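// Source listing: github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go

package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/service/elb"

	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSLBSSLNegotiationPolicy_basic applies the fixture configuration
// (server certificate, ELB with an HTTPS listener, SSL negotiation policy) and
// checks that the policy reported by the ELB API carries the configured
// protocol and cipher attributes.
func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
	certName := fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))
	lbName := fmt.Sprintf("tf-test-lb-%s", acctest.RandString(5))

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccSslNegotiationPolicyConfig(certName, lbName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckLBSSLNegotiationPolicy(
						"aws_elb.lb",
						"aws_lb_ssl_negotiation_policy.foo",
					),
					// Seven attribute blocks are declared in the fixture; the
					// state must hold exactly that many.
					resource.TestCheckResourceAttr(
						"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
				),
			},
		},
	})
}

// TestAccAWSLBSSLNegotiationPolicy_missingLB checks that the policy resource
// can still be handled (and finally destroyed) after the load balancer it is
// attached to has been deleted outside of Terraform.
func TestAccAWSLBSSLNegotiationPolicy_missingLB(t *testing.T) {
	lbName := fmt.Sprintf("tf-test-lb-%s", acctest.RandString(5))

	// check that we can destroy the policy if the LB is missing
	removeLB := func() {
		conn := testAccProvider.Meta().(*AWSClient).elbconn
		input := &elb.DeleteLoadBalancerInput{
			LoadBalancerName: aws.String(lbName),
		}
		if _, err := conn.DeleteLoadBalancer(input); err != nil {
			t.Fatalf("Error deleting ELB: %s", err)
		}
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccSslNegotiationPolicyConfig(
					fmt.Sprintf("tf-acctest-%s", acctest.RandString(10)), lbName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckLBSSLNegotiationPolicy(
						"aws_elb.lb",
						"aws_lb_ssl_negotiation_policy.foo",
					),
					resource.TestCheckResourceAttr(
						"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
				),
			},
			{
				// The ELB is deleted out of band right before this step runs.
				PreConfig: removeLB,
				// NOTE(review): this step draws a fresh random certificate
				// name, so the certificate name differs from step one; confirm
				// that this is intended.
				Config: testAccSslNegotiationPolicyConfig(
					fmt.Sprintf("tf-acctest-%s", acctest.RandString(10)), lbName),
			},
		},
	})
}

// testAccCheckLBSSLNegotiationPolicyDestroy verifies that every aws_elb and
// aws_lb_ssl_negotiation_policy resource left in the state is gone from AWS.
//
// A resource counts as destroyed only when the API answers with a not-found
// error code. Any other failure (for example a permissions or throttling
// error) is returned, because it does not prove that the resource was removed.
func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
	elbconn := testAccProvider.Meta().(*AWSClient).elbconn

	for _, rs := range s.RootModule().Resources {
		switch rs.Type {
		case "aws_elb":
			// Check that the ELB is destroyed
			describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
				LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
			})
			if err == nil {
				if len(describe.LoadBalancerDescriptions) != 0 &&
					aws.StringValue(describe.LoadBalancerDescriptions[0].LoadBalancerName) == rs.Primary.ID {
					return fmt.Errorf("ELB still exists")
				}
				// No matching ELB was returned. Move on to the next resource
				// instead of falling through to the error inspection below,
				// which would return a nil error and end the whole check
				// before the remaining resources were looked at.
				continue
			}

			// Verify the error
			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}
			if providerErr.Code() != "LoadBalancerNotFound" {
				return fmt.Errorf("Unexpected error: %s", err)
			}

		case "aws_lb_ssl_negotiation_policy":
			// Check that the SSL Negotiation Policy is destroyed
			elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
			_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
				LoadBalancerName: aws.String(elbName),
				PolicyNames:      []*string{aws.String(policyName)},
			})
			if err == nil {
				return fmt.Errorf("ELB SSL Negotiation Policy still exists")
			}

			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}
			switch providerErr.Code() {
			case "LoadBalancerNotFound", "PolicyNotFound":
				// The policy, or the load balancer that carried it, is gone.
			default:
				return fmt.Errorf("Unexpected error: %s", err)
			}
		}
	}

	return nil
}

// testAccCheckLBSSLNegotiationPolicy returns a check that looks up the policy
// named by policyResource through the ELB API and compares its attributes with
// the values set in the fixture configuration.
//
// elbResource and policyResource are the state addresses of the load balancer
// and of the policy. The check fails when either is missing from the state,
// when the ELB has no ID, when the API call fails, or when an attribute does
// not have the expected value.
func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[elbResource]
		if !ok {
			return fmt.Errorf("Not found: %s", elbResource)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		policy, ok := s.RootModule().Resources[policyResource]
		if !ok {
			return fmt.Errorf("Not found: %s", policyResource)
		}

		elbconn := testAccProvider.Meta().(*AWSClient).elbconn

		elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
		resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
			LoadBalancerName: aws.String(elbName),
			PolicyNames:      []*string{aws.String(policyName)},
		})
		if err != nil {
			// Report the failure once, with context, through the returned error.
			return fmt.Errorf("Problem describing load balancer policy '%s': %s", policyName, err)
		}

		if len(resp.PolicyDescriptions) != 1 {
			return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
		}

		attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)

		// Expected negotiation settings, in the order they are checked:
		// TLS 1.0 and 1.1 off, TLS 1.2 on, server cipher order on, the two
		// AES-GCM suites on and the 3DES suite off. An attribute missing from
		// the response reads as "" and therefore fails its comparison, so an
		// absent attribute is never taken for a disabled one.
		// NOTE(review): only these seven attributes are inspected; protocols or
		// ciphers the policy may enable outside this list are not checked here.
		expected := []struct {
			name  string
			value string
		}{
			{"Protocol-TLSv1", "false"},
			{"Protocol-TLSv1.1", "false"},
			{"Protocol-TLSv1.2", "true"},
			{"Server-Defined-Cipher-Order", "true"},
			{"ECDHE-RSA-AES128-GCM-SHA256", "true"},
			{"AES128-GCM-SHA256", "true"},
			{"EDH-RSA-DES-CBC3-SHA", "false"},
		}
		for _, want := range expected {
			if got := attrmap[want.name]; got != want.value {
				return fmt.Errorf("Policy attribute '%s' was of value %s instead of %s!", want.name, got, want.value)
			}
		}

		return nil
	}
}

// policyAttributesToMap flattens the attribute descriptions of an ELB policy
// into a name-to-value map. A nil slice pointer yields an empty map, nil
// entries are skipped, and nil name or value pointers are read as "".
func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
	attrmap := make(map[string]string)
	if attributes == nil {
		return attrmap
	}

	for _, attrdef := range *attributes {
		if attrdef == nil {
			continue
		}
		attrmap[aws.StringValue(attrdef.AttributeName)] = aws.StringValue(attrdef.AttributeValue)
	}

	return attrmap
}

// Sets the SSL Negotiation policy with attributes.
// The IAM Server Cert config is lifted from
// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
//
// certName names the IAM server certificate and lbName names the ELB.
//
// The certificate, chain and RSA private key embedded below are checked-in
// test fixtures. Because the private key is published with the source it must
// be treated as public: it is only suitable for this acceptance test and must
// never protect a real endpoint. Secret scanners will report it; allowlist
// this fixture specifically rather than relaxing the rule.
// NOTE(review): the DER prefixes look like a 1024-bit RSA key and SHA-1
// signatures, which would be too weak for anything but a throwaway fixture;
// confirm by decoding the certificate.
func testAccSslNegotiationPolicyConfig(certName string, lbName string) string {
	return fmt.Sprintf(`
resource "aws_iam_server_certificate" "test_cert" {
  name = "%s"
  certificate_body = <<EOF
-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
zAYQVBuFaLoTi3Fs7g1s
-----END CERTIFICATE-----
EOF
  certificate_chain = <<EOF
-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
-----END CERTIFICATE-----
EOF
  private_key = <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
-----END RSA PRIVATE KEY-----
EOF
}
resource "aws_elb" "lb" {
  name = "%s"
  availability_zones = ["us-west-2a"]
  listener {
    instance_port = 8000
    instance_protocol = "https"
    lb_port = 443
    lb_protocol = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
  }
}
resource "aws_lb_ssl_negotiation_policy" "foo" {
  name = "foo-policy"
  load_balancer = "${aws_elb.lb.id}"
  lb_port = 443
  attribute {
    name = "Protocol-TLSv1"
    value = "false"
  }
  attribute {
    name = "Protocol-TLSv1.1"
    value = "false"
  }
  attribute {
    name = "Protocol-TLSv1.2"
    value = "true"
  }
  attribute {
    name = "Server-Defined-Cipher-Order"
    value = "true"
  }
  attribute {
    name = "ECDHE-RSA-AES128-GCM-SHA256"
    value = "true"
  }
  attribute {
    name = "AES128-GCM-SHA256"
    value = "true"
  }
  attribute {
    name = "EDH-RSA-DES-CBC3-SHA"
    value = "false"
  }
}
`, certName, lbName)
}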