ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Fastly SSL validation fields (#12578) 

* Add Fastly SSL validation fields

The ssl_hostname field has been deprecated by Fastly. Instead the new
standard is to use the ssl_cert_hostname and ssl_sni_hostname fields:

- ssl_cert_hostname: Used only for certificate verification.
- ssl_sni_hostname: Used only for SNI in the handshake.

Add these fields to the backend block to better support SSL services.

* Add deprecation notice for ssl_hostname
This commit is contained in:
Jeremy Livingston 2017-03-13 14:49:39 -04:00 committed by Paul Stack
parent 5ddf73146f
commit 070b2b9d59
3 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
builtin/providers/fastly/resource_fastly_service_v1.go
View File

@ -189,6 +189,19 @@ func resourceServiceV1() *schema.Resource {
Optional: true, Optional: true,
Default: "", Default: "",
Description: "SSL certificate hostname", Description: "SSL certificate hostname",
Deprecated: "Use ssl_cert_hostname and ssl_sni_hostname instead.",
},
"ssl_cert_hostname": {
Type: schema.TypeString,
Optional: true,
Default: "",
Description: "SSL certificate hostname for cert verification",
},
"ssl_sni_hostname": {
Type: schema.TypeString,
Optional: true,
Default: "",
Description: "SSL certificate hostname for SNI verification",
}, },
// UseSSL is something we want to support in the future, but // UseSSL is something we want to support in the future, but
// requires SSL setup we don't yet have // requires SSL setup we don't yet have
@ -1011,6 +1024,8 @@ func resourceServiceV1Update(d *schema.ResourceData, meta interface{}) error {
AutoLoadbalance: gofastly.CBool(df["auto_loadbalance"].(bool)), AutoLoadbalance: gofastly.CBool(df["auto_loadbalance"].(bool)),
SSLCheckCert: gofastly.CBool(df["ssl_check_cert"].(bool)), SSLCheckCert: gofastly.CBool(df["ssl_check_cert"].(bool)),
SSLHostname: df["ssl_hostname"].(string), SSLHostname: df["ssl_hostname"].(string),
SSLCertHostname: df["ssl_cert_hostname"].(string),
SSLSNIHostname: df["ssl_sni_hostname"].(string),
Shield: df["shield"].(string), Shield: df["shield"].(string),
Port: uint(df["port"].(int)), Port: uint(df["port"].(int)),
BetweenBytesTimeout: uint(df["between_bytes_timeout"].(int)), BetweenBytesTimeout: uint(df["between_bytes_timeout"].(int)),
@ -1917,6 +1932,8 @@ func flattenBackends(backendList []*gofastly.Backend) []map[string]interface{} {
"shield": b.Shield, "shield": b.Shield,
"ssl_check_cert": gofastly.CBool(b.SSLCheckCert), "ssl_check_cert": gofastly.CBool(b.SSLCheckCert),
"ssl_hostname": b.SSLHostname, "ssl_hostname": b.SSLHostname,
"ssl_cert_hostname": b.SSLCertHostname,
"ssl_sni_hostname": b.SSLSNIHostname,
"weight": int(b.Weight), "weight": int(b.Weight),
"request_condition": b.RequestCondition, "request_condition": b.RequestCondition,
} }

4
builtin/providers/fastly/resource_fastly_service_v1_test.go
View File

@ -73,6 +73,8 @@ func TestResourceFastlyFlattenBackend(t *testing.T) {
RequestCondition: "", RequestCondition: "",
SSLCheckCert: true, SSLCheckCert: true,
SSLHostname: "", SSLHostname: "",
SSLCertHostname: "",
SSLSNIHostname: "",
Shield: "New York", Shield: "New York",
Weight: uint(100), Weight: uint(100),
}, },
@ -91,6 +93,8 @@ func TestResourceFastlyFlattenBackend(t *testing.T) {
"request_condition": "", "request_condition": "",
"ssl_check_cert": gofastly.CBool(true), "ssl_check_cert": gofastly.CBool(true),
"ssl_hostname": "", "ssl_hostname": "",
"ssl_cert_hostname": "",
"ssl_sni_hostname": "",
"shield": "New York", "shield": "New York",
"weight": 100, "weight": 100,
}, },

4
website/source/docs/providers/fastly/r/service_v1.html.markdown
View File

@ -180,7 +180,9 @@ Default `200`.
* `port` - (Optional) The port number on which the Backend responds. Default `80`. * `port` - (Optional) The port number on which the Backend responds. Default `80`.
* `request_condition` - (Optional, string) Name of already defined `condition`, which if met, will select this backend during a request. * `request_condition` - (Optional, string) Name of already defined `condition`, which if met, will select this backend during a request.
* `ssl_check_cert` - (Optional) Be strict about checking SSL certs. Default `true`. * `ssl_check_cert` - (Optional) Be strict about checking SSL certs. Default `true`.
* `ssl_hostname` - (Optional) Used for both SNI during the TLS handshake and to validate the cert. * `ssl_hostname` - (Optional, deprecated by Fastly) Used for both SNI during the TLS handshake and to validate the cert.
* `ssl_cert_hostname` - (Optional) Overrides ssl_hostname, but only for cert verification. Does not affect SNI at all.
* `ssl_sni_hostname` - (Optional) Overrides ssl_hostname, but only for SNI in the handshake. Does not affect cert validation at all.
* `shield` - (Optional) The POP of the shield designated to reduce inbound load. * `shield` - (Optional) The POP of the shield designated to reduce inbound load.
* `weight` - (Optional) The [portion of traffic](https://docs.fastly.com/guides/performance-tuning/load-balancing-configuration.html#how-weight-affects-load-balancing) to send to this Backend. Each Backend receives `weight / total` of the traffic. Default `100`. * `weight` - (Optional) The [portion of traffic](https://docs.fastly.com/guides/performance-tuning/load-balancing-configuration.html#how-weight-affects-load-balancing) to send to this Backend. Each Backend receives `weight / total` of the traffic. Default `100`.