From 070b2b9d597b8895c02b981e1090d79f5faee6a3 Mon Sep 17 00:00:00 2001
From: Jeremy Livingston
Date: Mon, 13 Mar 2017 14:49:39 -0400
Subject: [PATCH] Add Fastly SSL validation fields (#12578)
* Add Fastly SSL validation fields The ssl_hostname field has been deprecated by Fastly. Instead the new standard is to use the ssl_cert_hostname and ssl_sni_hostname fields: - ssl_cert_hostname: Used only for certificate verification. - ssl_sni_hostname: Used only for SNI in the handshake. Add these fields to the backend block to better support SSL services. * Add deprecation notice for ssl_hostname
---
 .../fastly/resource_fastly_service_v1.go | 17 +++++++++++++++++
 .../fastly/resource_fastly_service_v1_test.go | 4 ++++
 .../providers/fastly/r/service_v1.html.markdown | 4 +++-
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/builtin/providers/fastly/resource_fastly_service_v1.go b/builtin/providers/fastly/resource_fastly_service_v1.go
index 1fd709c6f..da734c9f0 100644
--- a/builtin/providers/fastly/resource_fastly_service_v1.go
+++ b/builtin/providers/fastly/resource_fastly_service_v1.go
@@ -189,6 +189,19 @@ func resourceServiceV1() *schema.Resource {
 Optional: true,
 Default: "",
 Description: "SSL certificate hostname",
+ Deprecated: "Use ssl_cert_hostname and ssl_sni_hostname instead.",
+ },
+ "ssl_cert_hostname": {
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "",
+ Description: "SSL certificate hostname for cert verification",
+ },
+ "ssl_sni_hostname": {
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "",
+ Description: "SSL certificate hostname for SNI verification",
 },
 // UseSSL is something we want to support in the future, but
 // requires SSL setup we don't yet have
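Review bot: The Description added for `ssl_sni_hostname` ("SSL certificate hostname for SNI verification") blurs the one distinction these two fields exist to make: per the commit message, SNI is only the name sent in the handshake, and only `ssl_cert_hostname` is used for certificate verification. I would word them `Description: "Hostname the backend certificate is verified against",` and `Description: "Hostname sent as SNI in the TLS handshake",` so that nobody sets the SNI field expecting it to change what the certificate is checked against. Both new fields default to the empty string and nothing in this hunk relates them to the deprecated `ssl_hostname`, so which value applies when all three are set is decided outside the visible code; a one-line comment above the new entries saying so would help. resourceServiceV1 starts and ends outside the hunk.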
@@ -1011,6 +1024,8 @@ func resourceServiceV1Update(d *schema.ResourceData, meta interface{}) error {
 AutoLoadbalance: gofastly.CBool(df["auto_loadbalance"].(bool)),
 SSLCheckCert: gofastly.CBool(df["ssl_check_cert"].(bool)),
 SSLHostname: df["ssl_hostname"].(string),
+ SSLCertHostname: df["ssl_cert_hostname"].(string),
+ SSLSNIHostname: df["ssl_sni_hostname"].(string),
 Shield: df["shield"].(string),
 Port: uint(df["port"].(int)),
 BetweenBytesTimeout: uint(df["between_bytes_timeout"].(int)),
@@ -1917,6 +1932,8 @@ func flattenBackends(backendList []*gofastly.Backend) []map[string]interface{} {
 "shield": b.Shield,
 "ssl_check_cert": gofastly.CBool(b.SSLCheckCert),
 "ssl_hostname": b.SSLHostname,
+ "ssl_cert_hostname": b.SSLCertHostname,
+ "ssl_sni_hostname": b.SSLSNIHostname,
 "weight": int(b.Weight),
 "request_condition": b.RequestCondition,
 }
diff --git a/builtin/providers/fastly/resource_fastly_service_v1_test.go b/builtin/providers/fastly/resource_fastly_service_v1_test.go
index 0dba2f8a6..c05006138 100644
--- a/builtin/providers/fastly/resource_fastly_service_v1_test.go
+++ b/builtin/providers/fastly/resource_fastly_service_v1_test.go
@@ -73,6 +73,8 @@ func TestResourceFastlyFlattenBackend(t *testing.T) {
 RequestCondition: "",
 SSLCheckCert: true,
 SSLHostname: "",
+ SSLCertHostname: "",
+ SSLSNIHostname: "",
 Shield: "New York",
 Weight: uint(100),
 },
@@ -91,6 +93,8 @@ func TestResourceFastlyFlattenBackend(t *testing.T) {
 "request_condition": "",
 "ssl_check_cert": gofastly.CBool(true),
 "ssl_hostname": "",
+ "ssl_cert_hostname": "",
+ "ssl_sni_hostname": "",
 "shield": "New York",
 "weight": 100,
 },
diff --git a/website/source/docs/providers/fastly/r/service_v1.html.markdown b/website/source/docs/providers/fastly/r/service_v1.html.markdown
index 994ad7f82..fa995c367 100644
--- a/website/source/docs/providers/fastly/r/service_v1.html.markdown
+++ b/website/source/docs/providers/fastly/r/service_v1.html.markdown
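Review bot: In both TestResourceFastlyFlattenBackend hunks the new fields are the empty string in the input backend and in the expected map, so the test still passes if `ssl_cert_hostname` and `ssl_sni_hostname` are swapped in flattenBackends (the hunk at -1917). One name decides what the backend certificate is verified against and the other only the SNI value, so a swap would change certificate validation without any test noticing. Give the input distinct non-empty values, for example the constructed samples `SSLCertHostname: "cert.example.com",` and `SSLSNIHostname: "sni.example.com",`, and put the same two values in the expected map. The update-path mapping in the hunk at -1011 has no test visible on this page, and the test function continues outside both hunks.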
@@ -180,7 +180,9 @@ Default `200`.
 * `port` - (Optional) The port number on which the Backend responds. Default `80`.
 * `request_condition` - (Optional, string) Name of already defined `condition`, which if met, will select this backend during a request.
 * `ssl_check_cert` - (Optional) Be strict about checking SSL certs. Default `true`.
-* `ssl_hostname` - (Optional) Used for both SNI during the TLS handshake and to validate the cert.
+* `ssl_hostname` - (Optional, deprecated by Fastly) Used for both SNI during the TLS handshake and to validate the cert.
+* `ssl_cert_hostname` - (Optional) Overrides ssl_hostname, but only for cert verification. Does not affect SNI at all.
+* `ssl_sni_hostname` - (Optional) Overrides ssl_hostname, but only for SNI in the handshake. Does not affect cert validation at all.
 * `shield` - (Optional) The POP of the shield designated to reduce inbound load.
 * `weight` - (Optional) The [portion of traffic](https://docs.fastly.com/guides/performance-tuning/load-balancing-configuration.html#how-weight-affects-load-balancing) to send to this Backend. Each Backend receives `weight / total` of the traffic. Default `100`.