github.com/mohanarpit/terraform@v0.6.16-0.20160909104007-291f29853544/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/aws/awserr"
     9  	"github.com/aws/aws-sdk-go/service/elb"
    10  
    11  	"github.com/hashicorp/terraform/helper/acctest"
    12  	"github.com/hashicorp/terraform/helper/resource"
    13  	"github.com/hashicorp/terraform/terraform"
    14  )
    15  
// TestAccAWSLBSSLNegotiationPolicy_basic applies the configuration produced by
// testAccSslNegotiationPolicyConfig with a randomised certificate name, then
// checks the policy read back from the ELB API and the number of attributes
// recorded in state. testAccCheckLBSSLNegotiationPolicyDestroy runs as the
// destroy check.
func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
	const (
		elbAddr    = "aws_elb.lb"
		policyAddr = "aws_lb_ssl_negotiation_policy.foo"
	)

	// Only the certificate name carries a random suffix.
	certName := fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))

	verify := resource.ComposeTestCheckFunc(
		testAccCheckLBSSLNegotiationPolicy(elbAddr, policyAddr),
		// The configuration declares seven attribute blocks.
		resource.TestCheckResourceAttr(policyAddr, "attribute.#", "7"),
	)

	testCase := resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccSslNegotiationPolicyConfig(certName),
				Check:  verify,
			},
		},
	}

	resource.Test(t, testCase)
}
    37  
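// testAccCheckLBSSLNegotiationPolicyDestroy verifies that every aws_elb and
// aws_lb_ssl_negotiation_policy resource left in the state is gone from the
// ELB API. It returns an error when a resource still exists or when the API
// fails for a reason other than "not found".
//
// A destroy check must not treat an arbitrary API failure as proof of
// deletion: a throttled or denied call would otherwise let a leaked load
// balancer or policy pass unnoticed. Both branches therefore inspect the
// error code.
func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
	elbconn := testAccProvider.Meta().(*AWSClient).elbconn

	for _, rs := range s.RootModule().Resources {
		switch rs.Type {
		case "aws_elb":
			// Check that the ELB is destroyed.
			describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
				LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
			})

			if err == nil {
				if len(describe.LoadBalancerDescriptions) != 0 &&
					aws.StringValue(describe.LoadBalancerDescriptions[0].LoadBalancerName) == rs.Primary.ID {
					return fmt.Errorf("ELB still exists")
				}
				// The call succeeded without returning this ELB. Move on to
				// the next resource; the previous code fell through to the
				// type assertion with a nil error and returned nil here,
				// which skipped every remaining resource.
				continue
			}

			// Verify the error.
			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}

			if providerErr.Code() != "LoadBalancerNotFound" {
				return fmt.Errorf("Unexpected error: %s", err)
			}

		case "aws_lb_ssl_negotiation_policy":
			// Check that the SSL Negotiation Policy is destroyed.
			elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
			_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
				LoadBalancerName: aws.String(elbName),
				PolicyNames:      []*string{aws.String(policyName)},
			})

			if err == nil {
				return fmt.Errorf("ELB SSL Negotiation Policy still exists")
			}

			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}

			// Either the policy or the load balancer that held it is gone;
			// any other code says nothing about whether the policy exists.
			switch providerErr.Code() {
			case "LoadBalancerNotFound", "PolicyNotFound":
			default:
				return fmt.Errorf("Unexpected error: %s", err)
			}
		}
	}

	return nil
}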
    84  
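// testAccCheckLBSSLNegotiationPolicy returns a check that looks up the ELB and
// policy resources in state, reads the policy back from the ELB API and
// compares seven attributes with the values the test configuration sets:
// TLS 1.0 and TLS 1.1 off, TLS 1.2 on, server-defined cipher order on, two
// AES-128-GCM suites on and the 3DES suite EDH-RSA-DES-CBC3-SHA off.
//
// The check returns an error when either resource is missing from state or
// has no ID, when the API call fails, when the API does not return exactly
// one policy description, or at the first attribute that differs.
func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
	// A slice keeps the order fixed, so the first mismatch reported is the
	// same on every run. An attribute absent from the API response reads as
	// "" and fails its comparison.
	expected := []struct {
		name string
		want string
	}{
		{"Protocol-TLSv1", "false"},
		{"Protocol-TLSv1.1", "false"},
		{"Protocol-TLSv1.2", "true"},
		{"Server-Defined-Cipher-Order", "true"},
		{"ECDHE-RSA-AES128-GCM-SHA256", "true"},
		{"AES128-GCM-SHA256", "true"},
		{"EDH-RSA-DES-CBC3-SHA", "false"},
	}

	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[elbResource]
		if !ok {
			return fmt.Errorf("Not found: %s", elbResource)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		policy, ok := s.RootModule().Resources[policyResource]
		if !ok {
			return fmt.Errorf("Not found: %s", policyResource)
		}

		// The policy ID is parsed below; reject an empty one up front
		// instead of handing it to the parser.
		if policy.Primary.ID == "" {
			return fmt.Errorf("No ID is set for %s", policyResource)
		}

		elbconn := testAccProvider.Meta().(*AWSClient).elbconn

		elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
		resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
			LoadBalancerName: aws.String(elbName),
			PolicyNames:      []*string{aws.String(policyName)},
		})

		if err != nil {
			// Put the context in the returned error rather than printing it
			// to stdout and returning the bare error.
			return fmt.Errorf("Problem describing load balancer policy '%s': %s", policyName, err)
		}

		if len(resp.PolicyDescriptions) != 1 {
			return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
		}

		attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
		for _, e := range expected {
			if got := attrmap[e.name]; got != e.want {
				return fmt.Errorf("Policy attribute '%s' was of value %s instead of %s!", e.name, got, e.want)
			}
		}

		return nil
	}
}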
   144  
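// policyAttributesToMap flattens the attribute descriptions of an ELB policy
// into a map from attribute name to attribute value.
//
// A nil slice pointer yields an empty map. Entries that are nil or have no
// name are skipped, and a nil value is stored as "", so a malformed API
// response produces a failed comparison in the caller rather than a nil
// pointer panic.
func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
	if attributes == nil {
		return make(map[string]string)
	}

	attrmap := make(map[string]string, len(*attributes))

	for _, attrdef := range *attributes {
		if attrdef == nil || attrdef.AttributeName == nil {
			continue
		}

		value := ""
		if attrdef.AttributeValue != nil {
			value = *attrdef.AttributeValue
		}
		attrmap[*attrdef.AttributeName] = value
	}

	return attrmap
}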
   154  
// testAccSslNegotiationPolicyConfig renders the Terraform configuration used
// by the acceptance test: an IAM server certificate named certName, an ELB
// with an HTTPS listener on port 443 that references that certificate, and an
// SSL negotiation policy on port 443 with seven attribute blocks.
//
// The IAM server certificate material is lifted from
// builtin/providers/aws/resource_aws_iam_server_certificate_test.go. The
// certificate, chain and RSA private key are committed test fixtures and are
// therefore public: they must not be reused outside this test. Secret
// scanners will report the key block; allow-list this file rather than the
// key pattern.
//
// NOTE(review): only the certificate name is a parameter. The ELB name
// ("test-lb") and policy name ("foo-policy") are fixed, so runs that overlap
// in one account and region, or a leaked earlier run, may collide. Confirm
// whether these should be randomised as well.
// NOTE(review): the validity period encoded in the leaf certificate appears to
// end in August 2017. Confirm the fixture is still accepted before relying on
// this test.
// NOTE(review): the policy enables AES128-GCM-SHA256, a suite without forward
// secrecy. The attribute set is a fixture for exercising the resource, not a
// recommended TLS baseline.
func testAccSslNegotiationPolicyConfig(certName string) string {
	// The single %s verb receives the IAM server certificate name.
	const configTemplate = `
resource "aws_iam_server_certificate" "test_cert" {
  name = "%s"
  certificate_body = <<EOF
-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
zAYQVBuFaLoTi3Fs7g1s
-----END CERTIFICATE-----
EOF
  certificate_chain = <<EOF
-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
-----END CERTIFICATE-----
EOF
  private_key =  <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
-----END RSA PRIVATE KEY-----
EOF
}
resource "aws_elb" "lb" {
  name = "test-lb"
    availability_zones = ["us-west-2a"]
    listener {
      instance_port = 8000
      instance_protocol = "https"
      lb_port = 443
      lb_protocol = "https"
      ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
	}
}
resource "aws_lb_ssl_negotiation_policy" "foo" {
	name = "foo-policy"
	load_balancer = "${aws_elb.lb.id}"
	lb_port = 443
	attribute {
    	name = "Protocol-TLSv1"
        value = "false"
    }
    attribute {
        name = "Protocol-TLSv1.1"
        value = "false" 
    }       
    attribute {
        name = "Protocol-TLSv1.2"
        value = "true"
    }
    attribute {
        name = "Server-Defined-Cipher-Order"
        value = "true"
    }       
    attribute {
        name = "ECDHE-RSA-AES128-GCM-SHA256"
        value = "true"
    }
    attribute {
        name = "AES128-GCM-SHA256"
        value = "true"
    }
    attribute {
        name = "EDH-RSA-DES-CBC3-SHA"
        value = "false"
    }
}
`

	rendered := fmt.Sprintf(configTemplate, certName)
	return rendered
}