From 57957c0e1ed1c961442d8913967761fa25ddb880 Mon Sep 17 00:00:00 2001 From: Brian Flad Date: Tue, 16 Feb 2021 16:15:23 -0500 Subject: [PATCH 1/2] resource/aws_lb_listener_certificate: Prevent resource ID parsing error with IAM Server Certificate names containing underscores Reference: https://github.com/hashicorp/terraform-provider-aws/issues/17639 Previously: ``` === CONT TestAccAwsLbListenerCertificate_CertificateArn_Underscores resource_aws_lb_listener_certificate_test.go:54: Step 1/2 error: Error running apply: exit status 1 Error: error parsing ELBv2 Listener Certificate ID (arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/tf-acc-test-1918488772698388616/37ea83aabfff17e9/c77f900678310ecd_arn:aws:iam::123456789012:server-certificate/tf_acc_test_1918488772698388616): unexpected format for ID ("arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/tf-acc-test-1918488772698388616/37ea83aabfff17e9/c77f900678310ecd_arn:aws:iam::123456789012:server-certificate/tf_acc_test_1918488772698388616"), expected listener-arn_certificate-arn --- FAIL: TestAccAwsLbListenerCertificate_CertificateArn_Underscores (161.31s) ``` Output from acceptance testing in AWS Commercial: ``` --- PASS: TestAccAwsLbListenerCertificate_disappears (165.35s) --- PASS: TestAccAwsLbListenerCertificate_CertificateArn_Underscores (167.76s) --- PASS: TestAccAwsLbListenerCertificate_basic (168.14s) --- PASS: TestAccAwsLbListenerCertificate_multiple (243.26s) ``` Output from acceptance testing in AWS GovCloud (US): ``` --- PASS: TestAccAwsLbListenerCertificate_CertificateArn_Underscores (159.16s) --- PASS: TestAccAwsLbListenerCertificate_disappears (162.81s) --- PASS: TestAccAwsLbListenerCertificate_basic (170.08s) --- PASS: TestAccAwsLbListenerCertificate_multiple (272.30s) ``` --- .changelog/pending.txt | 3 + aws/internal/service/elbv2/id.go | 2 +- ...source_aws_lb_listener_certificate_test.go | 100 ++++++++++++++++++ 3 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 .changelog/pending.txt diff --git a/.changelog/pending.txt b/.changelog/pending.txt new file mode 100644 index 00000000000..fef7ea91cd3 --- /dev/null +++ b/.changelog/pending.txt @@ -0,0 +1,3 @@ +```release-note:bug +resource/aws_lb_listener_certificate: Prevent resource ID parsing error with IAM Server Certificate names containing underscores +``` diff --git a/aws/internal/service/elbv2/id.go b/aws/internal/service/elbv2/id.go index 34ff840e676..288dfeaf746 100644 --- a/aws/internal/service/elbv2/id.go +++ b/aws/internal/service/elbv2/id.go @@ -8,7 +8,7 @@ import ( const listenerCertificateIDSeparator = "_" func ListenerCertificateParseID(id string) (string, string, error) { - parts := strings.Split(id, listenerCertificateIDSeparator) + parts := strings.SplitN(id, listenerCertificateIDSeparator, 2) if len(parts) == 2 && parts[0] != "" && parts[1] != "" { return parts[0], parts[1], nil } diff --git a/aws/resource_aws_lb_listener_certificate_test.go b/aws/resource_aws_lb_listener_certificate_test.go index ff6a71320e6..3d5f4a07edc 100644 --- a/aws/resource_aws_lb_listener_certificate_test.go +++ b/aws/resource_aws_lb_listener_certificate_test.go @@ -42,6 +42,37 @@ func TestAccAwsLbListenerCertificate_basic(t *testing.T) { }) } +// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/17639 +func TestAccAwsLbListenerCertificate_CertificateArn_Underscores(t *testing.T) { + key := tlsRsaPrivateKeyPem(2048) + certificate := tlsRsaX509SelfSignedCertificatePem(key, "example.com") + iamServerCertificateResourceName := "aws_iam_server_certificate.test" + lbListenerResourceName := "aws_lb_listener.test" + resourceName := "aws_lb_listener_certificate.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsLbListenerCertificateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccLbListenerCertificateConfigCertificateArnUnderscores(rName, key, certificate), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsLbListenerCertificateExists(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "certificate_arn", iamServerCertificateResourceName, "arn"), + resource.TestCheckResourceAttrPair(resourceName, "listener_arn", lbListenerResourceName, "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAwsLbListenerCertificate_multiple(t *testing.T) { keys := make([]string, 4) certificates := make([]string, 4) @@ -267,6 +298,75 @@ resource "aws_lb_listener_certificate" "test" { ` } +func testAccLbListenerCertificateConfigCertificateArnUnderscores(rName, key, certificate string) string { + return fmt.Sprintf(` +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_vpc" "test" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "terraform-testacc-lb-listener-certificate" + } +} + +resource "aws_subnet" "test" { + count = 2 + + availability_zone = data.aws_availability_zones.available.names[count.index] + cidr_block = cidrsubnet(aws_vpc.test.cidr_block, 8, count.index) + vpc_id = aws_vpc.test.id + + tags = { + Name = "tf-acc-lb-listener-certificate-${count.index}" + } +} + +resource "aws_lb_target_group" "test" { + port = 80 + protocol = "HTTP" + vpc_id = aws_vpc.test.id +} + +resource "aws_lb" "test" { + internal = true + name = %[1]q + subnets = aws_subnet.test[*].id +} + +resource "aws_iam_server_certificate" "test" { + name = replace("%[1]s", "-", "_") + certificate_body = "%[2]s" + private_key = "%[3]s" +} + +resource "aws_lb_listener" "test" { + load_balancer_arn = aws_lb.test.arn + port = "443" + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_iam_server_certificate.test.arn + + default_action { + target_group_arn = aws_lb_target_group.test.arn + type = "forward" + } +} + +resource "aws_lb_listener_certificate" "test" { + certificate_arn = aws_iam_server_certificate.test.arn + listener_arn = aws_lb_listener.test.arn +} +`, rName, tlsPemEscapeNewlines(certificate), tlsPemEscapeNewlines(key)) +} + func testAccLbListenerCertificateConfigMultiple(rName string, keys, certificates []string) string { return testAccLbListenerCertificateConfigLbListenerBase(rName, keys[0], certificates[0]) + fmt.Sprintf(` resource "aws_lb_listener_certificate" "default" { From ae405ed90c694249fb4e1bc423455c40c09bcb05 Mon Sep 17 00:00:00 2001 From: Brian Flad Date: Tue, 16 Feb 2021 16:16:41 -0500 Subject: [PATCH 2/2] Update CHANGELOG for #17645 --- .changelog/{pending.txt => 17645.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .changelog/{pending.txt => 17645.txt} (100%) diff --git a/.changelog/pending.txt b/.changelog/17645.txt similarity index 100% rename from .changelog/pending.txt rename to .changelog/17645.txt