Merge pull request #29482 from hashicorp/b-aws_loadbalancer_listener_…

…policy aws_load_balancer_listener_policy: add triggers argument
hashicorp · Feb 21, 2023 · 93fcd85 · 93fcd85
2 parents 96ab862 + 21f9529
commit 93fcd85
Show file tree

Hide file tree

Showing 7 changed files with 211 additions and 0 deletions.
diff --git a/.changelog/29482.txt b/.changelog/29482.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_load_balancer_listener_policy: Add `trigger` attribute to force resource updates
+```
+
+```release-note:enhancement
+resource/aws_lb_ssl_negotiation_policy: Add `trigger` attribute to force resource redeployment
+```
diff --git a/internal/service/elb/lb_ssl_negotiation_policy.go b/internal/service/elb/lb_ssl_negotiation_policy.go
@@ -55,6 +55,12 @@ func ResourceSSLNegotiationPolicy() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"triggers": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				ForceNew: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 	}
 }

diff --git a/internal/service/elb/lb_ssl_negotiation_policy_test.go b/internal/service/elb/lb_ssl_negotiation_policy_test.go
@@ -39,6 +39,41 @@ func TestAccELBSSLNegotiationPolicy_basic(t *testing.T) {
 	})
 }
 
+func TestAccELBSSLNegotiationPolicy_update(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	key := acctest.TLSRSAPrivateKeyPEM(t, 2048)
+	certificate := acctest.TLSRSAX509SelfSignedCertificatePEM(t, key, "example.com")
+	resourceName := "aws_lb_ssl_negotiation_policy.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, elb.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckLBSSLNegotiationPolicyDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLBSSLNegotiationPolicyConfig_update(rName, key, certificate, 0),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLBSSLNegotiationPolicy(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "attribute.#", "7"),
+				),
+			},
+			{
+				Config: testAccLBSSLNegotiationPolicyConfig_update(rName, key, certificate, 1),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLBSSLNegotiationPolicy(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "attribute.#", "7"),
+				),
+			},
+			{
+				Config:   testAccLBSSLNegotiationPolicyConfig_update(rName, key, certificate, 1),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func TestAccELBSSLNegotiationPolicy_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -184,3 +219,72 @@ resource "aws_lb_ssl_negotiation_policy" "test" {
 }
 `, rName, acctest.TLSPEMEscapeNewlines(certificate), acctest.TLSPEMEscapeNewlines(key)))
 }
+
+func testAccLBSSLNegotiationPolicyConfig_update(rName, key, certificate string, certToUse int) string {
+	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptIn(), fmt.Sprintf(`
+resource "aws_iam_server_certificate" "test" {
+  count            = 2
+  name_prefix      = %[1]q
+  certificate_body = "%[2]s"
+  private_key      = "%[3]s"
+}
+
+resource "aws_elb" "test" {
+  name               = %[1]q
+  availability_zones = [data.aws_availability_zones.available.names[0]]
+
+  listener {
+    instance_port      = 8000
+    instance_protocol  = "https"
+    lb_port            = 443
+    lb_protocol        = "https"
+    ssl_certificate_id = aws_iam_server_certificate.test[%[4]d].arn
+  }
+}
+
+resource "aws_lb_ssl_negotiation_policy" "test" {
+  name          = %[1]q
+  load_balancer = aws_elb.test.id
+  lb_port       = 443
+
+  attribute {
+    name  = "Protocol-TLSv1"
+    value = "false"
+  }
+
+  attribute {
+    name  = "Protocol-TLSv1.1"
+    value = "false"
+  }
+
+  attribute {
+    name  = "Protocol-TLSv1.2"
+    value = "true"
+  }
+
+  attribute {
+    name  = "Server-Defined-Cipher-Order"
+    value = "true"
+  }
+
+  attribute {
+    name  = "ECDHE-RSA-AES128-GCM-SHA256"
+    value = "true"
+  }
+
+  attribute {
+    name  = "AES128-GCM-SHA256"
+    value = "true"
+  }
+
+  attribute {
+    name  = "EDH-RSA-DES-CBC3-SHA"
+    value = "false"
+  }
+
+  triggers = {
+    certificate_arn = aws_iam_server_certificate.test[%[4]d].arn,
+  }
+}
+`, rName, acctest.TLSPEMEscapeNewlines(certificate), acctest.TLSPEMEscapeNewlines(key), certToUse))
+}
diff --git a/internal/service/elb/listener_policy.go b/internal/service/elb/listener_policy.go
@@ -38,6 +38,11 @@ func ResourceListenerPolicy() *schema.Resource {
 				Optional: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
+			"triggers": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 	}
 }

diff --git a/internal/service/elb/listener_policy_test.go b/internal/service/elb/listener_policy_test.go
@@ -39,6 +39,45 @@ func TestAccELBListenerPolicy_basic(t *testing.T) {
 	})
 }
 
+func TestAccELBListenerPolicy_update(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	key := acctest.TLSRSAPrivateKeyPEM(t, 2048)
+	certificate := acctest.TLSRSAX509SelfSignedCertificatePEM(t, key, "example.com")
+	resourceName := "aws_load_balancer_listener_policy.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, elb.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckListenerPolicyDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccListenerPolicyConfig_update(rName, key, certificate, 0),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckListenerPolicyExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "load_balancer_port", "443"),
+					resource.TestCheckResourceAttr(resourceName, "policy_names.#", "1"),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "policy_names.*", "aws_load_balancer_policy.test", "policy_name"),
+				),
+			},
+			{
+				Config: testAccListenerPolicyConfig_update(rName, key, certificate, 1),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckListenerPolicyExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "load_balancer_port", "443"),
+					resource.TestCheckResourceAttr(resourceName, "policy_names.#", "1"),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "policy_names.*", "aws_load_balancer_policy.test", "policy_name"),
+				),
+			},
+			{
+				Config:   testAccListenerPolicyConfig_update(rName, key, certificate, 1),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func TestAccELBListenerPolicy_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -154,3 +193,51 @@ resource "aws_load_balancer_listener_policy" "test" {
 }
 `, rName))
 }
+
+func testAccListenerPolicyConfig_update(rName, key, certificate string, certToUse int) string {
+	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptIn(), fmt.Sprintf(`
+resource "aws_iam_server_certificate" "test" {
+  count            = 2
+  name_prefix      = %[1]q
+  certificate_body = "%[2]s"
+  private_key      = "%[3]s"
+}
+
+resource "aws_elb" "test" {
+  name               = %[1]q
+  availability_zones = [data.aws_availability_zones.available.names[0]]
+
+  listener {
+    instance_port      = 443
+    instance_protocol  = "http"
+    lb_port            = 443
+    lb_protocol        = "https"
+    ssl_certificate_id = aws_iam_server_certificate.test[%[4]d].arn
+  }
+}
+
+resource "aws_load_balancer_policy" "test" {
+  load_balancer_name = aws_elb.test.name
+  policy_name        = %[1]q
+  policy_type_name   = "SSLNegotiationPolicyType"
+
+  policy_attribute {
+    name  = "Reference-Security-Policy"
+    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  }
+}
+
+resource "aws_load_balancer_listener_policy" "test" {
+  load_balancer_name = aws_elb.test.name
+  load_balancer_port = 443
+
+  policy_names = [
+    aws_load_balancer_policy.test.policy_name,
+  ]
+
+  triggers = {
+    certificate_arn = aws_iam_server_certificate.test[%[4]d].arn,
+  }
+}
+`, rName, acctest.TLSPEMEscapeNewlines(certificate), acctest.TLSPEMEscapeNewlines(key), certToUse))
+}
diff --git a/website/docs/r/lb_ssl_negotiation_policy.html.markdown b/website/docs/r/lb_ssl_negotiation_policy.html.markdown
@@ -81,6 +81,7 @@ balancer.
 * `attribute` - (Optional) An SSL Negotiation policy attribute. Each has two properties:
     * `name` - The name of the attribute
     * `value` - The value of the attribute
+* `triggers` - (Optional) Map of arbitrary keys and values that, when changed, will trigger a redeployment. To force a redeployment without changing these keys/values, use the [`terraform taint` command](https://www.terraform.io/docs/commands/taint.html).
 
 To set your attributes, please see the [AWS Elastic Load Balancing Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
 

diff --git a/website/docs/r/load_balancer_listener_policy.html.markdown b/website/docs/r/load_balancer_listener_policy.html.markdown
@@ -110,6 +110,7 @@ The following arguments are supported:
 * `load_balancer_name` - (Required) The load balancer to attach the policy to.
 * `load_balancer_port` - (Required) The load balancer listener port to apply the policy to.
 * `policy_names` - (Required) List of Policy Names to apply to the backend server.
+* `triggers` - (Optional) Map of arbitrary keys and values that, when changed, will trigger an update. To force an update without changing these keys/values, use the [`terraform taint` command](https://www.terraform.io/docs/commands/taint.html).
 
 ## Attributes Reference