providers/aws: Document and validate ELB ssl_cert and protocol requirements

2015-11-12 11:10:52 -06:00 · 2015-11-12 11:10:52 -06:00 · fddafd2b96
parent dcf40661c8
commit fddafd2b96
3 changed files with 50 additions and 5 deletions
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@ -44,7 +44,23 @@ func expandListeners(configured []interface{}) ([]*elb.Listener, error) {
 			l.SSLCertificateId = aws.String(v.(string))
 		}

-		listeners = append(listeners, l)
+                var valid bool
+                if l.SSLCertificateId != nil && *l.SSLCertificateId != "" {
+                        // validate the protocol is correct
+                        for _, p := range []string{"https", "ssl"} {
+                                if (*l.InstanceProtocol == p) || (*l.Protocol == p) {
+                                        valid = true
+                                }
+                        }
+                } else {
+                        valid = true
+                }
+
+                if valid {
+                        listeners = append(listeners, l)
+                } else {
+                        return nil, fmt.Errorf("[ERR] Invalid ssl_certificate_id / Protocol combination. Must be either HTTPS or SSL")
+                }
 	}

 	return listeners, nil
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@ -2,6 +2,7 @@ package aws

 import (
 	"reflect"
+        "strings"
 	"testing"

 	"github.com/aws/aws-sdk-go/aws"
@ -314,7 +315,31 @@ func TestExpandListeners(t *testing.T) {
 			listeners[0],
 			expected)
 	}
+}

+// this test should produce an error from expandlisteners on an invalid
+// combination
+func TestExpandListeners_invalid(t *testing.T) {
+        expanded := []interface{}{
+                map[string]interface{}{
+                        "instance_port":      8000,
+                        "lb_port":            80,
+                        "instance_protocol":  "http",
+                        "lb_protocol":        "http",
+                        "ssl_certificate_id": "something",
+                },
+        }
+        _, err := expandListeners(expanded)
+        if err != nil {
+                // Check the error we got
+                if !strings.Contains(err.Error(), "Protocol combination") {
+                        t.Fatalf("Got error in TestExpandListeners_invalid, but not what we expected: %s", err)
+                }
+        }
+
+        if err == nil {
+                t.Fatalf("Expected TestExpandListeners_invalid to fail, but passed")
+        }
 }

 func TestFlattenHealthCheck(t *testing.T) {
--- a/website/source/docs/providers/aws/r/elb.html.markdown
+++ b/website/source/docs/providers/aws/r/elb.html.markdown
@ -33,7 +33,7 @@ resource "aws_elb" "bar" {

  listener {
    instance_port = 8000
-    instance_protocol = "http"
+    instance_protocol = "https"
    lb_port = 443
    lb_protocol = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
@ -90,10 +90,14 @@ Access Logs support the following:
 Listeners support the following:

 * `instance_port` - (Required) The port on the instance to route to
-* `instance_protocol` - (Required) The protocol to use to the instance.
+* `instance_protocol` - (Required) The protocol to use to the instance. Valid
+  values are `HTTP`, `HTTPS`, `TCP`, or `SSL`
 * `lb_port` - (Required) The port to listen on for the load balancer
-* `lb_protocol` - (Required) The protocol to listen on.
-* `ssl_certificate_id` - (Optional) The id of an SSL certificate you have uploaded to AWS IAM.
+* `lb_protocol` - (Required) The protocol to listen on. Valid values are `HTTP`,
+  `HTTPS`, `TCP`, or `SSL`
+* `ssl_certificate_id` - (Optional) The id of an SSL certificate you have
+uploaded to AWS IAM. **Only valid when `instance_protocol` and
+  `lb_protocol` are either HTTPS or SSL**

 Health Check supports the following: