r/aws_lb: Add enforce_security_group_inbound_rules_on_private_link_traffic

[evan-cleary]

Description

Adds the enforce_security_group_inbound_rules_on_private_link_traffic attribute to the aws_lb and aws_alb resources. This attribute controls whether inbound security group rules are checked for traffic originating from a PrivateLink.

This attribute is only supported by load_balancer_type = "network" resources.

"enforce_security_group_inbound_rules_on_private_link_traffic": {
	Type:             schema.TypeString,
	Optional:         true,
	Computed:         true,
	ValidateFunc:     validation.StringInSlice(elbv2.EnforceSecurityGroupInboundRulesOnPrivateLinkTrafficEnum_Values(), false),
	DiffSuppressFunc: suppressIfLBTypeNot(elbv2.LoadBalancerTypeEnumNetwork),
},

Valid values for the attribute are on and off per documentation and the API Enum. Went with computed for this attribute due to the fact that it can be managed outside of the terraform resource. Prior to implementation of this attribute, if organizations had set this manually on resource, applying the default on value could have the unintended side effect of turning inbound rule enforcement back on.

Tests Implemented

• If enforced unset, computed value should be "" if enforce never previously set.
• Existing LB with enforce = off
• Updating LB with enforce from off to on
• Updating LB with enforce from on to off
• Relinquish control of enforce and verify last value still present

Relations

Closes #33766

References

• SetSecurityGroups API Docs
• LB Security Group Docs

Output from Acceptance Testing

% make testacc TESTS='TestAccELBV2LoadBalancer_(NetworkLoadBalancer_(enforcePrivateLink|updateSecurityGroups)|ApplicationLoadBalancer_updatedSecurityGroups)' PKG=elbv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/elbv2/... -v -count 1 -parallel 20 -run='TestAccELBV2LoadBalancer_(NetworkLoadBalancer_(enforcePrivateLink|updateSecurityGroups)|ApplicationLoadBalancer_updatedSecurityGroups)'  -timeout 360m
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups (210.08s)
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink (308.52s)
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups (714.57s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/elbv2      716.603s

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[ewbankkit]

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccELBV2LoadBalancerDataSource_basic\|TestAccELBV2LoadBalancer_' PKG=elbv2 ACCTEST_PARALLELISM=3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/elbv2/... -v -count 1 -parallel 3  -run=TestAccELBV2LoadBalancerDataSource_basic\|TestAccELBV2LoadBalancer_ -timeout 360m
=== RUN   TestAccELBV2LoadBalancerDataSource_basic
=== PAUSE TestAccELBV2LoadBalancerDataSource_basic
=== RUN   TestAccELBV2LoadBalancer_ALB_basic
=== PAUSE TestAccELBV2LoadBalancer_ALB_basic
=== RUN   TestAccELBV2LoadBalancer_NLB_basic
=== PAUSE TestAccELBV2LoadBalancer_NLB_basic
=== RUN   TestAccELBV2LoadBalancer_LoadBalancerType_gateway
=== PAUSE TestAccELBV2LoadBalancer_LoadBalancerType_gateway
=== RUN   TestAccELBV2LoadBalancer_disappears
=== PAUSE TestAccELBV2LoadBalancer_disappears
=== RUN   TestAccELBV2LoadBalancer_nameGenerated
=== PAUSE TestAccELBV2LoadBalancer_nameGenerated
=== RUN   TestAccELBV2LoadBalancer_nameGeneratedForZeroValue
=== PAUSE TestAccELBV2LoadBalancer_nameGeneratedForZeroValue
=== RUN   TestAccELBV2LoadBalancer_namePrefix
=== PAUSE TestAccELBV2LoadBalancer_namePrefix
=== RUN   TestAccELBV2LoadBalancer_duplicateName
=== PAUSE TestAccELBV2LoadBalancer_duplicateName
=== RUN   TestAccELBV2LoadBalancer_tags
=== PAUSE TestAccELBV2LoadBalancer_tags
=== RUN   TestAccELBV2LoadBalancer_ipv6SubnetMapping
=== PAUSE TestAccELBV2LoadBalancer_ipv6SubnetMapping
=== RUN   TestAccELBV2LoadBalancer_LoadBalancerTypeGateway_enableCrossZoneLoadBalancing
=== PAUSE TestAccELBV2LoadBalancer_LoadBalancerTypeGateway_enableCrossZoneLoadBalancing
=== RUN   TestAccELBV2LoadBalancer_ALB_outpost
=== PAUSE TestAccELBV2LoadBalancer_ALB_outpost
=== RUN   TestAccELBV2LoadBalancer_networkLoadBalancerEIP
=== PAUSE TestAccELBV2LoadBalancer_networkLoadBalancerEIP
=== RUN   TestAccELBV2LoadBalancer_NLB_privateIPv4Address
=== PAUSE TestAccELBV2LoadBalancer_NLB_privateIPv4Address
=== RUN   TestAccELBV2LoadBalancer_backwardsCompatibility
=== PAUSE TestAccELBV2LoadBalancer_backwardsCompatibility
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateCrossZone
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateCrossZone
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatePreserveHostHeader
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatePreserveHostHeader
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDeletionProtection
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDeletionProtection
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWAFFailOpen
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWAFFailOpen
=== RUN   TestAccELBV2LoadBalancer_updateIPAddressType
=== PAUSE TestAccELBV2LoadBalancer_updateIPAddressType
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateSubnets
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateSubnets
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_noSecurityGroup
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_noSecurityGroup
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogs
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogs
=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogsPrefix
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogsPrefix
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogs
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogs
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogsPrefix
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogsPrefix
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateDNSRecordClientRoutingPolicy
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateDNSRecordClientRoutingPolicy
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
=== RUN   TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSubnets
=== PAUSE TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSubnets
=== RUN   TestAccELBV2LoadBalancer_updateDesyncMitigationMode
=== PAUSE TestAccELBV2LoadBalancer_updateDesyncMitigationMode
=== RUN   TestAccELBV2LoadBalancer_ALB_updateTLSVersionAndCipherSuite
=== PAUSE TestAccELBV2LoadBalancer_ALB_updateTLSVersionAndCipherSuite
=== RUN   TestAccELBV2LoadBalancer_ALB_updateXffHeaderProcessingMode
=== PAUSE TestAccELBV2LoadBalancer_ALB_updateXffHeaderProcessingMode
=== RUN   TestAccELBV2LoadBalancer_ALB_updateXffClientPort
=== PAUSE TestAccELBV2LoadBalancer_ALB_updateXffClientPort
=== CONT  TestAccELBV2LoadBalancerDataSource_basic
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatePreserveHostHeader
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogsPrefix
--- PASS: TestAccELBV2LoadBalancerDataSource_basic (207.80s)
=== CONT  TestAccELBV2LoadBalancer_updateDesyncMitigationMode
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatePreserveHostHeader (295.71s)
=== CONT  TestAccELBV2LoadBalancer_ALB_updateXffClientPort
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogsPrefix (342.01s)
=== CONT  TestAccELBV2LoadBalancer_ALB_updateXffHeaderProcessingMode
--- PASS: TestAccELBV2LoadBalancer_updateDesyncMitigationMode (315.51s)
=== CONT  TestAccELBV2LoadBalancer_ALB_updateTLSVersionAndCipherSuite
--- PASS: TestAccELBV2LoadBalancer_ALB_updateXffClientPort (292.20s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink
--- PASS: TestAccELBV2LoadBalancer_ALB_updateXffHeaderProcessingMode (293.34s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSubnets
--- PASS: TestAccELBV2LoadBalancer_ALB_updateTLSVersionAndCipherSuite (307.46s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_enforcePrivateLink (367.41s)
=== CONT  TestAccELBV2LoadBalancer_ipv6SubnetMapping
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSubnets (460.51s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields
--- PASS: TestAccELBV2LoadBalancer_ipv6SubnetMapping (237.03s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields (291.20s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateCrossZone
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2 (291.39s)
=== CONT  TestAccELBV2LoadBalancer_backwardsCompatibility
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateSecurityGroups (702.93s)
=== CONT  TestAccELBV2LoadBalancer_NLB_privateIPv4Address
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateCrossZone (292.33s)
=== CONT  TestAccELBV2LoadBalancer_networkLoadBalancerEIP
--- PASS: TestAccELBV2LoadBalancer_backwardsCompatibility (206.89s)
=== CONT  TestAccELBV2LoadBalancer_ALB_outpost
    acctest.go:1155: skipping since no Outposts found
--- SKIP: TestAccELBV2LoadBalancer_ALB_outpost (0.48s)
=== CONT  TestAccELBV2LoadBalancer_LoadBalancerTypeGateway_enableCrossZoneLoadBalancing
--- PASS: TestAccELBV2LoadBalancer_NLB_privateIPv4Address (214.65s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateDNSRecordClientRoutingPolicy
--- PASS: TestAccELBV2LoadBalancer_networkLoadBalancerEIP (211.19s)
=== CONT  TestAccELBV2LoadBalancer_nameGenerated
--- PASS: TestAccELBV2LoadBalancer_LoadBalancerTypeGateway_enableCrossZoneLoadBalancing (230.24s)
=== CONT  TestAccELBV2LoadBalancer_tags
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateDNSRecordClientRoutingPolicy (311.82s)
=== CONT  TestAccELBV2LoadBalancer_duplicateName
--- PASS: TestAccELBV2LoadBalancer_nameGenerated (202.20s)
=== CONT  TestAccELBV2LoadBalancer_namePrefix
--- PASS: TestAccELBV2LoadBalancer_tags (290.19s)
=== CONT  TestAccELBV2LoadBalancer_nameGeneratedForZeroValue
--- PASS: TestAccELBV2LoadBalancer_duplicateName (213.79s)
=== CONT  TestAccELBV2LoadBalancer_LoadBalancerType_gateway
--- PASS: TestAccELBV2LoadBalancer_namePrefix (211.15s)
=== CONT  TestAccELBV2LoadBalancer_disappears
--- PASS: TestAccELBV2LoadBalancer_nameGeneratedForZeroValue (209.45s)
=== CONT  TestAccELBV2LoadBalancer_NLB_basic
--- PASS: TestAccELBV2LoadBalancer_LoadBalancerType_gateway (205.43s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateSubnets
--- PASS: TestAccELBV2LoadBalancer_disappears (200.71s)
=== CONT  TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogs
--- PASS: TestAccELBV2LoadBalancer_NLB_basic (202.47s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogsPrefix
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateSubnets (265.01s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogs
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_accessLogs (379.55s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_noSecurityGroup
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogsPrefix (321.67s)
=== CONT  TestAccELBV2LoadBalancer_ALB_basic
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_noSecurityGroup (194.78s)
=== CONT  TestAccELBV2LoadBalancer_updateIPAddressType
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_accessLogs (360.18s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups
--- PASS: TestAccELBV2LoadBalancer_ALB_basic (220.14s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWAFFailOpen
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updatedSecurityGroups (247.66s)
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDeletionProtection
--- PASS: TestAccELBV2LoadBalancer_updateIPAddressType (275.19s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWAFFailOpen (307.13s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDeletionProtection (299.40s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/elbv2	3666.950s

US GovCloud

% make testacc TESTARGS='-run=TestAccELBV2LoadBalancerDataSource_basic\|TestAccELBV2LoadBalancer_ALB_basic\|TestAccELBV2LoadBalancer_NLB_basic' PKG=elbv2 ACCTEST_PARALLELISM=3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/elbv2/... -v -count 1 -parallel 3  -run=TestAccELBV2LoadBalancerDataSource_basic\|TestAccELBV2LoadBalancer_ALB_basic\|TestAccELBV2LoadBalancer_NLB_basic -timeout 360m
=== RUN   TestAccELBV2LoadBalancerDataSource_basic
=== PAUSE TestAccELBV2LoadBalancerDataSource_basic
=== RUN   TestAccELBV2LoadBalancer_ALB_basic
=== PAUSE TestAccELBV2LoadBalancer_ALB_basic
=== RUN   TestAccELBV2LoadBalancer_NLB_basic
=== PAUSE TestAccELBV2LoadBalancer_NLB_basic
=== CONT  TestAccELBV2LoadBalancerDataSource_basic
=== CONT  TestAccELBV2LoadBalancer_NLB_basic
=== CONT  TestAccELBV2LoadBalancer_ALB_basic
=== NAME  TestAccELBV2LoadBalancer_NLB_basic
    load_balancer_test.go:118: Step 1/1 error: Error running apply: exit status 1
        
        Error: failure configuring LB attributes: InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'
        	status code: 400, request id: 48aa8f95-9df3-41c8-a00f-e0ed282034dc
        
          with aws_lb.test,
          on terraform_plugin_test.tf line 42, in resource "aws_lb" "test":
          42: resource "aws_lb" "test" {
        
--- FAIL: TestAccELBV2LoadBalancer_NLB_basic (183.38s)
--- PASS: TestAccELBV2LoadBalancer_ALB_basic (208.17s)
--- PASS: TestAccELBV2LoadBalancerDataSource_basic (208.51s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/elbv2	213.970s
FAIL
make: *** [testacc] Error 1

Failure is unrelated to this change. See #34140.

[ewbankkit]

@evan-cleary Thanks for the contribution 🎉 👏.

[wenfengp]

Hi @ewbankkit, can we merge the #34140 to unblock the US GovCloud provisioning with the latest TF AWS provider? Thanks!

[github-actions]

This functionality has been released in v5.30.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.