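// Source: github.com/recobe182/terraform@v0.8.5-0.20170117231232-49ab22a935b7/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go

package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/service/elb"

	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSLBSSLNegotiationPolicy_basic is an acceptance test that creates an
// ELB with an HTTPS listener and an SSL negotiation policy, then verifies that
// the policy stored by the ELB API carries the seven configured attributes
// (TLS 1.0/1.1 off, TLS 1.2 on, server cipher order on, two GCM suites on,
// the 3DES suite off).
func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccSslNegotiationPolicyConfig(
					fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckLBSSLNegotiationPolicy(
						"aws_elb.lb",
						"aws_lb_ssl_negotiation_policy.foo",
					),
					resource.TestCheckResourceAttr(
						"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
				),
			},
		},
	})
}

// testAccCheckLBSSLNegotiationPolicyDestroy verifies that every aws_elb and
// aws_lb_ssl_negotiation_policy resource left in the state has really been
// removed from AWS.
//
// Only a "not found" answer from the API counts as destroyed. Any other error
// (throttling, missing permissions, network failure) is returned, so that a
// failed lookup is never mistaken for a successful teardown of the TLS policy.
func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
	elbconn := testAccProvider.Meta().(*AWSClient).elbconn

	for _, rs := range s.RootModule().Resources {
		switch rs.Type {
		case "aws_elb":
			// Check that the ELB is destroyed.
			describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
				LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
			})
			if err == nil {
				for _, lb := range describe.LoadBalancerDescriptions {
					if lb != nil && aws.StringValue(lb.LoadBalancerName) == rs.Primary.ID {
						return fmt.Errorf("ELB still exists")
					}
				}
				// No error and no matching description: this ELB is gone.
				// Keep going; the previous code fell through to a type
				// assertion on the nil error and returned nil here, which
				// skipped the checks for all remaining resources.
				continue
			}

			// Verify the error.
			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}
			if providerErr.Code() != "LoadBalancerNotFound" {
				return fmt.Errorf("Unexpected error: %s", err)
			}

		case "aws_lb_ssl_negotiation_policy":
			// Check that the SSL Negotiation Policy is destroyed.
			elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
			_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
				LoadBalancerName: aws.String(elbName),
				PolicyNames:      []*string{aws.String(policyName)},
			})
			if err == nil {
				return fmt.Errorf("ELB SSL Negotiation Policy still exists")
			}

			providerErr, ok := err.(awserr.Error)
			if !ok {
				return err
			}
			switch providerErr.Code() {
			case "LoadBalancerNotFound", "PolicyNotFound":
				// Either the load balancer or the policy no longer exists.
			default:
				return fmt.Errorf("Unexpected error: %s", err)
			}
		}
	}

	return nil
}

// testAccCheckLBSSLNegotiationPolicy returns a check that looks up the policy
// named by policyResource on the load balancer it belongs to and compares the
// attributes reported by the ELB API with the values set in the test config.
//
// elbResource and policyResource are Terraform resource addresses
// (for example "aws_elb.lb"), not AWS names.
func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
	// Expected policy attributes, in the order they are checked. A slice is
	// used instead of a map so that the first reported mismatch is stable.
	expected := []struct {
		name string
		want string
	}{
		{"Protocol-TLSv1", "false"},
		{"Protocol-TLSv1.1", "false"},
		{"Protocol-TLSv1.2", "true"},
		{"Server-Defined-Cipher-Order", "true"},
		{"ECDHE-RSA-AES128-GCM-SHA256", "true"},
		{"AES128-GCM-SHA256", "true"},
		{"EDH-RSA-DES-CBC3-SHA", "false"},
	}

	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[elbResource]
		if !ok {
			return fmt.Errorf("Not found: %s", elbResource)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		policy, ok := s.RootModule().Resources[policyResource]
		if !ok {
			return fmt.Errorf("Not found: %s", policyResource)
		}

		// Guard before parsing: how resourceAwsLBSSLNegotiationPolicyParseId
		// treats an empty ID is not visible from this file.
		if policy.Primary.ID == "" {
			return fmt.Errorf("No ID is set for %s", policyResource)
		}

		elbconn := testAccProvider.Meta().(*AWSClient).elbconn

		elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
		resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
			LoadBalancerName: aws.String(elbName),
			PolicyNames:      []*string{aws.String(policyName)},
		})
		if err != nil {
			return fmt.Errorf("Problem describing load balancer policy '%s': %s", policyName, err)
		}

		if len(resp.PolicyDescriptions) != 1 {
			return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
		}

		attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
		for _, attr := range expected {
			// A missing attribute reads as "" and therefore fails the
			// comparison, so a protocol or cipher that the API silently
			// dropped is reported as well.
			if got := attrmap[attr.name]; got != attr.want {
				return fmt.Errorf("Policy attribute '%s' was of value %s instead of %s!", attr.name, got, attr.want)
			}
		}

		return nil
	}
}

// policyAttributesToMap flattens the attribute descriptions of an ELB policy
// into a name -> value map. A nil slice pointer yields an empty map; entries
// that are nil or have no name are skipped, and a nil value is stored as "".
func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
	attrmap := make(map[string]string)
	if attributes == nil {
		return attrmap
	}

	for _, attrdef := range *attributes {
		if attrdef == nil || attrdef.AttributeName == nil {
			continue
		}
		attrmap[*attrdef.AttributeName] = aws.StringValue(attrdef.AttributeValue)
	}

	return attrmap
}

// Sets the SSL Negotiation policy with attributes.
// The IAM Server Cert config is lifted from
// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
//
// certName is used as the name of the IAM server certificate. The certificate,
// chain and RSA private key below are fixed test fixtures committed to the
// repository, so the key is public: it must never be used for anything except
// these tests.
//
// NOTE(review): the ELB name ("test-lb") and policy name ("foo-policy") are
// hard-coded, unlike the randomised certificate name; runs that share an AWS
// account and region may collide on them.
func testAccSslNegotiationPolicyConfig(certName string) string {
	return fmt.Sprintf(`
resource "aws_iam_server_certificate" "test_cert" {
  name = "%s"
  certificate_body = <<EOF
-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
zAYQVBuFaLoTi3Fs7g1s
-----END CERTIFICATE-----
EOF
  certificate_chain = <<EOF
-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
-----END CERTIFICATE-----
EOF
  private_key = <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
-----END RSA PRIVATE KEY-----
EOF
}
resource "aws_elb" "lb" {
  name = "test-lb"
  availability_zones = ["us-west-2a"]
  listener {
    instance_port = 8000
    instance_protocol = "https"
    lb_port = 443
    lb_protocol = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
  }
}
resource "aws_lb_ssl_negotiation_policy" "foo" {
  name = "foo-policy"
  load_balancer = "${aws_elb.lb.id}"
  lb_port = 443
  attribute {
    name = "Protocol-TLSv1"
    value = "false"
  }
  attribute {
    name = "Protocol-TLSv1.1"
    value = "false"
  }
  attribute {
    name = "Protocol-TLSv1.2"
    value = "true"
  }
  attribute {
    name = "Server-Defined-Cipher-Order"
    value = "true"
  }
  attribute {
    name = "ECDHE-RSA-AES128-GCM-SHA256"
    value = "true"
  }
  attribute {
    name = "AES128-GCM-SHA256"
    value = "true"
  }
  attribute {
    name = "EDH-RSA-DES-CBC3-SHA"
    value = "false"
  }
}
`, certName)
}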