389 lines
11 KiB
Go
389 lines
11 KiB
Go
package aws
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
"github.com/aws/aws-sdk-go/service/elb"
|
|
|
|
tlsprovider "github.com/hashicorp/terraform/builtin/providers/tls"
|
|
"github.com/hashicorp/terraform/helper/resource"
|
|
"github.com/hashicorp/terraform/terraform"
|
|
)
|
|
|
|
func TestAccAWSLoadBalancerBackendServerPolicy_basic(t *testing.T) {
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: map[string]terraform.ResourceProvider{
|
|
"aws": testAccProvider,
|
|
"tls": tlsprovider.Provider(),
|
|
},
|
|
CheckDestroy: testAccCheckAWSLoadBalancerBackendServerPolicyDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccAWSLoadBalancerBackendServerPolicyConfig_basic0,
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckAWSLoadBalancerPolicyState("aws_elb.test-lb", "aws_load_balancer_policy.test-pubkey-policy0"),
|
|
testAccCheckAWSLoadBalancerPolicyState("aws_elb.test-lb", "aws_load_balancer_policy.test-backend-auth-policy0"),
|
|
testAccCheckAWSLoadBalancerBackendServerPolicyState("test-aws-policies-lb", "test-backend-auth-policy0", true),
|
|
),
|
|
},
|
|
resource.TestStep{
|
|
Config: testAccAWSLoadBalancerBackendServerPolicyConfig_basic1,
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckAWSLoadBalancerPolicyState("aws_elb.test-lb", "aws_load_balancer_policy.test-pubkey-policy0"),
|
|
testAccCheckAWSLoadBalancerPolicyState("aws_elb.test-lb", "aws_load_balancer_policy.test-pubkey-policy1"),
|
|
testAccCheckAWSLoadBalancerPolicyState("aws_elb.test-lb", "aws_load_balancer_policy.test-backend-auth-policy0"),
|
|
testAccCheckAWSLoadBalancerBackendServerPolicyState("test-aws-policies-lb", "test-backend-auth-policy0", true),
|
|
),
|
|
},
|
|
resource.TestStep{
|
|
Config: testAccAWSLoadBalancerBackendServerPolicyConfig_basic2,
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckAWSLoadBalancerBackendServerPolicyState("test-aws-policies-lb", "test-backend-auth-policy0", false),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func policyInBackendServerPolicies(str string, list []string) bool {
|
|
for _, v := range list {
|
|
if v == str {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func testAccCheckAWSLoadBalancerBackendServerPolicyDestroy(s *terraform.State) error {
|
|
conn := testAccProvider.Meta().(*AWSClient).elbconn
|
|
|
|
for _, rs := range s.RootModule().Resources {
|
|
switch {
|
|
case rs.Type == "aws_load_balancer_policy":
|
|
loadBalancerName, policyName := resourceAwsLoadBalancerBackendServerPoliciesParseId(rs.Primary.ID)
|
|
out, err := conn.DescribeLoadBalancerPolicies(
|
|
&elb.DescribeLoadBalancerPoliciesInput{
|
|
LoadBalancerName: aws.String(loadBalancerName),
|
|
PolicyNames: []*string{aws.String(policyName)},
|
|
})
|
|
if err != nil {
|
|
if ec2err, ok := err.(awserr.Error); ok && (ec2err.Code() == "PolicyNotFound" || ec2err.Code() == "LoadBalancerNotFound") {
|
|
continue
|
|
}
|
|
return err
|
|
}
|
|
if len(out.PolicyDescriptions) > 0 {
|
|
return fmt.Errorf("Policy still exists")
|
|
}
|
|
case rs.Type == "aws_load_balancer_backend_policy":
|
|
loadBalancerName, policyName := resourceAwsLoadBalancerBackendServerPoliciesParseId(rs.Primary.ID)
|
|
out, err := conn.DescribeLoadBalancers(
|
|
&elb.DescribeLoadBalancersInput{
|
|
LoadBalancerNames: []*string{aws.String(loadBalancerName)},
|
|
})
|
|
if err != nil {
|
|
if ec2err, ok := err.(awserr.Error); ok && (ec2err.Code() == "LoadBalancerNotFound") {
|
|
continue
|
|
}
|
|
return err
|
|
}
|
|
for _, backendServer := range out.LoadBalancerDescriptions[0].BackendServerDescriptions {
|
|
policyStrings := []string{}
|
|
for _, pol := range backendServer.PolicyNames {
|
|
policyStrings = append(policyStrings, *pol)
|
|
}
|
|
if policyInBackendServerPolicies(policyName, policyStrings) {
|
|
return fmt.Errorf("Policy still exists and is assigned")
|
|
}
|
|
}
|
|
default:
|
|
continue
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func testAccCheckAWSLoadBalancerBackendServerPolicyState(loadBalancerName string, loadBalancerBackendAuthPolicyName string, assigned bool) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
elbconn := testAccProvider.Meta().(*AWSClient).elbconn
|
|
|
|
loadBalancerDescription, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
|
|
LoadBalancerNames: []*string{aws.String(loadBalancerName)},
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, backendServer := range loadBalancerDescription.LoadBalancerDescriptions[0].BackendServerDescriptions {
|
|
policyStrings := []string{}
|
|
for _, pol := range backendServer.PolicyNames {
|
|
policyStrings = append(policyStrings, *pol)
|
|
}
|
|
if policyInBackendServerPolicies(loadBalancerBackendAuthPolicyName, policyStrings) != assigned {
|
|
if assigned {
|
|
return fmt.Errorf("Policy no longer assigned %s not in %+v", loadBalancerBackendAuthPolicyName, policyStrings)
|
|
} else {
|
|
return fmt.Errorf("Policy exists and is assigned")
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
const testAccAWSLoadBalancerBackendServerPolicyConfig_basic0 = `
|
|
resource "tls_private_key" "example0" {
|
|
algorithm = "RSA"
|
|
}
|
|
|
|
resource "tls_self_signed_cert" "test-cert0" {
|
|
key_algorithm = "RSA"
|
|
private_key_pem = "${tls_private_key.example0.private_key_pem}"
|
|
|
|
subject {
|
|
common_name = "example.com"
|
|
organization = "ACME Examples, Inc"
|
|
}
|
|
|
|
validity_period_hours = 12
|
|
|
|
allowed_uses = [
|
|
"key_encipherment",
|
|
"digital_signature",
|
|
"server_auth",
|
|
]
|
|
}
|
|
|
|
resource "aws_iam_server_certificate" "test-iam-cert0" {
|
|
name_prefix = "test_cert_"
|
|
certificate_body = "${tls_self_signed_cert.test-cert0.cert_pem}"
|
|
private_key = "${tls_private_key.example0.private_key_pem}"
|
|
}
|
|
|
|
resource "aws_elb" "test-lb" {
|
|
name = "test-aws-policies-lb"
|
|
availability_zones = ["us-west-2a"]
|
|
|
|
listener {
|
|
instance_port = 443
|
|
instance_protocol = "https"
|
|
lb_port = 443
|
|
lb_protocol = "https"
|
|
ssl_certificate_id = "${aws_iam_server_certificate.test-iam-cert0.arn}"
|
|
}
|
|
|
|
tags {
|
|
Name = "tf-acc-test"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_policy" "test-pubkey-policy0" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
policy_name = "test-pubkey-policy0"
|
|
policy_type_name = "PublicKeyPolicyType"
|
|
policy_attribute = {
|
|
name = "PublicKey"
|
|
value = "${replace(replace(replace(tls_private_key.example0.public_key_pem, "\n", ""), "-----BEGIN PUBLIC KEY-----", ""), "-----END PUBLIC KEY-----", "")}"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_policy" "test-backend-auth-policy0" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
policy_name = "test-backend-auth-policy0"
|
|
policy_type_name = "BackendServerAuthenticationPolicyType"
|
|
policy_attribute = {
|
|
name = "PublicKeyPolicyName"
|
|
value = "${aws_load_balancer_policy.test-pubkey-policy0.policy_name}"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_backend_server_policy" "test-backend-auth-policies-443" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
instance_port = 443
|
|
policy_names = [
|
|
"${aws_load_balancer_policy.test-backend-auth-policy0.policy_name}"
|
|
]
|
|
}
|
|
`
|
|
|
|
const testAccAWSLoadBalancerBackendServerPolicyConfig_basic1 = `
|
|
resource "tls_private_key" "example0" {
|
|
algorithm = "RSA"
|
|
}
|
|
|
|
resource "tls_self_signed_cert" "test-cert0" {
|
|
key_algorithm = "RSA"
|
|
private_key_pem = "${tls_private_key.example0.private_key_pem}"
|
|
|
|
subject {
|
|
common_name = "example.com"
|
|
organization = "ACME Examples, Inc"
|
|
}
|
|
|
|
validity_period_hours = 12
|
|
|
|
allowed_uses = [
|
|
"key_encipherment",
|
|
"digital_signature",
|
|
"server_auth",
|
|
]
|
|
}
|
|
|
|
resource "tls_private_key" "example1" {
|
|
algorithm = "RSA"
|
|
}
|
|
|
|
resource "tls_self_signed_cert" "test-cert1" {
|
|
key_algorithm = "RSA"
|
|
private_key_pem = "${tls_private_key.example1.private_key_pem}"
|
|
|
|
subject {
|
|
common_name = "example.com"
|
|
organization = "ACME Examples, Inc"
|
|
}
|
|
|
|
validity_period_hours = 12
|
|
|
|
allowed_uses = [
|
|
"key_encipherment",
|
|
"digital_signature",
|
|
"server_auth",
|
|
]
|
|
}
|
|
|
|
resource "aws_iam_server_certificate" "test-iam-cert0" {
|
|
name_prefix = "test_cert_"
|
|
certificate_body = "${tls_self_signed_cert.test-cert0.cert_pem}"
|
|
private_key = "${tls_private_key.example0.private_key_pem}"
|
|
}
|
|
|
|
resource "aws_elb" "test-lb" {
|
|
name = "test-aws-policies-lb"
|
|
availability_zones = ["us-west-2a"]
|
|
|
|
listener {
|
|
instance_port = 443
|
|
instance_protocol = "https"
|
|
lb_port = 443
|
|
lb_protocol = "https"
|
|
ssl_certificate_id = "${aws_iam_server_certificate.test-iam-cert0.arn}"
|
|
}
|
|
|
|
tags {
|
|
Name = "tf-acc-test"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_policy" "test-pubkey-policy0" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
policy_name = "test-pubkey-policy0"
|
|
policy_type_name = "PublicKeyPolicyType"
|
|
policy_attribute = {
|
|
name = "PublicKey"
|
|
value = "${replace(replace(replace(tls_private_key.example0.public_key_pem, "\n", ""), "-----BEGIN PUBLIC KEY-----", ""), "-----END PUBLIC KEY-----", "")}"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_policy" "test-pubkey-policy1" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
policy_name = "test-pubkey-policy1"
|
|
policy_type_name = "PublicKeyPolicyType"
|
|
policy_attribute = {
|
|
name = "PublicKey"
|
|
value = "${replace(replace(replace(tls_private_key.example1.public_key_pem, "\n", ""), "-----BEGIN PUBLIC KEY-----", ""), "-----END PUBLIC KEY-----", "")}"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_policy" "test-backend-auth-policy0" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
policy_name = "test-backend-auth-policy0"
|
|
policy_type_name = "BackendServerAuthenticationPolicyType"
|
|
policy_attribute = {
|
|
name = "PublicKeyPolicyName"
|
|
value = "${aws_load_balancer_policy.test-pubkey-policy1.policy_name}"
|
|
}
|
|
}
|
|
|
|
resource "aws_load_balancer_backend_server_policy" "test-backend-auth-policies-443" {
|
|
load_balancer_name = "${aws_elb.test-lb.name}"
|
|
instance_port = 443
|
|
policy_names = [
|
|
"${aws_load_balancer_policy.test-backend-auth-policy0.policy_name}"
|
|
]
|
|
}
|
|
`
|
|
|
|
const testAccAWSLoadBalancerBackendServerPolicyConfig_basic2 = `
|
|
resource "tls_private_key" "example0" {
|
|
algorithm = "RSA"
|
|
}
|
|
|
|
resource "tls_self_signed_cert" "test-cert0" {
|
|
key_algorithm = "RSA"
|
|
private_key_pem = "${tls_private_key.example0.private_key_pem}"
|
|
|
|
subject {
|
|
common_name = "example.com"
|
|
organization = "ACME Examples, Inc"
|
|
}
|
|
|
|
validity_period_hours = 12
|
|
|
|
allowed_uses = [
|
|
"key_encipherment",
|
|
"digital_signature",
|
|
"server_auth",
|
|
]
|
|
}
|
|
|
|
resource "tls_private_key" "example1" {
|
|
algorithm = "RSA"
|
|
}
|
|
|
|
resource "tls_self_signed_cert" "test-cert1" {
|
|
key_algorithm = "RSA"
|
|
private_key_pem = "${tls_private_key.example1.private_key_pem}"
|
|
|
|
subject {
|
|
common_name = "example.com"
|
|
organization = "ACME Examples, Inc"
|
|
}
|
|
|
|
validity_period_hours = 12
|
|
|
|
allowed_uses = [
|
|
"key_encipherment",
|
|
"digital_signature",
|
|
"server_auth",
|
|
]
|
|
}
|
|
|
|
resource "aws_iam_server_certificate" "test-iam-cert0" {
|
|
name_prefix = "test_cert_"
|
|
certificate_body = "${tls_self_signed_cert.test-cert0.cert_pem}"
|
|
private_key = "${tls_private_key.example0.private_key_pem}"
|
|
}
|
|
|
|
resource "aws_elb" "test-lb" {
|
|
name = "test-aws-policies-lb"
|
|
availability_zones = ["us-west-2a"]
|
|
|
|
listener {
|
|
instance_port = 443
|
|
instance_protocol = "https"
|
|
lb_port = 443
|
|
lb_protocol = "https"
|
|
ssl_certificate_id = "${aws_iam_server_certificate.test-iam-cert0.arn}"
|
|
}
|
|
|
|
tags {
|
|
Name = "tf-acc-test"
|
|
}
|
|
}
|
|
`
|