Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add drop_invalid_header_fields to AWS ALB Resource #11257

Merged
merged 4 commits into from
Mar 16, 2020
Merged

Add drop_invalid_header_fields to AWS ALB Resource #11257

merged 4 commits into from
Mar 16, 2020

Conversation

kireledan
Copy link
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #10862

Release note for CHANGELOG:

* resource/aws_lb: Add drop_invalid_header_fields argument (#10862)

Output from acceptance testing:

 ❯ make testacc TEST=./aws TESTARGS='-run=TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields'                  [12:11:14]
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields -timeout 120m
=== RUN   TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields
=== PAUSE TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields
=== CONT  TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields
--- PASS: TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields (435.52s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       436.321s..

@kireledan kireledan requested a review from a team December 11, 2019 20:48
@ghost ghost added size/M Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. service/elbv2 Issues and PRs that pertain to the elbv2 service. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Dec 11, 2019
@jonDowdle
Copy link

@bflad Any chance you could take a look at this?

@paultyng paultyng removed the needs-triage Waiting for first response or review from a maintainer. label Jan 9, 2020
kireledan added 4 commits January 13, 2020 12:21
resource/aws_lb: Add drop invalid headers attribute
b53e346 
Amazon application load balancers have an option to drop invalid
headers. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html

This commit adds the attribute to the aws_lb resource with its
respective default (false).
tests/resource/aws_lb: Add test for dropping invalid headers
d8cf8a8 
This commit adds the proper acceptance tests for creating / updating
load balancers with the drop invalid headers attribute.
data/resource/aws_lb: Add drop_invalid_header_fields
88d9ef8 
This commit adds the data for the new drop_invalid_header_fields
attribute for the aws load balancer.
docs/resource/aws_lb: Add documentation for new drop_invalid_header flag
fcfa5ff 
This commit adds the documentation for the new
drop_invalid_header_fields attribute for aws application load balancers.
Sourced from
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html.
@kireledan
Copy link
Contributor Author

Rebased against master

@jonDowdle
Copy link

Can this get eyes on it? We haven't heard anything back yet.

@jonDowdle
Copy link

@paultyng I saw you removed the needs-triage label. Is there anything we need to do before this can be merged?

@BRMatt
Copy link

BRMatt commented Mar 13, 2020
edited
Loading

We came across this today after seeing a slack security bounty on http request smugging, and a comment about the implications on AWS ALBs on hackernews. Apparently the AWS ALB does not drop invalid headers by default, which opens the door for attackers to exploit vulnerable systems behind the ALB.

It would be helpful if we could configure this option with terraform to prevent this kind of exploit.

@jonDowdle
Copy link

Agreed. This has been waiting for 3 months now. I'm not sure who or what needs to happen for it to get merged.

@bflad bflad self-assigned this Mar 16, 2020
@bflad bflad added the enhancement Requests to existing resources that expand the functionality or scope. label Mar 16, 2020
@bflad bflad added this to the v2.54.0 milestone Mar 16, 2020
bflad
bflad approved these changes Mar 16, 2020
View reviewed changes
Copy link
Contributor

@bflad bflad left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks @kireledan 🚀

Output from acceptance testing:

--- PASS: TestAccAWSLB_ALB_AccessLogs (300.79s)
--- PASS: TestAccAWSLB_ALB_AccessLogs_Prefix (233.57s)
--- PASS: TestAccAWSLB_ALB_basic (186.52s)
--- PASS: TestAccAWSLB_applicationLoadBalancer_updateDeletionProtection (245.95s)
--- PASS: TestAccAWSLB_applicationLoadBalancer_updateDropInvalidHeaderFields (266.58s)
--- PASS: TestAccAWSLB_applicationLoadBalancer_updateHttp2 (255.14s)
--- PASS: TestAccAWSLB_generatedName (161.51s)
--- PASS: TestAccAWSLB_generatesNameForZeroValue (175.70s)
--- PASS: TestAccAWSLB_namePrefix (164.32s)
--- PASS: TestAccAWSLB_networkLoadbalancer_subnet_change (206.46s)
--- PASS: TestAccAWSLB_networkLoadbalancer_updateCrossZone (309.71s)
--- PASS: TestAccAWSLB_networkLoadbalancerEIP (253.74s)
--- PASS: TestAccAWSLB_NLB_AccessLogs (321.22s)
--- PASS: TestAccAWSLB_NLB_AccessLogs_Prefix (294.94s)
--- PASS: TestAccAWSLB_NLB_basic (211.48s)
--- PASS: TestAccAWSLB_noSecurityGroup (259.76s)
--- PASS: TestAccAWSLB_tags (247.25s)
--- PASS: TestAccAWSLB_updatedIpAddressType (227.20s)
--- PASS: TestAccAWSLB_updatedSecurityGroups (206.30s)
--- PASS: TestAccAWSLB_updatedSubnets (207.97s)

--- PASS: TestAccDataSourceAWSLB_basic (217.50s)

--- PASS: TestAccDataSourceAWSLBBackwardsCompatibility (160.35s)

aws/data_source_aws_lb.go
@@ -103,6 +103,11 @@ func dataSourceAwsLb() *schema.Resource {
Computed: true,
},

"drop_invalid_header_fields": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This new attribute is missing documentation in website/docs/d/lb.html.markdown

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah looks like that data source documentation is still using the older style of referencing the resource documentation:

See the [LB Resource](/docs/providers/aws/r/lb.html) for details on the
returned attributes - they are identical.

So this is fine. 👍

@bflad bflad merged commit 956f2e6 into hashicorp:master Mar 16, 2020
bflad added a commit that referenced this pull request Mar 16, 2020
@bflad
Update CHANGELOG for #11257
aa57545
@kireledan kireledan deleted the kireledan/aws-lb-header-opt branch March 16, 2020 17:44
@kireledan kireledan restored the kireledan/aws-lb-header-opt branch March 16, 2020 17:44
@kireledan kireledan deleted the kireledan/aws-lb-header-opt branch March 16, 2020 17:44
@kireledan kireledan restored the kireledan/aws-lb-header-opt branch March 16, 2020 17:45
@ghost
Copy link

ghost commented Mar 19, 2020

This has been released in version 2.54.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Apr 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bflad bflad bflad approved these changes

Assignees

@bflad bflad

Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/elbv2 Issues and PRs that pertain to the elbv2 service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
v2.54.0
Development

Successfully merging this pull request may close these issues.

aws_lb needs to support setting the drop_invalid_header_fields setting
5 participants
@kireledan @jonDowdle @BRMatt @bflad @paultyng