Merge branch '5637-conflict-resolution' of https://github.com/Ticketmaster/terraform into Ticketmaster-5637-conflict-resolution
This commit is contained in:
commit
cdda4d76d4
|
@ -223,6 +223,7 @@ func Provider() terraform.ResourceProvider {
|
|||
"aws_load_balancer_policy": resourceAwsLoadBalancerPolicy(),
|
||||
"aws_load_balancer_backend_server_policy": resourceAwsLoadBalancerBackendServerPolicies(),
|
||||
"aws_load_balancer_listener_policy": resourceAwsLoadBalancerListenerPolicies(),
|
||||
"aws_lb_ssl_negotiation_policy": resourceAwsLBSSLNegotiationPolicy(),
|
||||
"aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
|
||||
"aws_nat_gateway": resourceAwsNatGateway(),
|
||||
"aws_network_acl": resourceAwsNetworkAcl(),
|
||||
|
|
|
@ -0,0 +1,185 @@
|
|||
package aws
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"log"
|
||||
"strings"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||
"github.com/aws/aws-sdk-go/service/elb"
|
||||
"github.com/hashicorp/terraform/helper/hashcode"
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
)
|
||||
|
||||
func resourceAwsLBSSLNegotiationPolicy() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
// There is no concept of "updating" an LB policy in
|
||||
// the AWS API.
|
||||
Create: resourceAwsLBSSLNegotiationPolicyCreate,
|
||||
Read: resourceAwsLBSSLNegotiationPolicyRead,
|
||||
Delete: resourceAwsLBSSLNegotiationPolicyDelete,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"name": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"load_balancer": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"lb_port": &schema.Schema{
|
||||
Type: schema.TypeInt,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"attribute": &schema.Schema{
|
||||
Type: schema.TypeSet,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
Elem: &schema.Resource{
|
||||
Schema: map[string]*schema.Schema{
|
||||
"name": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
|
||||
"value": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
Set: func(v interface{}) int {
|
||||
var buf bytes.Buffer
|
||||
m := v.(map[string]interface{})
|
||||
buf.WriteString(fmt.Sprintf("%s-", m["name"].(string)))
|
||||
return hashcode.String(buf.String())
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func resourceAwsLBSSLNegotiationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
|
||||
elbconn := meta.(*AWSClient).elbconn
|
||||
|
||||
// Provision the SSLNegotiationPolicy
|
||||
lbspOpts := &elb.CreateLoadBalancerPolicyInput{
|
||||
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||
PolicyName: aws.String(d.Get("name").(string)),
|
||||
PolicyTypeName: aws.String("SSLNegotiationPolicyType"),
|
||||
}
|
||||
|
||||
// Check for Policy Attributes
|
||||
if v, ok := d.GetOk("attribute"); ok {
|
||||
var err error
|
||||
// Expand the "attribute" set to aws-sdk-go compat []*elb.PolicyAttribute
|
||||
lbspOpts.PolicyAttributes, err = expandPolicyAttributes(v.(*schema.Set).List())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Load Balancer Policy opts: %#v", lbspOpts)
|
||||
if _, err := elbconn.CreateLoadBalancerPolicy(lbspOpts); err != nil {
|
||||
return fmt.Errorf("Error creating Load Balancer Policy: %s", err)
|
||||
}
|
||||
|
||||
setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
|
||||
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||
LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
|
||||
PolicyNames: []*string{aws.String(d.Get("name").(string))},
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] SSL Negotiation create configuration: %#v", setLoadBalancerOpts)
|
||||
if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
|
||||
return fmt.Errorf("Error setting SSLNegotiationPolicy: %s", err)
|
||||
}
|
||||
|
||||
d.SetId(fmt.Sprintf("%s:%d:%s",
|
||||
*lbspOpts.LoadBalancerName,
|
||||
*setLoadBalancerOpts.LoadBalancerPort,
|
||||
*lbspOpts.PolicyName))
|
||||
return nil
|
||||
}
|
||||
|
||||
func resourceAwsLBSSLNegotiationPolicyRead(d *schema.ResourceData, meta interface{}) error {
|
||||
elbconn := meta.(*AWSClient).elbconn
|
||||
|
||||
lbName, lbPort, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
|
||||
|
||||
request := &elb.DescribeLoadBalancerPoliciesInput{
|
||||
LoadBalancerName: aws.String(lbName),
|
||||
PolicyNames: []*string{aws.String(policyName)},
|
||||
}
|
||||
|
||||
getResp, err := elbconn.DescribeLoadBalancerPolicies(request)
|
||||
if err != nil {
|
||||
if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() == "PolicyNotFound" {
|
||||
// The policy is gone.
|
||||
d.SetId("")
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("Error retrieving policy: %s", err)
|
||||
}
|
||||
|
||||
if len(getResp.PolicyDescriptions) != 1 {
|
||||
return fmt.Errorf("Unable to find policy %#v", getResp.PolicyDescriptions)
|
||||
}
|
||||
|
||||
// We can get away with this because there's only one policy returned
|
||||
policyDesc := getResp.PolicyDescriptions[0]
|
||||
attributes := flattenPolicyAttributes(policyDesc.PolicyAttributeDescriptions)
|
||||
d.Set("attributes", attributes)
|
||||
|
||||
d.Set("name", policyName)
|
||||
d.Set("load_balancer", lbName)
|
||||
d.Set("lb_port", lbPort)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func resourceAwsLBSSLNegotiationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
elbconn := meta.(*AWSClient).elbconn
|
||||
|
||||
lbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
|
||||
|
||||
// Perversely, if we Set an empty list of PolicyNames, we detach the
|
||||
// policies attached to a listener, which is required to delete the
|
||||
// policy itself.
|
||||
setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
|
||||
LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
|
||||
LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
|
||||
PolicyNames: []*string{},
|
||||
}
|
||||
|
||||
if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
|
||||
return fmt.Errorf("Error removing SSLNegotiationPolicy: %s", err)
|
||||
}
|
||||
|
||||
request := &elb.DeleteLoadBalancerPolicyInput{
|
||||
LoadBalancerName: aws.String(lbName),
|
||||
PolicyName: aws.String(policyName),
|
||||
}
|
||||
|
||||
if _, err := elbconn.DeleteLoadBalancerPolicy(request); err != nil {
|
||||
return fmt.Errorf("Error deleting SSL negotiation policy %s: %s", d.Id(), err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// resourceAwsLBSSLNegotiationPolicyParseId takes an ID and parses it into
|
||||
// it's constituent parts. You need three axes (LB name, policy name, and LB
|
||||
// port) to create or identify an SSL negotiation policy in AWS's API.
|
||||
func resourceAwsLBSSLNegotiationPolicyParseId(id string) (string, string, string) {
|
||||
parts := strings.SplitN(id, ":", 3)
|
||||
return parts[0], parts[1], parts[2]
|
||||
}
|
|
@ -0,0 +1,263 @@
|
|||
package aws
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||
"github.com/aws/aws-sdk-go/service/elb"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/acctest"
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
)
|
||||
|
||||
func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
resource.TestStep{
|
||||
Config: testAccSslNegotiationPolicyConfig(
|
||||
fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))),
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckLBSSLNegotiationPolicy(
|
||||
"aws_elb.lb",
|
||||
"aws_lb_ssl_negotiation_policy.foo",
|
||||
),
|
||||
resource.TestCheckResourceAttr(
|
||||
"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
|
||||
elbconn := testAccProvider.Meta().(*AWSClient).elbconn
|
||||
|
||||
for _, rs := range s.RootModule().Resources {
|
||||
if rs.Type != "aws_elb" && rs.Type != "aws_lb_ssl_negotiation_policy" {
|
||||
continue
|
||||
}
|
||||
|
||||
// Check that the ELB is destroyed
|
||||
if rs.Type == "aws_elb" {
|
||||
describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
|
||||
LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
|
||||
})
|
||||
|
||||
if err == nil {
|
||||
if len(describe.LoadBalancerDescriptions) != 0 &&
|
||||
*describe.LoadBalancerDescriptions[0].LoadBalancerName == rs.Primary.ID {
|
||||
return fmt.Errorf("ELB still exists")
|
||||
}
|
||||
}
|
||||
|
||||
// Verify the error
|
||||
providerErr, ok := err.(awserr.Error)
|
||||
if !ok {
|
||||
return err
|
||||
}
|
||||
|
||||
if providerErr.Code() != "LoadBalancerNotFound" {
|
||||
return fmt.Errorf("Unexpected error: %s", err)
|
||||
}
|
||||
} else {
|
||||
// Check that the SSL Negotiation Policy is destroyed
|
||||
elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
|
||||
_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
|
||||
LoadBalancerName: aws.String(elbName),
|
||||
PolicyNames: []*string{aws.String(policyName)},
|
||||
})
|
||||
|
||||
if err == nil {
|
||||
return fmt.Errorf("ELB SSL Negotiation Policy still exists")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
rs, ok := s.RootModule().Resources[elbResource]
|
||||
if !ok {
|
||||
return fmt.Errorf("Not found: %s", elbResource)
|
||||
}
|
||||
|
||||
if rs.Primary.ID == "" {
|
||||
return fmt.Errorf("No ID is set")
|
||||
}
|
||||
|
||||
policy, ok := s.RootModule().Resources[policyResource]
|
||||
if !ok {
|
||||
return fmt.Errorf("Not found: %s", policyResource)
|
||||
}
|
||||
|
||||
elbconn := testAccProvider.Meta().(*AWSClient).elbconn
|
||||
|
||||
elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
|
||||
resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
|
||||
LoadBalancerName: aws.String(elbName),
|
||||
PolicyNames: []*string{aws.String(policyName)},
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("[ERROR] Problem describing load balancer policy '%s': %s", policyName, err)
|
||||
return err
|
||||
}
|
||||
|
||||
if len(resp.PolicyDescriptions) != 1 {
|
||||
return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
|
||||
}
|
||||
|
||||
attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
|
||||
if attrmap["Protocol-TLSv1"] != "false" {
|
||||
return fmt.Errorf("Policy attribute 'Protocol-TLSv1' was of value %s instead of false!", attrmap["Protocol-TLSv1"])
|
||||
}
|
||||
if attrmap["Protocol-TLSv1.1"] != "false" {
|
||||
return fmt.Errorf("Policy attribute 'Protocol-TLSv1.1' was of value %s instead of false!", attrmap["Protocol-TLSv1.1"])
|
||||
}
|
||||
if attrmap["Protocol-TLSv1.2"] != "true" {
|
||||
return fmt.Errorf("Policy attribute 'Protocol-TLSv1.2' was of value %s instead of true!", attrmap["Protocol-TLSv1.2"])
|
||||
}
|
||||
if attrmap["Server-Defined-Cipher-Order"] != "true" {
|
||||
return fmt.Errorf("Policy attribute 'Server-Defined-Cipher-Order' was of value %s instead of true!", attrmap["Server-Defined-Cipher-Order"])
|
||||
}
|
||||
if attrmap["ECDHE-RSA-AES128-GCM-SHA256"] != "true" {
|
||||
return fmt.Errorf("Policy attribute 'ECDHE-RSA-AES128-GCM-SHA256' was of value %s instead of true!", attrmap["ECDHE-RSA-AES128-GCM-SHA256"])
|
||||
}
|
||||
if attrmap["AES128-GCM-SHA256"] != "true" {
|
||||
return fmt.Errorf("Policy attribute 'AES128-GCM-SHA256' was of value %s instead of true!", attrmap["AES128-GCM-SHA256"])
|
||||
}
|
||||
if attrmap["EDH-RSA-DES-CBC3-SHA"] != "false" {
|
||||
return fmt.Errorf("Policy attribute 'EDH-RSA-DES-CBC3-SHA' was of value %s instead of false!", attrmap["EDH-RSA-DES-CBC3-SHA"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
|
||||
attrmap := make(map[string]string)
|
||||
|
||||
for _, attrdef := range *attributes {
|
||||
attrmap[*attrdef.AttributeName] = *attrdef.AttributeValue
|
||||
}
|
||||
|
||||
return attrmap
|
||||
}
|
||||
|
||||
// Sets the SSL Negotiation policy with attributes.
|
||||
// The IAM Server Cert config is lifted from
|
||||
// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
|
||||
func testAccSslNegotiationPolicyConfig(certName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "aws_iam_server_certificate" "test_cert" {
|
||||
name = "%s"
|
||||
certificate_body = <<EOF
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
|
||||
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
|
||||
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
|
||||
MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
|
||||
A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
|
||||
aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
|
||||
bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
|
||||
wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
|
||||
fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
|
||||
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
|
||||
VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
|
||||
/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
|
||||
F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
|
||||
gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
|
||||
zAYQVBuFaLoTi3Fs7g1s
|
||||
-----END CERTIFICATE-----
|
||||
EOF
|
||||
certificate_chain = <<EOF
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
|
||||
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
|
||||
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
|
||||
MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
|
||||
A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
|
||||
SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
|
||||
XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
|
||||
7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
|
||||
2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
|
||||
BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
|
||||
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
|
||||
A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
|
||||
KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
|
||||
B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
|
||||
6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
|
||||
-----END CERTIFICATE-----
|
||||
EOF
|
||||
private_key = <<EOF
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
|
||||
oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
|
||||
rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
|
||||
AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
|
||||
c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
|
||||
F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
|
||||
wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
|
||||
GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
|
||||
O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
|
||||
0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
|
||||
aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
|
||||
Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
|
||||
wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
|
||||
-----END RSA PRIVATE KEY-----
|
||||
EOF
|
||||
}
|
||||
resource "aws_elb" "lb" {
|
||||
name = "test-lb"
|
||||
availability_zones = ["us-east-1a"]
|
||||
listener {
|
||||
instance_port = 8000
|
||||
instance_protocol = "https"
|
||||
lb_port = 443
|
||||
lb_protocol = "https"
|
||||
ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
|
||||
}
|
||||
}
|
||||
resource "aws_lb_ssl_negotiation_policy" "foo" {
|
||||
name = "foo-policy"
|
||||
load_balancer = "${aws_elb.lb.id}"
|
||||
lb_port = 443
|
||||
attribute {
|
||||
name = "Protocol-TLSv1"
|
||||
value = "false"
|
||||
}
|
||||
attribute {
|
||||
name = "Protocol-TLSv1.1"
|
||||
value = "false"
|
||||
}
|
||||
attribute {
|
||||
name = "Protocol-TLSv1.2"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "Server-Defined-Cipher-Order"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "ECDHE-RSA-AES128-GCM-SHA256"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "AES128-GCM-SHA256"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "EDH-RSA-DES-CBC3-SHA"
|
||||
value = "false"
|
||||
}
|
||||
}
|
||||
`, certName)
|
||||
}
|
|
@ -1447,3 +1447,41 @@ func (s setMap) Map() map[string]interface{} {
|
|||
func (s setMap) MapList() []map[string]interface{} {
|
||||
return []map[string]interface{}{s.Map()}
|
||||
}
|
||||
|
||||
// Takes the result of flatmap.Expand for an array of policy attributes and
|
||||
// returns ELB API compatible objects
|
||||
func expandPolicyAttributes(configured []interface{}) ([]*elb.PolicyAttribute, error) {
|
||||
attributes := make([]*elb.PolicyAttribute, 0, len(configured))
|
||||
|
||||
// Loop over our configured attributes and create
|
||||
// an array of aws-sdk-go compatible objects
|
||||
for _, lRaw := range configured {
|
||||
data := lRaw.(map[string]interface{})
|
||||
|
||||
a := &elb.PolicyAttribute{
|
||||
AttributeName: aws.String(data["name"].(string)),
|
||||
AttributeValue: aws.String(data["value"].(string)),
|
||||
}
|
||||
|
||||
attributes = append(attributes, a)
|
||||
|
||||
}
|
||||
|
||||
return attributes, nil
|
||||
}
|
||||
|
||||
// Flattens an array of PolicyAttributes into a []interface{}
|
||||
func flattenPolicyAttributes(list []*elb.PolicyAttributeDescription) []interface{} {
|
||||
attributes := []interface{}{}
|
||||
for _, attrdef := range list {
|
||||
attribute := map[string]string{
|
||||
"name": *attrdef.AttributeName,
|
||||
"value": *attrdef.AttributeValue,
|
||||
}
|
||||
|
||||
attributes = append(attributes, attribute)
|
||||
|
||||
}
|
||||
|
||||
return attributes
|
||||
}
|
||||
|
|
|
@ -1012,3 +1012,107 @@ func TestFlattenApiGatewayStageKeys(t *testing.T) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestExpandPolicyAttributes(t *testing.T) {
|
||||
expanded := []interface{}{
|
||||
map[string]interface{}{
|
||||
"name": "Protocol-TLSv1",
|
||||
"value": "false",
|
||||
},
|
||||
map[string]interface{}{
|
||||
"name": "Protocol-TLSv1.1",
|
||||
"value": "false",
|
||||
},
|
||||
map[string]interface{}{
|
||||
"name": "Protocol-TLSv1.2",
|
||||
"value": "true",
|
||||
},
|
||||
}
|
||||
attributes, err := expandPolicyAttributes(expanded)
|
||||
if err != nil {
|
||||
t.Fatalf("bad: %#v", err)
|
||||
}
|
||||
|
||||
if len(attributes) != 3 {
|
||||
t.Fatalf("expected number of attributes to be 3, but got %d", len(attributes))
|
||||
}
|
||||
|
||||
expected := &elb.PolicyAttribute{
|
||||
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||
AttributeValue: aws.String("true"),
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(attributes[2], expected) {
|
||||
t.Fatalf(
|
||||
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
|
||||
attributes[2],
|
||||
expected)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExpandPolicyAttributes_invalid(t *testing.T) {
|
||||
expanded := []interface{}{
|
||||
map[string]interface{}{
|
||||
"name": "Protocol-TLSv1.2",
|
||||
"value": "true",
|
||||
},
|
||||
}
|
||||
attributes, err := expandPolicyAttributes(expanded)
|
||||
if err != nil {
|
||||
t.Fatalf("bad: %#v", err)
|
||||
}
|
||||
|
||||
expected := &elb.PolicyAttribute{
|
||||
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||
AttributeValue: aws.String("false"),
|
||||
}
|
||||
|
||||
if reflect.DeepEqual(attributes[0], expected) {
|
||||
t.Fatalf(
|
||||
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
|
||||
attributes[0],
|
||||
expected)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExpandPolicyAttributes_empty(t *testing.T) {
|
||||
var expanded []interface{}
|
||||
|
||||
attributes, err := expandPolicyAttributes(expanded)
|
||||
if err != nil {
|
||||
t.Fatalf("bad: %#v", err)
|
||||
}
|
||||
|
||||
if len(attributes) != 0 {
|
||||
t.Fatalf("expected number of attributes to be 0, but got %d", len(attributes))
|
||||
}
|
||||
}
|
||||
|
||||
func TestFlattenPolicyAttributes(t *testing.T) {
|
||||
cases := []struct {
|
||||
Input []*elb.PolicyAttributeDescription
|
||||
Output []interface{}
|
||||
}{
|
||||
{
|
||||
Input: []*elb.PolicyAttributeDescription{
|
||||
&elb.PolicyAttributeDescription{
|
||||
AttributeName: aws.String("Protocol-TLSv1.2"),
|
||||
AttributeValue: aws.String("true"),
|
||||
},
|
||||
},
|
||||
Output: []interface{}{
|
||||
map[string]string{
|
||||
"name": "Protocol-TLSv1.2",
|
||||
"value": "true",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range cases {
|
||||
output := flattenPolicyAttributes(tc.Input)
|
||||
if !reflect.DeepEqual(output, tc.Output) {
|
||||
t.Fatalf("Got:\n\n%#v\n\nExpected:\n\n%#v", output, tc.Output)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,87 @@
|
|||
---
|
||||
layout: "aws"
|
||||
page_title: "AWS: aws_lb_ssl_negotiation_policy"
|
||||
sidebar_current: "docs-aws-resource-lb-ssl-negotiation-policy"
|
||||
description: |-
|
||||
Provides a load balancer SSL negotiation policy, which allows an ELB to control which ciphers and protocols are supported during SSL negotiations between a client and a load balancer.
|
||||
---
|
||||
|
||||
# aws\_lb\_ssl\_negotiation\_policy
|
||||
|
||||
Provides a load balancer SSL negotiation policy, which allows an ELB to control the ciphers and protocols that are supported during SSL negotiations between a client and a load balancer.
|
||||
|
||||
## Example Usage
|
||||
|
||||
```
|
||||
resource "aws_elb" "lb" {
|
||||
name = "test-lb"
|
||||
availability_zones = ["us-east-1a"]
|
||||
listener {
|
||||
instance_port = 8000
|
||||
instance_protocol = "https"
|
||||
lb_port = 443
|
||||
lb_protocol = "https"
|
||||
ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_lb_ssl_negotiation_policy" "foo" {
|
||||
name = "foo-policy"
|
||||
load_balancer = "${aws_elb.lb.id}"
|
||||
lb_port = 443
|
||||
attribute {
|
||||
name = "Protocol-TLSv1"
|
||||
value = "false"
|
||||
}
|
||||
attribute {
|
||||
name = "Protocol-TLSv1.1"
|
||||
value = "false"
|
||||
}
|
||||
attribute {
|
||||
name = "Protocol-TLSv1.2"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "Server-Defined-Cipher-Order"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "ECDHE-RSA-AES128-GCM-SHA256"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "AES128-GCM-SHA256"
|
||||
value = "true"
|
||||
}
|
||||
attribute {
|
||||
name = "EDH-RSA-DES-CBC3-SHA"
|
||||
value = "false"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
* `name` - (Required) The name of the SSL negotiation policy.
|
||||
* `load_balancer` - (Required) The load balancer to which the policy
|
||||
should be attached.
|
||||
* `lb_port` - (Required) The load balancer port to which the policy
|
||||
should be applied. This must be an active listener on the load
|
||||
balancer.
|
||||
* `attribute` - (Optional) An SSL Negotiation policy attribute. Each has two properties:
|
||||
* `name` - The name of the attribute
|
||||
* `value` - The value of the attribute
|
||||
|
||||
To set your attributes, please see the [AWS Elastic Load Balancing Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
The following attributes are exported:
|
||||
|
||||
* `id` - The ID of the policy.
|
||||
* `name` - The name of the stickiness policy.
|
||||
* `load_balancer` - The load balancer to which the policy is attached.
|
||||
* `lb_port` - The load balancer port to which the policy is applied.
|
||||
* `attribute` - The SSL Negotiation policy attributes.
|
|
@ -288,6 +288,10 @@
|
|||
<a href="/docs/providers/aws/r/load_balancer_policy.html">aws_load_balancer_policy</a>
|
||||
</li>
|
||||
|
||||
<li<%= sidebar_current("docs-aws-resource-lb-ssl-negotiation-policy") %>>
|
||||
<a href="/docs/providers/aws/r/lb_ssl_negotiation_policy.html">aws_lb_ssl_negotiation_policy</a>
|
||||
</li>
|
||||
|
||||
<li<%= sidebar_current("docs-aws-resource-placement-group") %>>
|
||||
<a href="/docs/providers/aws/r/placement_group.html">aws_placement_group</a>
|
||||
</li>
|
||||
|
|
Loading…
Reference in New Issue