hashicorp · ericrichtert · Nov 7, 2021 · Nov 7, 2021 · Nov 7, 2021 · Dec 5, 2021
@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/aws_lb: Add `tls_version_and_cipher_suite` argument to the loadbalancer
+resource/aws_lb: Add `xff_client_port` argument to the loadbalancer
+```
@@ -206,6 +206,20 @@ func ResourceLoadBalancer() *schema.Resource {
 				DiffSuppressFunc: suppressIfLBType("network"),
 			},
 
+			"tls_version_and_cipher_suite": {
+				Type:             schema.TypeBool,
+				Optional:         true,
+				Default:          false,
+				DiffSuppressFunc: suppressIfLBType("network"),
+			},
+
+			"xff_client_port": {
+				Type:             schema.TypeBool,
+				Optional:         true,
+				Default:          false,
+				DiffSuppressFunc: suppressIfLBType("network"),
+			},
+
 			"enable_cross_zone_load_balancing": {
 				Type:             schema.TypeBool,
 				Optional:         true,
@@ -501,6 +515,20 @@ func resourceLoadBalancerUpdate(d *schema.ResourceData, meta interface{}) error
 			})
 		}
 
+		if d.HasChange("tls_version_and_cipher_suite") || d.IsNewResource() {
+			attributes = append(attributes, &elbv2.LoadBalancerAttribute{
+				Key:   aws.String("routing.http.x_amzn_tls_version_and_cipher_suite.enabled"),
+				Value: aws.String(strconv.FormatBool(d.Get("tls_version_and_cipher_suite").(bool))),
+			})
+		}
+
+		if d.HasChange("xff_client_port") || d.IsNewResource() {
+			attributes = append(attributes, &elbv2.LoadBalancerAttribute{
+				Key:   aws.String("routing.http.xff_client_port.enabled"),
+				Value: aws.String(strconv.FormatBool(d.Get("xff_client_port").(bool))),
+			})
+		}
+
 		if d.HasChange("desync_mitigation_mode") || d.IsNewResource() {
 			attributes = append(attributes, &elbv2.LoadBalancerAttribute{
 				Key:   aws.String("routing.http.desync_mitigation_mode"),
@@ -833,6 +861,14 @@ func flattenResource(d *schema.ResourceData, meta interface{}, lb *elbv2.LoadBal
 			dropInvalidHeaderFieldsEnabled := aws.StringValue(attr.Value) == "true"
 			log.Printf("[DEBUG] Setting LB Invalid Header Fields Enabled: %t", dropInvalidHeaderFieldsEnabled)
 			d.Set("drop_invalid_header_fields", dropInvalidHeaderFieldsEnabled)
+		case "routing.http.x_amzn_tls_version_and_cipher_suite.enabled":
+			amznTLSHeadersEnabled := aws.StringValue(attr.Value) == "true"
+			log.Printf("[DEBUG] Setting LB TLS Headers Fields Enabled: %t", amznTLSHeadersEnabled)
+			d.Set("tls_version_and_cipher_suite", amznTLSHeadersEnabled)
+		case "routing.http.xff_client_port.enabled":
+			amznTLSHeadersEnabled := aws.StringValue(attr.Value) == "true"
+			log.Printf("[DEBUG] Setting LB TLS Headers Fields Enabled: %t", amznTLSHeadersEnabled)
+			d.Set("xff_client_port", amznTLSHeadersEnabled)
 		case "deletion_protection.enabled":
 			protectionEnabled := aws.StringValue(attr.Value) == "true"
 			log.Printf("[DEBUG] Setting LB Deletion Protection Enabled: %t", protectionEnabled)

@@ -564,6 +564,86 @@ func TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2(t *testing.T)
 	})
 }
 
+func TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateTLSVersionAndCipherSuite(t *testing.T) {
+	var pre, mid, post elbv2.LoadBalancer
+	lbName := fmt.Sprintf("testAccAWSalb-headers-%s", sdkacctest.RandString(10))
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, elbv2.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckLoadBalancerDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoadBalancerConfig_enableTLSVersionAndCipherSuite(lbName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &pre),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.x_amzn_tls_version_and_cipher_suite.enabled", "false"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "tls_version_and_cipher_suite", "false"),
+				),
+			},
+			{
+				Config: testAccLoadBalancerConfig_enableTLSVersionAndCipherSuite(lbName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &mid),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.x_amzn_tls_version_and_cipher_suite.enabled", "true"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "tls_version_and_cipher_suite", "true"),
+					testAccChecklbARNs(&pre, &mid),
+				),
+			},
+			{
+				Config: testAccLoadBalancerConfig_enableTLSVersionAndCipherSuite(lbName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &post),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.x_amzn_tls_version_and_cipher_suite.enabled", "false"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "tls_version_and_cipher_suite", "false"),
+					testAccChecklbARNs(&mid, &post),
+				),
+			},
+		},
+	})
+}
+
+func TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateXFFClientPort(t *testing.T) {
+	var pre, mid, post elbv2.LoadBalancer
+	lbName := fmt.Sprintf("testAccAWSalb-headers-%s", sdkacctest.RandString(10))
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, elbv2.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckLoadBalancerDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoadBalancerConfig_updateXFFClientPort(lbName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &pre),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.xff_client_port.enabled", "false"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "xff_client_port", "false"),
+				),
+			},
+			{
+				Config: testAccLoadBalancerConfig_updateXFFClientPort(lbName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &mid),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.xff_client_port.enabled", "true"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "xff_client_port", "true"),
+					testAccChecklbARNs(&pre, &mid),
+				),
+			},
+			{
+				Config: testAccLoadBalancerConfig_updateXFFClientPort(lbName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckLoadBalancerExists("aws_lb.lb_test", &post),
+					testAccCheckLoadBalancerAttribute("aws_lb.lb_test", "routing.http.xff_client_port.enabled", "false"),
+					resource.TestCheckResourceAttr("aws_lb.lb_test", "xff_client_port", "false"),
+					testAccChecklbARNs(&mid, &post),
+				),
+			},
+		},
+	})
+}
+
 func TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields(t *testing.T) {
 	var pre, mid, post elbv2.LoadBalancer
 	lbName := fmt.Sprintf("testAccAWSalb-headers-%s", sdkacctest.RandString(10))
@@ -1784,6 +1864,144 @@ resource "aws_security_group" "alb_test" {
 `, lbName, http2))
 }
 
+func testAccLoadBalancerConfig_enableTLSVersionAndCipherSuite(lbName string, tls_version_and_cipher_suite bool) string {
+	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptIn(), fmt.Sprintf(`
+resource "aws_lb" "lb_test" {
+  name            = "%s"
+  internal        = true
+  security_groups = [aws_security_group.alb_test.id]
+  subnets         = aws_subnet.alb_test[*].id
+
+  idle_timeout               = 30
+  enable_deletion_protection = false
+
+  tls_version_and_cipher_suite = %t
+
+  tags = {
+    Name = "TestAccAWSALB_basic"
+  }
+}
+
+variable "subnets" {
+  default = ["10.0.1.0/24", "10.0.2.0/24"]
+  type    = list(string)
+}
+
+resource "aws_vpc" "alb_test" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "terraform-testacc-lb-basic"
+  }
+}
+
+resource "aws_subnet" "alb_test" {
+  count                   = 2
+  vpc_id                  = aws_vpc.alb_test.id
+  cidr_block              = element(var.subnets, count.index)
+  map_public_ip_on_launch = true
+  availability_zone       = element(data.aws_availability_zones.available.names, count.index)
+
+  tags = {
+    Name = "tf-acc-lb-basic-${count.index}"
+  }
+}
+
+resource "aws_security_group" "alb_test" {
+  name        = "allow_all_alb_test"
+  description = "Used for ALB Testing"
+  vpc_id      = aws_vpc.alb_test.id
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "TestAccAWSALB_basic"
+  }
+}
+`, lbName, tls_version_and_cipher_suite))
+}
+
+func testAccLoadBalancerConfig_updateXFFClientPort(lbName string, xff_client_port bool) string {
+	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptIn(), fmt.Sprintf(`
+resource "aws_lb" "lb_test" {
+  name            = "%s"
+  internal        = true
+  security_groups = [aws_security_group.alb_test.id]
+  subnets         = aws_subnet.alb_test[*].id
+
+  idle_timeout               = 30
+  enable_deletion_protection = false
+
+  xff_client_port = %t
+
+  tags = {
+    Name = "TestAccAWSALB_basic"
+  }
+}
+
+variable "subnets" {
+  default = ["10.0.1.0/24", "10.0.2.0/24"]
+  type    = list(string)
+}
+
+resource "aws_vpc" "alb_test" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "terraform-testacc-lb-basic"
+  }
+}
+
+resource "aws_subnet" "alb_test" {
+  count                   = 2
+  vpc_id                  = aws_vpc.alb_test.id
+  cidr_block              = element(var.subnets, count.index)
+  map_public_ip_on_launch = true
+  availability_zone       = element(data.aws_availability_zones.available.names, count.index)
+
+  tags = {
+    Name = "tf-acc-lb-basic-${count.index}"
+  }
+}
+
+resource "aws_security_group" "alb_test" {
+  name        = "allow_all_alb_test"
+  description = "Used for ALB Testing"
+  vpc_id      = aws_vpc.alb_test.id
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "TestAccAWSALB_basic"
+  }
+}
+`, lbName, xff_client_port))
+}
+
 func testAccLoadBalancerConfig_enableDropInvalidHeaderFields(lbName string, dropInvalid bool) string {
 	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptIn(), fmt.Sprintf(`
 resource "aws_lb" "lb_test" {

@@ -109,6 +109,8 @@ Terraform will autogenerate a name beginning with `tf-lb`.
 * `load_balancer_type` - (Optional) The type of load balancer to create. Possible values are `application`, `gateway`, or `network`. The default value is `application`.
 * `security_groups` - (Optional) A list of security group IDs to assign to the LB. Only valid for Load Balancers of type `application`.
 * `drop_invalid_header_fields` - (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type `application`.
+* `tls_version_and_cipher_suite` - (Optional) Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is `false`. Only valid for Load Balancers of type `application`.
+* `xff_client_port` - (Optional) Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is `false`. Only valid for Load Balancers of type `application`.
 * `access_logs` - (Optional) An Access Logs block. Access Logs documented below.
 * `subnets` - (Optional) A list of subnet IDs to attach to the LB. Subnets
 cannot be updated for Load Balancers of type `network`. Changing this value