From ec15ec5a525fcccac8aa9cc191bb9a881a1f5b5f Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 11:16:42 +0000 Subject: [PATCH 01/12] r-aws_lb: add desync_mitigation_mode attribute --- internal/service/elbv2/load_balancer.go | 29 +++++ internal/service/elbv2/load_balancer_test.go | 128 +++++++++++++++++++ website/docs/r/lb.html.markdown | 1 + 3 files changed, 158 insertions(+) diff --git a/internal/service/elbv2/load_balancer.go b/internal/service/elbv2/load_balancer.go index 0b9d74c9340..a5faa8ca394 100644 --- a/internal/service/elbv2/load_balancer.go +++ b/internal/service/elbv2/load_balancer.go @@ -251,6 +251,18 @@ func ResourceLoadBalancer() *schema.Resource { Computed: true, }, + "desync_mitigation_mode": { + Type: schema.TypeString, + Optional: true, + Default: "defensive", + ValidateFunc: validation.StringInSlice([]string{ + "monitor", + "defensive", + "strictest", + }, false), + DiffSuppressFunc: suppressIfLBTypeNot(elbv2.LoadBalancerTypeEnumApplication), + }, + "tags": tftags.TagsSchema(), "tags_all": tftags.TagsSchemaComputed(), }, @@ -263,6 +275,12 @@ func suppressIfLBType(t string) schema.SchemaDiffSuppressFunc { } } +func suppressIfLBTypeNot(t string) schema.SchemaDiffSuppressFunc { + return func(k string, old string, new string, d *schema.ResourceData) bool { + return d.Get("load_balancer_type").(string) != t + } +} + func resourceLoadBalancerCreate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*conns.AWSClient).ELBV2Conn defaultTagsConfig := meta.(*conns.AWSClient).DefaultTagsConfig 
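Review bot: A `desync_mitigation_mode` configured on a `network` or `gateway` load balancer is silently discarded: the new schema entry's `DiffSuppressFunc: suppressIfLBTypeNot(elbv2.LoadBalancerTypeEnumApplication)` hides the diff and, as far as the update hunk later in this patch shows, the attribute is only sent in the application branch, so `desync_mitigation_mode = "strictest"` on an NLB produces neither an error nor a change. For a security control a silent no-op is worse than a hard failure, and the `Default: "defensive"` makes it impossible to tell from state whether the user asked for anything. A `CustomizeDiff` on the resource (outside this hunk) could reject a non-default value for non-ALB types, e.g. `if d.Get("load_balancer_type").(string) != elbv2.LoadBalancerTypeEnumApplication && d.Get("desync_mitigation_mode").(string) != "defensive" { return fmt.Errorf("desync_mitigation_mode is only supported for application load balancers") }`. If other ALB-only attributes in this schema already rely on the same suppress-and-ignore pattern, the restriction should at least be stated in the argument documentation.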
@@ -468,6 +486,13 @@ func resourceLoadBalancerUpdate(d *schema.ResourceData, meta interface{}) error }) } + if d.HasChange("desync_mitigation_mode") || d.IsNewResource() { + attributes = append(attributes, &elbv2.LoadBalancerAttribute{ + Key: aws.String("routing.http.desync_mitigation_mode"), + Value: aws.String(d.Get("desync_mitigation_mode").(string)), + }) + } + case elbv2.LoadBalancerTypeEnumGateway, elbv2.LoadBalancerTypeEnumNetwork: if d.HasChange("enable_cross_zone_load_balancing") || d.IsNewResource() { attributes = append(attributes, &elbv2.LoadBalancerAttribute{ @@ -805,6 +830,10 @@ func flattenResource(d *schema.ResourceData, meta interface{}, lb *elbv2.LoadBal crossZoneLbEnabled := aws.StringValue(attr.Value) == "true" log.Printf("[DEBUG] Setting NLB Cross Zone Load Balancing Enabled: %t", crossZoneLbEnabled) d.Set("enable_cross_zone_load_balancing", crossZoneLbEnabled) + case "routing.http.desync_mitigation_mode": + desyncMitigationMode := aws.StringValue(attr.Value) + log.Printf("[DEBUG] Setting ALB Desync Mitigation Mode: %s", desyncMitigationMode) + d.Set("desync_mitigation_mode", desyncMitigationMode) } } diff --git a/internal/service/elbv2/load_balancer_test.go b/internal/service/elbv2/load_balancer_test.go index a4781f48c60..9fe2fedb377 100644 --- a/internal/service/elbv2/load_balancer_test.go +++ b/internal/service/elbv2/load_balancer_test.go @@ -92,6 +92,7 @@ func TestAccELBV2LoadBalancer_ALB_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "tags.Name", "TestAccAWSALB_basic"), resource.TestCheckResourceAttrSet(resourceName, "vpc_id"), resource.TestCheckResourceAttrSet(resourceName, "zone_id"), + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "defensive"), ), }, }, 
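Review bot: The `routing.http.desync_mitigation_mode` append is the only place this setting is written and it carries no comment on what the three values do to live traffic, so a later reader sees just an opaque string. Per AWS's documented semantics (worth confirming against the current ELB docs), `monitor` lets every request through and only records classifications, while `strictest` rejects anything not strictly RFC 7230 compliant, so moving to `strictest` can start dropping sloppy-but-legitimate client traffic immediately after apply. A one-line comment above the append, such as `// Traffic-affecting: "monitor" only logs classifications, "strictest" can reject non-RFC 7230 requests as soon as the attribute is modified.`, would make that explicit. The `switch` on `load_balancer_type` enclosing this `case` starts outside the hunk.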
@@ -1108,6 +1109,55 @@ func TestAccELBV2LoadBalancer_NetworkLoadBalancerSubnet_change(t *testing.T) { }) } +func TestAccAWSLB_applicationLoadBalancer_updateDesyncMitigationMode(t *testing.T) { + var pre, mid, post elbv2.LoadBalancer + lbName := fmt.Sprintf("testaccawsalb-desync-%s", sdkacctest.RandString(4)) + resourceName := "aws_lb.lb_test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ErrorCheck: acctest.ErrorCheck(t, elbv2.EndpointsID), + Providers: acctest.Providers, + CheckDestroy: testAccCheckLoadBalancerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLBConfig_desyncMitigationMode(lbName, "strictest"), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckLoadBalancerExists(resourceName, &pre), + testAccCheckLoadBalancerAttribute(resourceName, "routing.http.desync_mitigation_mode", "strictest"), + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "strictest"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSLBConfig_desyncMitigationMode(lbName, "monitor"), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckLoadBalancerExists(resourceName, &mid), + testAccCheckLoadBalancerAttribute(resourceName, "routing.http.desync_mitigation_mode", "monitor"), + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "monitor"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSLBConfig_desyncMitigationMode(lbName, "defensive"), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckLoadBalancerExists(resourceName, &post), + testAccCheckLoadBalancerAttribute(resourceName, "routing.http.desync_mitigation_mode", "defensive"), + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "defensive"), + ), + }, + }, + }) +} + func testAccChecklbARNs(pre, post *elbv2.LoadBalancer) 
resource.TestCheckFunc { return func(s *terraform.State) error { if aws.StringValue(pre.LoadBalancerArn) != aws.StringValue(post.LoadBalancerArn) { @@ -2853,3 +2903,81 @@ resource "aws_security_group" "alb_test" { } `, lbName)) } + +func testAccAWSLBConfig_desyncMitigationMode(lbName string, mode string) string { + return fmt.Sprintf(` + resource "aws_lb" "lb_test" { + name = "%s" + internal = true + security_groups = ["${aws_security_group.alb_test.id}"] + subnets = "${aws_subnet.alb_test.*.id}" + + idle_timeout = 30 + enable_deletion_protection = false + + desync_mitigation_mode = %q + + tags = { + Name = "TestAccAWSALB_desync" + } + } + + variable "subnets" { + default = ["10.0.1.0/24", "10.0.2.0/24"] + type = list + } + + data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } + } + + resource "aws_vpc" "alb_test" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "terraform-testacc-lb-desync" + } + } + + resource "aws_subnet" "alb_test" { + count = 2 + vpc_id = "${aws_vpc.alb_test.id}" + cidr_block = "${element(var.subnets, count.index)}" + map_public_ip_on_launch = true + availability_zone = "${element(data.aws_availability_zones.available.names, count.index)}" + + tags = { + Name = "tf-acc-lb-desync-${count.index}" + } + } + + resource "aws_security_group" "alb_test" { + name = "allow_all_alb_test_desync" + description = "Used for ALB Testing" + vpc_id = "${aws_vpc.alb_test.id}" + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "TestAccAWSALB_desync" + } + } + `, lbName, mode) +} diff --git a/website/docs/r/lb.html.markdown b/website/docs/r/lb.html.markdown index d572957f1ee..8f8cb1b88a7 100644 --- a/website/docs/r/lb.html.markdown +++ b/website/docs/r/lb.html.markdown 
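Review bot: The ALB steps cover strictest → monitor → defensive but never the case where the attribute is removed from the configuration after being set, which is the path that relies on `Default: "defensive"` to revert the load balancer; the classic ELB test in patch 03 of this series does cover it via `_update_default`. Add a step whose config omits `desync_mitigation_mode` after the `strictest` step and assert `testAccCheckLoadBalancerAttribute(resourceName, "routing.http.desync_mitigation_mode", "defensive")`, which also exercises the `d.HasChange` branch in `resourceLoadBalancerUpdate` rather than only the explicit-value path. `testAccAWSLBConfig_desyncMitigationMode` only accepts a mode string, so a second config helper (or an empty-string-means-omit branch) would be needed. The hunk's trailing context belongs to `testAccChecklbARNs`, whose body continues outside it.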
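Review bot: The fixture opens `aws_security_group.alb_test` to `0.0.0.0/0` on all protocols and sets `map_public_ip_on_launch = true` on both subnets, neither of which an `internal = true` load balancer needs; if a test run leaks resources they sit with a wide-open ingress rule for no benefit. Restrict ingress to the test VPC, `cidr_blocks = [aws_vpc.alb_test.cidr_block]`, and drop `map_public_ip_on_launch = true`. `variable "subnets"` also uses the legacy untyped `type = list`; `type = list(string)` is the current form. This fixture is reformatted again in patch 07 of this series, so the change should be made against that version.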
@@ -122,6 +122,7 @@ for load balancers of type `network` will force a recreation of the resource. * `enable_http2` - (Optional) Indicates whether HTTP/2 is enabled in `application` load balancers. Defaults to `true`. * `customer_owned_ipv4_pool` - (Optional) The ID of the customer owned ipv4 pool to use for this load balancer. * `ip_address_type` - (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack` +* `desync_mitigation_mode` - (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are `monitor`, `defensive` (default), `strictest`. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](/docs/providers/aws/index.html#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. Access Logs (`access_logs`) support the following: From 5dbacb4c0a8f9765ffd9100f6f98dd3195460462 Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 11:36:48 +0000 Subject: [PATCH 02/12] d-aws_lb: add desync_mitigation_mode attribute --- internal/service/elbv2/load_balancer_data_source.go | 8 ++++++++ internal/service/elbv2/load_balancer_data_source_test.go | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/internal/service/elbv2/load_balancer_data_source.go b/internal/service/elbv2/load_balancer_data_source.go index e2aec46b2b0..7afff023ed0 100644 --- a/internal/service/elbv2/load_balancer_data_source.go +++ b/internal/service/elbv2/load_balancer_data_source.go @@ -153,6 +153,11 @@ func DataSourceLoadBalancer() *schema.Resource { Computed: true, }, + "desync_mitigation_mode": { + Type: schema.TypeString, + Computed: true, + }, + "tags": tftags.TagsSchemaComputed(), }, } 
@@ -290,6 +295,9 @@ func dataSourceLoadBalancerRead(d *schema.ResourceData, meta interface{}) error case "load_balancing.cross_zone.enabled": crossZoneLbEnabled := aws.StringValue(attr.Value) == "true" d.Set("enable_cross_zone_load_balancing", crossZoneLbEnabled) + case "routing.http.desync_mitigation_mode": + desyncMitigationMode := aws.StringValue(attr.Value) + d.Set("desync_mitigation_mode", desyncMitigationMode) } } diff --git a/internal/service/elbv2/load_balancer_data_source_test.go b/internal/service/elbv2/load_balancer_data_source_test.go index 5a36b245068..75751ddbd3e 100644 --- a/internal/service/elbv2/load_balancer_data_source_test.go +++ b/internal/service/elbv2/load_balancer_data_source_test.go @@ -40,6 +40,7 @@ func TestAccELBV2LoadBalancerDataSource_basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"), resource.TestCheckResourceAttrPair(dataSourceName, "ip_address_type", resourceName, "ip_address_type"), resource.TestCheckResourceAttrPair(dataSourceName, "subnet_mapping.#", resourceName, "subnet_mapping.#"), + resource.TestCheckResourceAttrPair(dataSourceName, "desync_mitigation_mode", resourceName, "desync_mitigation_mode"), resource.TestCheckResourceAttrPair(dataSourceName2, "name", resourceName, "name"), resource.TestCheckResourceAttrPair(dataSourceName2, "internal", resourceName, "internal"), resource.TestCheckResourceAttrPair(dataSourceName2, "subnets.#", resourceName, "subnets.#"), 
@@ -55,6 +56,7 @@ func TestAccELBV2LoadBalancerDataSource_basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName2, "arn", resourceName, "arn"), resource.TestCheckResourceAttrPair(dataSourceName2, "ip_address_type", resourceName, "ip_address_type"), resource.TestCheckResourceAttrPair(dataSourceName2, "subnet_mapping.#", resourceName, "subnet_mapping.#"), + resource.TestCheckResourceAttrPair(dataSourceName2, "desync_mitigation_mode", resourceName, "desync_mitigation_mode"), resource.TestCheckResourceAttrPair(dataSourceName3, "name", resourceName, "name"), resource.TestCheckResourceAttrPair(dataSourceName3, "internal", resourceName, "internal"), resource.TestCheckResourceAttrPair(dataSourceName3, "subnets.#", resourceName, "subnets.#"), @@ -70,6 +72,7 @@ func TestAccELBV2LoadBalancerDataSource_basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName3, "arn", resourceName, "arn"), resource.TestCheckResourceAttrPair(dataSourceName3, "ip_address_type", resourceName, "ip_address_type"), resource.TestCheckResourceAttrPair(dataSourceName3, "subnet_mapping.#", resourceName, "subnet_mapping.#"), + resource.TestCheckResourceAttrPair(dataSourceName3, "desync_mitigation_mode", resourceName, "desync_mitigation_mode"), ), }, }, @@ -197,6 +200,8 @@ resource "aws_lb" "test" { idle_timeout = 30 enable_deletion_protection = false + desync_mitigation_mode = "defensive" + tags = { Name = %[1]q Config = "Basic" From def32ed2b3b6ede87d34f9a87ecce2256625a42a Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 11:56:35 +0000 Subject: [PATCH 03/12] r-aws_elb: add desync_mitigation_mode attribute --- internal/service/elb/load_balancer.go | 28 ++++- internal/service/elb/load_balancer_test.go | 136 +++++++++++++++++++++ 2 files changed, 162 insertions(+), 2 deletions(-) diff --git a/internal/service/elb/load_balancer.go b/internal/service/elb/load_balancer.go index 0c6f106ac49..7fae5b657ec 100644 --- a/internal/service/elb/load_balancer.go 
+++ b/internal/service/elb/load_balancer.go @@ -15,7 +15,7 @@ import ( // nosemgrep: aws-sdk-go-multiple-service-imports "github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/elb" "github.com/hashicorp/aws-sdk-go-base/tfawserr" - multierror "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" @@ -255,6 +255,17 @@ func ResourceLoadBalancer() *schema.Resource { Computed: true, }, + "desync_mitigation_mode": { + Type: schema.TypeString, + Optional: true, + Default: "defensive", + ValidateFunc: validation.StringInSlice([]string{ + "monitor", + "defensive", + "strictest", + }, false), + }, + "tags": tftags.TagsSchema(), "tags_all": tftags.TagsSchemaComputed(), }, @@ -453,6 +464,13 @@ func flattenLoadBalancerEResource(d *schema.ResourceData, ec2conn *ec2.EC2, elbc } } + for _, attr := range lbAttrs.AdditionalAttributes { + switch aws.StringValue(attr.Key) { + case "elb.http.desyncmitigationmode": + d.Set("desync_mitigation_mode", aws.StringValue(attr.Value)) + } + } + tags, err := ListTags(elbconn, d.Id()) if err != nil { 
@@ -580,10 +598,16 @@ func resourceLoadBalancerUpdate(d *schema.ResourceData, meta interface{}) error } } - if d.HasChanges("cross_zone_load_balancing", "idle_timeout", "access_logs") { + if d.HasChanges("cross_zone_load_balancing", "idle_timeout", "access_logs", "desync_mitigation_mode") { attrs := elb.ModifyLoadBalancerAttributesInput{ LoadBalancerName: aws.String(d.Get("name").(string)), LoadBalancerAttributes: &elb.LoadBalancerAttributes{ + AdditionalAttributes: []*elb.AdditionalAttribute{ + { + Key: aws.String("elb.http.desyncmitigationmode"), + Value: aws.String(d.Get("desync_mitigation_mode").(string)), + }, + }, CrossZoneLoadBalancing: &elb.CrossZoneLoadBalancing{ Enabled: aws.Bool(d.Get("cross_zone_load_balancing").(bool)), }, diff --git a/internal/service/elb/load_balancer_test.go b/internal/service/elb/load_balancer_test.go index 7efb89a61d8..1b6c79ece5a 100644 --- a/internal/service/elb/load_balancer_test.go +++ b/internal/service/elb/load_balancer_test.go @@ -44,6 +44,7 @@ func TestAccELBLoadBalancer_basic(t *testing.T) { "lb_protocol": "http", }), resource.TestCheckResourceAttr(resourceName, "cross_zone_load_balancing", "true"), + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "defensive"), resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, 
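Review bot: The attribute key `"elb.http.desyncmitigationmode"` is spelled out as a string literal here and again in the read paths (`flattenLoadBalancerEResource` in this patch and the data source in patch 04); a typo in one copy would, depending on how the API treats unknown keys, either fail the write or make the value appear to drift on every plan. Hoist it to a package-level constant, e.g. `const attrKeyDesyncMitigationMode = "elb.http.desyncmitigationmode"`, and use it in all three places; the same applies to `routing.http.desync_mitigation_mode` in the elbv2 package. The `AdditionalAttributes` entry is also sent whenever any of the four guarded attributes changes, so an unrelated `idle_timeout` edit re-asserts the desync mode — idempotent and fine, but worth a one-line comment so nobody "optimises" it away. The enclosing `resourceLoadBalancerUpdate` starts and ends outside this hunk.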
@@ -667,6 +668,71 @@ func TestAccELBLoadBalancer_securityGroups(t *testing.T) { }) } +func TestAccELBLoadBalancer_desyncMitigationMode(t *testing.T) { + resourceName := "aws_elb.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ErrorCheck: acctest.ErrorCheck(t, elb.EndpointsID), + Providers: acctest.Providers, + CheckDestroy: testAccCheckLoadBalancerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccLoadBalancerConfigDesyncMitigationMode, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "strictest"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccELBLoadBalancer_desyncMitigationMode_update(t *testing.T) { + resourceName := "aws_elb.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ErrorCheck: acctest.ErrorCheck(t, elb.EndpointsID), + Providers: acctest.Providers, + CheckDestroy: testAccCheckLoadBalancerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccLoadBalancerConfigDesyncMitigationMode_update_default, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "defensive"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccLoadBalancerConfigDesyncMitigationMode_update_monitor, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "monitor"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccLoadBalancerConfigDesyncMitigationMode_update_default, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "desync_mitigation_mode", "defensive"), + ), + }, + }, + }) +} + // Unit test for listeners hash func TestLoadBalancerListenerHash(t 
*testing.T) { cases := map[string]struct { @@ -1839,3 +1905,73 @@ resource "aws_internet_gateway" "gw" { } } ` + +const testAccLoadBalancerConfigDesyncMitigationMode = ` + data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } + } + + resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + desync_mitigation_mode = "strictest" + } + ` + +const testAccLoadBalancerConfigDesyncMitigationMode_update_default = ` + data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } + } + + resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + } + ` + +const testAccLoadBalancerConfigDesyncMitigationMode_update_monitor = ` + data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } + } + + resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + desync_mitigation_mode = "monitor" + } + ` From 8239509fe2165884036e27fd7a875caae2b61faf Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 12:13:43 +0000 Subject: [PATCH 04/12] d-aws_elb: add desync_mitigation_mode attribute --- internal/service/elb/load_balancer_data_source.go | 12 ++++++++++++ .../service/elb/load_balancer_data_source_test.go | 1 + 2 files changed, 13 insertions(+) 
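Review bot: Both classic ELB tests assert the new value only on Terraform state via `resource.TestCheckResourceAttr`, whereas the ALB test in patch 01 additionally checks the live attribute with `testAccCheckLoadBalancerAttribute`. State is populated by the Read after apply, so this does verify a round-trip, but it cannot distinguish a value the API actually stored from one the provider carried over — if the response omitted `elb.http.desyncmitigationmode`, the `for _, attr := range lbAttrs.AdditionalAttributes` loop in the read path never calls `d.Set` and the planned value survives. Add an API-side check that calls `DescribeLoadBalancerAttributes` and compares the `AdditionalAttributes` entry for that key; such a helper may not yet exist in the elb package, though `testAccCheckLoadBalancerExists` suggests the client plumbing is there. `TestAccELBLoadBalancer_desyncMitigationMode` also duplicates the fixture of `_update` and could be folded in as its opening step. The trailing context lines belong to `TestLoadBalancerListenerHash`, which continues outside the hunk.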
diff --git a/internal/service/elb/load_balancer_data_source.go b/internal/service/elb/load_balancer_data_source.go index 405963ad920..9d9a56abbf4 100644 --- a/internal/service/elb/load_balancer_data_source.go +++ b/internal/service/elb/load_balancer_data_source.go @@ -188,6 +188,11 @@ func DataSourceLoadBalancer() *schema.Resource { Set: schema.HashString, }, + "desync_mitigation_mode": { + Type: schema.TypeString, + Computed: true, + }, + "tags": tftags.TagsSchemaComputed(), "zone_id": { @@ -304,6 +309,13 @@ func dataSourceLoadBalancerRead(d *schema.ResourceData, meta interface{}) error } } + for _, attr := range lbAttrs.AdditionalAttributes { + switch aws.StringValue(attr.Key) { + case "elb.http.desyncmitigationmode": + d.Set("desync_mitigation_mode", aws.StringValue(attr.Value)) + } + } + tags, err := ListTags(conn, d.Id()) if err != nil { diff --git a/internal/service/elb/load_balancer_data_source_test.go b/internal/service/elb/load_balancer_data_source_test.go index 197829eda7d..0ee52aa85c4 100644 --- a/internal/service/elb/load_balancer_data_source_test.go +++ b/internal/service/elb/load_balancer_data_source_test.go @@ -29,6 +29,7 @@ func TestAccELBLoadBalancerDataSource_basic(t *testing.T) { resource.TestCheckResourceAttr(dataSourceName, "internal", "true"), resource.TestCheckResourceAttr(dataSourceName, "subnets.#", "2"), resource.TestCheckResourceAttr(dataSourceName, "security_groups.#", "1"), + resource.TestCheckResourceAttr(dataSourceName, "desync_mitigation_mode", "defensive"), resource.TestCheckResourceAttr(dataSourceName, "tags.%", "2"), resource.TestCheckResourceAttr(dataSourceName, "tags.Name", rName), resource.TestCheckResourceAttr(dataSourceName, "tags.TestName", t.Name()), From 4102fce4e7888c7eb12c61944a82ef3170b78f93 Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 12:14:19 +0000 Subject: [PATCH 05/12] r-aws_elb: add missing doc --- website/docs/r/elb.html.markdown | 1 + 1 file changed, 1 insertion(+) 
diff --git a/website/docs/r/elb.html.markdown b/website/docs/r/elb.html.markdown index fd94e01dd21..dcfc96484ce 100644 --- a/website/docs/r/elb.html.markdown +++ b/website/docs/r/elb.html.markdown @@ -88,6 +88,7 @@ The following arguments are supported: * `idle_timeout` - (Optional) The time in seconds that the connection is allowed to be idle. Default: `60` * `connection_draining` - (Optional) Boolean to enable connection draining. Default: `false` * `connection_draining_timeout` - (Optional) The time in seconds to allow for connections to drain. Default: `300` +* `desync_mitigation_mode` - (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are `monitor`, `defensive` (default), `strictest`. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://www.terraform.io/docs/providers/aws/index.html#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. Exactly one of `availability_zones` or `subnets` must be specified: this From f5cdaab5fb27b4bcfaecb89749af8c4893370bad Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 14:37:44 +0000 Subject: [PATCH 06/12] r-aws_elb: undo import change --- internal/service/elb/load_balancer.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/elb/load_balancer.go b/internal/service/elb/load_balancer.go index 7fae5b657ec..7dab0295d35 100644 --- a/internal/service/elb/load_balancer.go +++ b/internal/service/elb/load_balancer.go 
@@ -15,7 +15,7 @@ import ( // nosemgrep: aws-sdk-go-multiple-service-imports "github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/elb" "github.com/hashicorp/aws-sdk-go-base/tfawserr" - "github.com/hashicorp/go-multierror" + multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" From 2d41510d8b3ead99f285e6d6891e0532cd9b15da Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 15:24:51 +0000 Subject: [PATCH 07/12] linter fix --- internal/service/elb/load_balancer_test.go | 121 ++++++++------- internal/service/elbv2/load_balancer_test.go | 148 +++++++++---------- 2 files changed, 134 insertions(+), 135 deletions(-) diff --git a/internal/service/elb/load_balancer_test.go b/internal/service/elb/load_balancer_test.go index 1b6c79ece5a..61d350e081b 100644 --- a/internal/service/elb/load_balancer_test.go +++ b/internal/service/elb/load_balancer_test.go 
@@ -1907,71 +1907,70 @@ resource "aws_internet_gateway" "gw" { ` const testAccLoadBalancerConfigDesyncMitigationMode = ` - data "aws_availability_zones" "available" { - state = "available" - - filter { - name = "opt-in-status" - values = ["opt-in-not-required"] - } - } +data "aws_availability_zones" "available" { + state = "available" - resource "aws_elb" "test" { - availability_zones = [data.aws_availability_zones.available.names[0]] + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} - listener { - instance_port = 8000 - instance_protocol = "http" - lb_port = 80 - lb_protocol = "http" - } +resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } - desync_mitigation_mode = "strictest" - } - ` + desync_mitigation_mode = "strictest" +} +` const testAccLoadBalancerConfigDesyncMitigationMode_update_default = ` - data "aws_availability_zones" "available" { - state = "available" - - filter { - name = "opt-in-status" - values = ["opt-in-not-required"] - } - } - - resource "aws_elb" "test" { - availability_zones = [data.aws_availability_zones.available.names[0]] - - listener { - instance_port = 8000 - instance_protocol = "http" - lb_port = 80 - lb_protocol = "http" - } - } - ` +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } +} +` const testAccLoadBalancerConfigDesyncMitigationMode_update_monitor = ` - data "aws_availability_zones" "available" { - state = "available" - - filter { - name = "opt-in-status" - values = ["opt-in-not-required"] - } - } - - resource "aws_elb" "test" { - 
availability_zones = [data.aws_availability_zones.available.names[0]] - - listener { - instance_port = 8000 - instance_protocol = "http" - lb_port = 80 - lb_protocol = "http" - } - - desync_mitigation_mode = "monitor" - } - ` +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_elb" "test" { + availability_zones = [data.aws_availability_zones.available.names[0]] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + desync_mitigation_mode = "monitor" +} +` diff --git a/internal/service/elbv2/load_balancer_test.go b/internal/service/elbv2/load_balancer_test.go index 9fe2fedb377..22e2ea159b4 100644 --- a/internal/service/elbv2/load_balancer_test.go +++ b/internal/service/elbv2/load_balancer_test.go 
@@ -2906,78 +2906,78 @@ resource "aws_security_group" "alb_test" { func testAccAWSLBConfig_desyncMitigationMode(lbName string, mode string) string { return fmt.Sprintf(` - resource "aws_lb" "lb_test" { - name = "%s" - internal = true - security_groups = ["${aws_security_group.alb_test.id}"] - subnets = "${aws_subnet.alb_test.*.id}" - - idle_timeout = 30 - enable_deletion_protection = false - - desync_mitigation_mode = %q - - tags = { - Name = "TestAccAWSALB_desync" - } - } - - variable "subnets" { - default = ["10.0.1.0/24", "10.0.2.0/24"] - type = list - } - - data "aws_availability_zones" "available" { - state = "available" - - filter { - name = "opt-in-status" - values = ["opt-in-not-required"] - } - } - - resource "aws_vpc" "alb_test" { - cidr_block = "10.0.0.0/16" - - tags = { - Name = "terraform-testacc-lb-desync" - } - } - - resource "aws_subnet" "alb_test" { - count = 2 - vpc_id = "${aws_vpc.alb_test.id}" - cidr_block = "${element(var.subnets, count.index)}" - map_public_ip_on_launch = true - availability_zone = "${element(data.aws_availability_zones.available.names, count.index)}" - - tags = { - Name = "tf-acc-lb-desync-${count.index}" - } - } - - resource "aws_security_group" "alb_test" { - name = "allow_all_alb_test_desync" - description = "Used for ALB Testing" - vpc_id = "${aws_vpc.alb_test.id}" - - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "TestAccAWSALB_desync" - } - } - `, lbName, mode) +resource "aws_lb" "lb_test" { + name = "%s" + internal = true + security_groups = ["${aws_security_group.alb_test.id}"] + subnets = aws_subnet.alb_test.*.id + + idle_timeout = 30 + enable_deletion_protection = false + + desync_mitigation_mode = %q + + tags = { + Name = "TestAccAWSALB_desync" + } +} + +variable "subnets" { + default = ["10.0.1.0/24", "10.0.2.0/24"] + type = list +} + +data 
"aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_vpc" "alb_test" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "terraform-testacc-lb-desync" + } +} + +resource "aws_subnet" "alb_test" { + count = 2 + vpc_id = aws_vpc.alb_test.id + cidr_block = "${element(var.subnets, count.index)}" + map_public_ip_on_launch = true + availability_zone = "${element(data.aws_availability_zones.available.names, count.index)}" + + tags = { + Name = "tf-acc-lb-desync-${count.index}" + } +} + +resource "aws_security_group" "alb_test" { + name = "allow_all_alb_test_desync" + description = "Used for ALB Testing" + vpc_id = aws_vpc.alb_test.id + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "TestAccAWSALB_desync" + } +} +`, lbName, mode) } From 235731da1093b9fbb4ccd8abd76dc8ff1015c6b9 Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 15:26:32 +0000 Subject: [PATCH 08/12] linter fix --- internal/service/elbv2/load_balancer_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/elbv2/load_balancer_test.go b/internal/service/elbv2/load_balancer_test.go index 22e2ea159b4..56f5f1222a2 100644 --- a/internal/service/elbv2/load_balancer_test.go +++ b/internal/service/elbv2/load_balancer_test.go @@ -1109,7 +1109,7 @@ func TestAccELBV2LoadBalancer_NetworkLoadBalancerSubnet_change(t *testing.T) { }) } -func TestAccAWSLB_applicationLoadBalancer_updateDesyncMitigationMode(t *testing.T) { +func TestAccELBV2LoadBalancer_updateDesyncMitigationMode(t *testing.T) { var pre, mid, post elbv2.LoadBalancer lbName := fmt.Sprintf("testaccawsalb-desync-%s", sdkacctest.RandString(4)) resourceName := "aws_lb.lb_test" From 529df17ad47db002429724b3d14b5911772eef9c Mon Sep 17 00:00:00 2001 
From: Roberth Kulbin Date: Sun, 21 Nov 2021 16:14:57 +0000 Subject: [PATCH 09/12] linter fix --- internal/service/elbv2/load_balancer_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/elbv2/load_balancer_test.go b/internal/service/elbv2/load_balancer_test.go index 56f5f1222a2..19efe2cdc46 100644 --- a/internal/service/elbv2/load_balancer_test.go +++ b/internal/service/elbv2/load_balancer_test.go @@ -2947,9 +2947,9 @@ resource "aws_vpc" "alb_test" { resource "aws_subnet" "alb_test" { count = 2 vpc_id = aws_vpc.alb_test.id - cidr_block = "${element(var.subnets, count.index)}" + cidr_block = element(var.subnets, count.index)} map_public_ip_on_launch = true - availability_zone = "${element(data.aws_availability_zones.available.names, count.index)}" + availability_zone = element(data.aws_availability_zones.available.names, count.index) tags = { Name = "tf-acc-lb-desync-${count.index}" From f97d44d4554fbba6d9bde4a1e75a1ca87d916241 Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 17:06:09 +0000 Subject: [PATCH 10/12] linter fix --- internal/service/elbv2/load_balancer_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/elbv2/load_balancer_test.go b/internal/service/elbv2/load_balancer_test.go index 19efe2cdc46..18ba42924ef 100644 --- a/internal/service/elbv2/load_balancer_test.go +++ b/internal/service/elbv2/load_balancer_test.go @@ -2909,7 +2909,7 @@ func testAccAWSLBConfig_desyncMitigationMode(lbName string, mode string) string resource "aws_lb" "lb_test" { name = "%s" internal = true - security_groups = ["${aws_security_group.alb_test.id}"] + security_groups = [aws_security_group.alb_test.id] subnets = aws_subnet.alb_test.*.id idle_timeout = 30 
@@ -2947,7 +2947,7 @@ resource "aws_vpc" "alb_test" { resource "aws_subnet" "alb_test" { count = 2 vpc_id = aws_vpc.alb_test.id - cidr_block = element(var.subnets, count.index)} + cidr_block = element(var.subnets, count.index) map_public_ip_on_launch = true availability_zone = element(data.aws_availability_zones.available.names, count.index) From 3dd8df31d0164c61c5863266516604ca3a61b088 Mon Sep 17 00:00:00 2001 From: Roberth Kulbin Date: Sun, 21 Nov 2021 18:10:01 +0000 Subject: [PATCH 11/12] force ci run From 1e4fff6cc2bc7d66c9d17839f052bbf47010de67 Mon Sep 17 00:00:00 2001 From: Angie Pinilla Date: Mon, 22 Nov 2021 15:45:08 -0500 Subject: [PATCH 12/12] Update CHANGELOG for #14764 --- .changelog/14764.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .changelog/14764.txt diff --git a/.changelog/14764.txt b/.changelog/14764.txt new file mode 100644 index 00000000000..d2a67400fd9 --- /dev/null +++ b/.changelog/14764.txt @@ -0,0 +1,15 @@ +```release-note:enhancement +data-source/aws_elb: Add `desync_mitigation_mode` attribute +``` + +```release-note:enhancement +data-source/aws_lb: Add `desync_mitigation_mode` attribute +``` + +```release-note:enhancement +resource/aws_elb: Add `desync_mitigation_mode` argument +``` + +```release-note:enhancement +resource/aws_lb: Add `desync_mitigation_mode` argument +```