Merge pull request #35289 from rodrigost23/b-aws_lb_listener-mtls-pas…

…sthrough r/aws_lb_listener: Fix mutual_authentication mode passthrough
hashicorp · Jan 17, 2024 · f9ccecb · f9ccecb
2 parents e33470f + 8e278a1
commit f9ccecb
Show file tree

Hide file tree

Showing 3 changed files with 128 additions and 8 deletions.
diff --git a/.changelog/35289.txt b/.changelog/35289.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_lb_listener: Fix `ValidationError: Mutual Authentication mode passthrough does not support ignoring certificate expiry` errors when `mutual_authentication.mode` is set to `passthrough`
+```
diff --git a/internal/service/elbv2/listener.go b/internal/service/elbv2/listener.go
@@ -918,17 +918,22 @@ func expandMutualAuthenticationAttributes(l []interface{}) *elbv2.MutualAuthenti
 		return nil
 	}
 
-	mode := tfMap["mode"].(string)
-	if mode == mutualAuthenticationOff {
+	switch mode := tfMap["mode"].(string); mode {
+	case mutualAuthenticationOff:
 		return &elbv2.MutualAuthenticationAttributes{
 			Mode: aws.String(mode),
 		}
-	}
-
-	return &elbv2.MutualAuthenticationAttributes{
-		Mode:                          aws.String(mode),
-		TrustStoreArn:                 aws.String(tfMap["trust_store_arn"].(string)),
-		IgnoreClientCertificateExpiry: aws.Bool(tfMap["ignore_client_certificate_expiry"].(bool)),
+	case mutualAuthenticationPassthrough:
+		return &elbv2.MutualAuthenticationAttributes{
+			Mode:          aws.String(mode),
+			TrustStoreArn: aws.String(tfMap["trust_store_arn"].(string)),
+		}
+	default:
+		return &elbv2.MutualAuthenticationAttributes{
+			Mode:                          aws.String(mode),
+			TrustStoreArn:                 aws.String(tfMap["trust_store_arn"].(string)),
+			IgnoreClientCertificateExpiry: aws.Bool(tfMap["ignore_client_certificate_expiry"].(bool)),
+		}
 	}
 }
 

diff --git a/internal/service/elbv2/listener_test.go b/internal/service/elbv2/listener_test.go
@@ -349,6 +349,53 @@ func TestAccELBV2Listener_mutualAuthentication(t *testing.T) {
 	})
 }
 
+func TestAccELBV2Listener_mutualAuthenticationPassthrough(t *testing.T) {
+	ctx := acctest.Context(t)
+	var conf elbv2.Listener
+	key := acctest.TLSRSAPrivateKeyPEM(t, 2048)
+	resourceName := "aws_lb_listener.test"
+	certificate := acctest.TLSRSAX509SelfSignedCertificatePEM(t, key, "example.com")
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, elbv2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckListenerDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccListenerConfig_mutualAuthenticationPassthrough(rName, key, certificate),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckListenerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "mutual_authentication.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "mutual_authentication.0.mode", "passthrough"),
+					resource.TestCheckResourceAttr(resourceName, "mutual_authentication.0.ignore_client_certificate_expiry", "false"),
+					resource.TestCheckResourceAttr(resourceName, "mutual_authentication.0.trust_store_arn", ""),
+
+					resource.TestCheckResourceAttrPair(resourceName, "load_balancer_arn", "aws_lb.test", "arn"),
+
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "elasticloadbalancing", regexache.MustCompile("listener/.+$")),
+					resource.TestCheckResourceAttr(resourceName, "protocol", "HTTPS"),
+					resource.TestCheckResourceAttr(resourceName, "port", "443"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.order", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.type", "forward"),
+					resource.TestCheckResourceAttrPair(resourceName, "default_action.0.target_group_arn", "aws_lb_target_group.test", "arn"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.redirect.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.fixed_response.#", "0"),
+					resource.TestCheckResourceAttrPair(resourceName, "certificate_arn", "aws_iam_server_certificate.test", "arn"),
+					resource.TestCheckResourceAttr(resourceName, "ssl_policy", "ELBSecurityPolicy-2016-08"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccELBV2Listener_LoadBalancerARN_gatewayLoadBalancer(t *testing.T) {
 	ctx := acctest.Context(t)
 	var conf elbv2.Listener
@@ -1299,6 +1346,71 @@ resource "aws_iam_server_certificate" "test" {
 `, rName, acctest.TLSPEMEscapeNewlines(certificate), acctest.TLSPEMEscapeNewlines(key)))
 }
 
+func testAccListenerConfig_mutualAuthenticationPassthrough(rName string, key, certificate string) string {
+	return acctest.ConfigCompose(
+		testAccListenerConfig_base(rName),
+		fmt.Sprintf(`
+resource "aws_lb_listener" "test" {
+  load_balancer_arn = aws_lb.test.id
+  protocol          = "HTTPS"
+  port              = "443"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_iam_server_certificate.test.arn
+
+  default_action {
+    target_group_arn = aws_lb_target_group.test.id
+    type             = "forward"
+  }
+
+  mutual_authentication {
+    mode = "passthrough"
+  }
+}
+
+resource "aws_lb" "test" {
+  name            = %[1]q
+  internal        = true
+  security_groups = [aws_security_group.test.id]
+  subnets         = aws_subnet.test[*].id
+
+  idle_timeout               = 30
+  enable_deletion_protection = false
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_lb_target_group" "test" {
+  name     = %[1]q
+  port     = 8080
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.test.id
+
+  health_check {
+    path                = "/health"
+    interval            = 60
+    port                = 8081
+    protocol            = "HTTP"
+    timeout             = 3
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+    matcher             = "200-299"
+  }
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_iam_server_certificate" "test" {
+  name             = %[1]q
+  certificate_body = "%[2]s"
+  private_key      = "%[3]s"
+}
+`, rName, acctest.TLSPEMEscapeNewlines(certificate), acctest.TLSPEMEscapeNewlines(key)))
+}
+
 func testAccListenerConfig_arnGateway(rName string) string {
 	return acctest.ConfigCompose(
 		acctest.ConfigAvailableAZsNoOptIn(),