and
|
||||||
|
// returns ELB API compatible objects
|
||||||
|
func expandPolicyAttributes(configured []interface{}) ([]*elb.PolicyAttribute, error) {
|
||||||
|
attributes := make([]*elb.PolicyAttribute, 0, len(configured))
|
||||||
|
|
||||||
|
// Loop over our configured attributes and create
|
||||||
|
// an array of aws-sdk-go compatible objects
|
||||||
|
for _, lRaw := range configured {
|
||||||
|
data := lRaw.(map[string]interface{})
|
||||||
|
|
||||||
|
a := &elb.PolicyAttribute{
|
||||||
|
AttributeName: aws.String(data["name"].(string)),
|
||||||
|
AttributeValue: aws.String(data["value"].(string)),
|
||||||
|
}
|
||||||
|
|
||||||
|
attributes = append(attributes, a)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
return attributes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Flattens an array of PolicyAttributes into a []interface{}
|
||||||
|
func flattenPolicyAttributes(list []*elb.PolicyAttributeDescription) []interface{} {
|
||||||
|
attributes := []interface{}{}
|
||||||
|
for _, attrdef := range list {
|
||||||
|
attribute := map[string]string{
|
||||||
|
"name": *attrdef.AttributeName,
|
||||||
|
"value": *attrdef.AttributeValue,
|
||||||
|
}
|
||||||
|
|
||||||
|
attributes = append(attributes, attribute)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
return attributes
|
||||||
|
}
|
||||||
|
|
|
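Review bot: flattenPolicyAttributes dereferences `*attrdef.AttributeName` and `*attrdef.AttributeValue` unguarded; SDK response fields are pointers that may be nil, so a single attribute description returned without a value would panic the provider during Read instead of yielding an error or an empty string. Use `aws.StringValue(attrdef.AttributeName)` and `aws.StringValue(attrdef.AttributeValue)`; the `aws` package is already used in expandPolicyAttributes just above. expandPolicyAttributes declares an error return that no path ever produces, and its `data["name"].(string)` / `data["value"].(string)` assertions are unchecked, so either validate here (returning an error when a key is missing or not a string, which would also give the `_invalid` unit test something real to assert) or drop `error` from the signature. Note too that the flattened elements are `map[string]string` while the expander and the schema's `Set` hash function read `map[string]interface{}`; presumably helper/schema normalises this on the way into state, but it is worth confirming rather than assuming.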
@ -1012,3 +1012,107 @@ func TestFlattenApiGatewayStageKeys(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestExpandPolicyAttributes(t *testing.T) {
|
||||||
|
expanded := []interface{}{
|
||||||
|
map[string]interface{}{
|
||||||
|
"name": "Protocol-TLSv1",
|
||||||
|
"value": "false",
|
||||||
|
},
|
||||||
|
map[string]interface{}{
|
||||||
|
"name": "Protocol-TLSv1.1",
|
||||||
|
"value": "false",
|
||||||
|
},
|
||||||
|
map[string]interface{}{
|
||||||
|
"name": "Protocol-TLSv1.2",
|
||||||
|
"value": "true",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
attributes, err := expandPolicyAttributes(expanded)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("bad: %#v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(attributes) != 3 {
|
||||||
|
t.Fatalf("expected number of attributes to be 3, but got %d", len(attributes))
|
||||||
|
}
|
||||||
|
|
||||||
|
expected := &elb.PolicyAttribute{
|
||||||
|
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||||
|
AttributeValue: aws.String("true"),
|
||||||
|
}
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(attributes[2], expected) {
|
||||||
|
t.Fatalf(
|
||||||
|
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
|
||||||
|
attributes[2],
|
||||||
|
expected)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestExpandPolicyAttributes_invalid(t *testing.T) {
|
||||||
|
expanded := []interface{}{
|
||||||
|
map[string]interface{}{
|
||||||
|
"name": "Protocol-TLSv1.2",
|
||||||
|
"value": "true",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
attributes, err := expandPolicyAttributes(expanded)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("bad: %#v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
expected := &elb.PolicyAttribute{
|
||||||
|
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||||
|
AttributeValue: aws.String("false"),
|
||||||
|
}
|
||||||
|
|
||||||
|
if reflect.DeepEqual(attributes[0], expected) {
|
||||||
|
t.Fatalf(
|
||||||
|
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
|
||||||
|
attributes[0],
|
||||||
|
expected)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestExpandPolicyAttributes_empty(t *testing.T) {
|
||||||
|
var expanded []interface{}
|
||||||
|
|
||||||
|
attributes, err := expandPolicyAttributes(expanded)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("bad: %#v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(attributes) != 0 {
|
||||||
|
t.Fatalf("expected number of attributes to be 0, but got %d", len(attributes))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestFlattenPolicyAttributes(t *testing.T) {
|
||||||
|
cases := []struct {
|
||||||
|
Input []*elb.PolicyAttributeDescription
|
||||||
|
Output []interface{}
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
Input: []*elb.PolicyAttributeDescription{
|
||||||
|
&elb.PolicyAttributeDescription{
|
||||||
|
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||||
|
AttributeValue: aws.String("true"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Output: []interface{}{
|
||||||
|
map[string]string{
|
||||||
|
"name": "Protocol-TLSv1.2",
|
||||||
|
"value": "true",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range cases {
|
||||||
|
output := flattenPolicyAttributes(tc.Input)
|
||||||
|
if !reflect.DeepEqual(output, tc.Output) {
|
||||||
|
t.Fatalf("Got:\n\n%#v\n\nExpected:\n\n%#v", output, tc.Output)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
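Review bot: TestExpandPolicyAttributes_invalid does not exercise an invalid input: it passes a well-formed attribute and then asserts with `if reflect.DeepEqual(attributes[0], expected)` that the result differs from a deliberately wrong expectation, so the only way it can fail is if the expander started flipping values. Since expandPolicyAttributes currently has no error path, either rename the test to describe what it actually checks or feed it a genuinely malformed element (a map missing `"value"`, say) and assert that an error comes back once the expander validates its input. TestFlattenPolicyAttributes covers only the single-element case; an empty input and a description whose `AttributeValue` is nil are the cases most likely to surface a defect in the flattener and are cheap to add to the table.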
@ -0,0 +1,87 @@
|
||||||
|
---
|
||||||
|
layout: "aws"
|
||||||
|
page_title: "AWS: aws_lb_ssl_negotiation_policy"
|
||||||
|
sidebar_current: "docs-aws-resource-lb-ssl-negotiation-policy"
|
||||||
|
description: |-
|
||||||
|
Provides a load balancer SSL negotiation policy, which allows an ELB to control which ciphers and protocols are supported during SSL negotiations between a client and a load balancer.
|
||||||
|
---
|
||||||
|
|
||||||
|
# aws\_lb\_ssl\_negotiation\_policy
|
||||||
|
|
||||||
|
Provides a load balancer SSL negotiation policy, which allows an ELB to control the ciphers and protocols that are supported during SSL negotiations between a client and a load balancer.
|
||||||
|
|
||||||
|
## Example Usage
|
||||||
|
|
||||||
|
```
|
||||||
|
resource "aws_elb" "lb" {
|
||||||
|
name = "test-lb"
|
||||||
|
availability_zones = ["us-east-1a"]
|
||||||
|
listener {
|
||||||
|
instance_port = 8000
|
||||||
|
instance_protocol = "https"
|
||||||
|
lb_port = 443
|
||||||
|
lb_protocol = "https"
|
||||||
|
ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_lb_ssl_negotiation_policy" "foo" {
|
||||||
|
name = "foo-policy"
|
||||||
|
load_balancer = "${aws_elb.lb.id}"
|
||||||
|
lb_port = 443
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1.1"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Protocol-TLSv1.2"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "Server-Defined-Cipher-Order"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "ECDHE-RSA-AES128-GCM-SHA256"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "AES128-GCM-SHA256"
|
||||||
|
value = "true"
|
||||||
|
}
|
||||||
|
attribute {
|
||||||
|
name = "EDH-RSA-DES-CBC3-SHA"
|
||||||
|
value = "false"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Argument Reference
|
||||||
|
|
||||||
|
The following arguments are supported:
|
||||||
|
|
||||||
|
* `name` - (Required) The name of the SSL negotiation policy.
|
||||||
|
* `load_balancer` - (Required) The load balancer to which the policy
|
||||||
|
should be attached.
|
||||||
|
* `lb_port` - (Required) The load balancer port to which the policy
|
||||||
|
should be applied. This must be an active listener on the load
|
||||||
|
balancer.
|
||||||
|
* `attribute` - (Optional) An SSL Negotiation policy attribute. Each has two properties:
|
||||||
|
* `name` - The name of the attribute
|
||||||
|
* `value` - The value of the attribute
|
||||||
|
|
||||||
|
To set your attributes, please see the [AWS Elastic Load Balancing Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
|
||||||
|
|
||||||
|
## Attributes Reference
|
||||||
|
|
||||||
|
The following attributes are exported:
|
||||||
|
|
||||||
|
* `id` - The ID of the policy.
|
||||||
|
* `name` - The name of the stickiness policy.
|
||||||
|
* `load_balancer` - The load balancer to which the policy is attached.
|
||||||
|
* `lb_port` - The load balancer port to which the policy is applied.
|
||||||
|
* `attribute` - The SSL Negotiation policy attributes.
|
|
@ -288,6 +288,10 @@
|
||||||
<a href="/docs/providers/aws/r/load_balancer_policy.html">aws_load_balancer_policy</a>
|
<a href="/docs/providers/aws/r/load_balancer_policy.html">aws_load_balancer_policy</a>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
<li<%= sidebar_current("docs-aws-resource-lb-ssl-negotiation-policy") %>>
|
||||||
|
<a href="/docs/providers/aws/r/lb_ssl_negotiation_policy.html">aws_lb_ssl_negotiation_policy</a>
|
||||||
|
</li>
|
||||||
|
|
||||||
<li<%= sidebar_current("docs-aws-resource-placement-group") %>>
|
<li<%= sidebar_current("docs-aws-resource-placement-group") %>>
|
||||||
<a href="/docs/providers/aws/r/placement_group.html">aws_placement_group</a>
|
<a href="/docs/providers/aws/r/placement_group.html">aws_placement_group</a>
|
||||||
</li>
|
</li>
|
||||||
|
|