From a6de08837563b235389d9b8ad7a9dd092eeab195 Mon Sep 17 00:00:00 2001
From: "Mosley, Franklin" <Franklin.Mosley@ellucian.com>
Date: Mon, 14 Mar 2016 23:13:44 -0500
Subject: [PATCH 1/6] Add new resource aws_lb_ssl_negotiation_policy

Added new resource to create an AWS ELB SSL negotiation policy, and an
acceptance test.
---
 builtin/providers/aws/provider.go             |   1 +
 .../resource_aws_lb_ssl_negotiation_policy.go | 181 ++++++++++++
 ...urce_aws_lb_ssl_negotiation_policy_test.go | 272 ++++++++++++++++++
 builtin/providers/aws/structure.go            |  38 +++
 4 files changed, 492 insertions(+)
 create mode 100644 builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
 create mode 100644 builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go

diff --git a/builtin/providers/aws/provider.go b/builtin/providers/aws/provider.go
index dab42ba87c..c16e8cf9d3 100644
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@@ -223,6 +223,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_load_balancer_policy":                     resourceAwsLoadBalancerPolicy(),
 			"aws_load_balancer_backend_server_policy":      resourceAwsLoadBalancerBackendServerPolicies(),
 			"aws_load_balancer_listener_policy":            resourceAwsLoadBalancerListenerPolicies(),
+			"aws_lb_ssl_negotiation_policy":                resourceAwsLBSSLNegotiationPolicy(),
 			"aws_main_route_table_association":             resourceAwsMainRouteTableAssociation(),
 			"aws_nat_gateway":                              resourceAwsNatGateway(),
 			"aws_network_acl":                              resourceAwsNetworkAcl(),
diff --git a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
new file mode 100644
index 0000000000..cee4a4d44e
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
@@ -0,0 +1,181 @@
+package aws
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/elb"
+	"github.com/hashicorp/terraform/helper/hashcode"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsLBSSLNegotiationPolicy() *schema.Resource {
+	return &schema.Resource{
+		// There is no concept of "updating" an LB policy in
+		// the AWS API.
+		Create: resourceAwsLBSSLNegotiationPolicyCreate,
+		Read:   resourceAwsLBSSLNegotiationPolicyRead,
+		Delete: resourceAwsLBSSLNegotiationPolicyDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"load_balancer": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"lb_port": &schema.Schema{
+				Type:     schema.TypeInt,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"attribute": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				ForceNew: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"value": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["name"].(string)))
+					return hashcode.String(buf.String())
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsLBSSLNegotiationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	// Provision the SSLNegotiationPolicy
+	lbspOpts := &elb.CreateLoadBalancerPolicyInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		PolicyName:       aws.String(d.Get("name").(string)),
+		PolicyTypeName:   aws.String("SSLNegotiationPolicyType"),
+	}
+
+	// Check for Policy Attributes
+	if v, ok := d.GetOk("attribute"); ok {
+		// Expand the "attribute" set to aws-sdk-go compat []*elb.PolicyAttribute
+		lbspOpts.PolicyAttributes = expandPolicyAttributes(v.(*schema.Set).List())
+	}
+
+	log.Printf("[DEBUG] Load Balancer Policy opts: %#v", lbspOpts)
+	if _, err := elbconn.CreateLoadBalancerPolicy(lbspOpts); err != nil {
+		return fmt.Errorf("Error creating Load Balancer Policy: %s", err)
+	}
+
+	setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
+		PolicyNames:      []*string{aws.String(d.Get("name").(string))},
+	}
+
+	log.Printf("[DEBUG] SSL Negotiation create configuration: %#v", setLoadBalancerOpts)
+	if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
+		return fmt.Errorf("Error setting SSLNegotiationPolicy: %s", err)
+	}
+
+	d.SetId(fmt.Sprintf("%s:%d:%s",
+		*lbspOpts.LoadBalancerName,
+		*setLoadBalancerOpts.LoadBalancerPort,
+		*lbspOpts.PolicyName))
+	return nil
+}
+
+func resourceAwsLBSSLNegotiationPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	lbName, lbPort, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
+
+	request := &elb.DescribeLoadBalancerPoliciesInput{
+		LoadBalancerName: aws.String(lbName),
+		PolicyNames:      []*string{aws.String(policyName)},
+	}
+
+	getResp, err := elbconn.DescribeLoadBalancerPolicies(request)
+	if err != nil {
+		if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() == "PolicyNotFound" {
+			// The policy is gone.
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error retrieving policy: %s", err)
+	}
+
+	if len(getResp.PolicyDescriptions) != 1 {
+		return fmt.Errorf("Unable to find policy %#v", getResp.PolicyDescriptions)
+	}
+
+	// We can get away with this because there's only one policy returned
+	policyDesc := getResp.PolicyDescriptions[0]
+	attributes := flattenPolicyAttributes(policyDesc.PolicyAttributeDescriptions)
+	d.Set("attributes", attributes)
+
+	d.Set("name", policyName)
+	d.Set("load_balancer", lbName)
+	d.Set("lb_port", lbPort)
+
+	return nil
+}
+
+func resourceAwsLBSSLNegotiationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	elbconn := meta.(*AWSClient).elbconn
+
+	lbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(d.Id())
+
+	// Perversely, if we Set an empty list of PolicyNames, we detach the
+	// policies attached to a listener, which is required to delete the
+	// policy itself.
+	setLoadBalancerOpts := &elb.SetLoadBalancerPoliciesOfListenerInput{
+		LoadBalancerName: aws.String(d.Get("load_balancer").(string)),
+		LoadBalancerPort: aws.Int64(int64(d.Get("lb_port").(int))),
+		PolicyNames:      []*string{},
+	}
+
+	if _, err := elbconn.SetLoadBalancerPoliciesOfListener(setLoadBalancerOpts); err != nil {
+		return fmt.Errorf("Error removing SSLNegotiationPolicy: %s", err)
+	}
+
+	request := &elb.DeleteLoadBalancerPolicyInput{
+		LoadBalancerName: aws.String(lbName),
+		PolicyName:       aws.String(policyName),
+	}
+
+	if _, err := elbconn.DeleteLoadBalancerPolicy(request); err != nil {
+		return fmt.Errorf("Error deleting SSL negotiation policy %s: %s", d.Id(), err)
+	}
+	return nil
+}
+
+// resourceAwsLBSSLNegotiationPolicyParseId takes an ID and parses it into
+// it's constituent parts. You need three axes (LB name, policy name, and LB
+// port) to create or identify an SSL negotiation policy in AWS's API.
+func resourceAwsLBSSLNegotiationPolicyParseId(id string) (string, string, string) {
+	parts := strings.SplitN(id, ":", 3)
+	return parts[0], parts[1], parts[2]
+}
diff --git a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
new file mode 100644
index 0000000000..58d948468f
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
@@ -0,0 +1,272 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/elb"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSLBSSLNegotiationPolicy_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckLBSSLNegotiationPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccSslNegotiationPolicyConfig(
+					fmt.Sprintf("tf-acctest-%s", acctest.RandString(10))),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLBSSLNegotiationPolicy(
+						"aws_elb.lb",
+						"aws_lb_ssl_negotiation_policy.foo",
+					),
+					resource.TestCheckResourceAttr(
+						"aws_lb_ssl_negotiation_policy.foo", "attribute.#", "7"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckLBSSLNegotiationPolicyDestroy(s *terraform.State) error {
+	elbconn := testAccProvider.Meta().(*AWSClient).elbconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_elb" && rs.Type != "aws_lb_ssl_negotiation_policy" {
+			continue
+		}
+
+		// Check that the ELB is destroyed
+		if rs.Type == "aws_elb" {
+			describe, err := elbconn.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
+				LoadBalancerNames: []*string{aws.String(rs.Primary.ID)},
+			})
+
+			if err == nil {
+				if len(describe.LoadBalancerDescriptions) != 0 &&
+					*describe.LoadBalancerDescriptions[0].LoadBalancerName == rs.Primary.ID {
+					return fmt.Errorf("ELB still exists")
+				}
+			}
+
+			// Verify the error
+			providerErr, ok := err.(awserr.Error)
+			if !ok {
+				return err
+			}
+
+			if providerErr.Code() != "LoadBalancerNotFound" {
+				return fmt.Errorf("Unexpected error: %s", err)
+			}
+		} else {
+			// Check that the SSL Negotiation Policy is destroyed
+			elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(rs.Primary.ID)
+			_, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
+				LoadBalancerName: aws.String(elbName),
+				PolicyNames:      []*string{aws.String(policyName)},
+			})
+
+			if err == nil {
+				return fmt.Errorf("ELB SSL Negotiation Policy still exists")
+			}
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckLBSSLNegotiationPolicy(elbResource string, policyResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[elbResource]
+		if !ok {
+			return fmt.Errorf("Not found: %s", elbResource)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		policy, ok := s.RootModule().Resources[policyResource]
+		if !ok {
+			return fmt.Errorf("Not found: %s", policyResource)
+		}
+
+		elbconn := testAccProvider.Meta().(*AWSClient).elbconn
+
+		elbName, _, policyName := resourceAwsLBSSLNegotiationPolicyParseId(policy.Primary.ID)
+		resp, err := elbconn.DescribeLoadBalancerPolicies(&elb.DescribeLoadBalancerPoliciesInput{
+			LoadBalancerName: aws.String(elbName),
+			PolicyNames:      []*string{aws.String(policyName)},
+		})
+
+		if err != nil {
+			fmt.Printf("[ERROR] Problem describing load balancer policy '%s': %s", policyName, err)
+			return err
+		}
+
+		if len(resp.PolicyDescriptions) != 1 {
+			return fmt.Errorf("Unable to find policy %#v", resp.PolicyDescriptions)
+		}
+
+		attrmap := policyAttributesToMap(&resp.PolicyDescriptions[0].PolicyAttributeDescriptions)
+		if attrmap["Protocol-TLSv1"] != "false" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1' was of value %s instead of false!", attrmap["Protocol-TLSv1"])
+		}
+		if attrmap["Protocol-TLSv1.1"] != "false" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1.1' was of value %s instead of false!", attrmap["Protocol-TLSv1.1"])
+		}
+		if attrmap["Protocol-TLSv1.2"] != "true" {
+			return fmt.Errorf("Policy attribute 'Protocol-TLSv1.2' was of value %s instead of true!", attrmap["Protocol-TLSv1.2"])
+		}
+		if attrmap["Server-Defined-Cipher-Order"] != "true" {
+			return fmt.Errorf("Policy attribute 'Server-Defined-Cipher-Order' was of value %s instead of true!", attrmap["Server-Defined-Cipher-Order"])
+		}
+		if attrmap["ECDHE-RSA-AES128-GCM-SHA256"] != "true" {
+			return fmt.Errorf("Policy attribute 'ECDHE-RSA-AES128-GCM-SHA256' was of value %s instead of true!", attrmap["ECDHE-RSA-AES128-GCM-SHA256"])
+		}
+		if attrmap["AES128-GCM-SHA256"] != "true" {
+			return fmt.Errorf("Policy attribute 'AES128-GCM-SHA256' was of value %s instead of true!", attrmap["AES128-GCM-SHA256"])
+		}
+		if attrmap["EDH-RSA-DES-CBC3-SHA"] != "false" {
+			return fmt.Errorf("Policy attribute 'EDH-RSA-DES-CBC3-SHA' was of value %s instead of false!", attrmap["EDH-RSA-DES-CBC3-SHA"])
+		}
+
+		return nil
+	}
+}
+
+func policyAttributesToMap(attributes *[]*elb.PolicyAttributeDescription) map[string]string {
+	attrmap := make(map[string]string)
+
+	for _, attrdef := range *attributes {
+		attrmap[*attrdef.AttributeName] = *attrdef.AttributeValue
+	}
+
+	return attrmap
+}
+
+// Sets the SSL Negotiation policy with attributes.
+// The IAM Server Cert config is lifted from
+// builtin/providers/aws/resource_aws_iam_server_certificate_test.go
+func testAccSslNegotiationPolicyConfig(certName string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_server_certificate" "test_cert" {
+  name = "%s"
+  certificate_body = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfACAQEwDQYJKoZIhvcNAQELBQAwgY4xCzAJBgNVBAYTAlVTMREwDwYD
+VQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlvcmsxFjAUBgNVBAoMDUJhcmVm
+b290IExhYnMxGDAWBgNVBAMMD0phc29uIEJlcmxpbnNreTEnMCUGCSqGSIb3DQEJ
+ARYYamFzb25AYmFyZWZvb3Rjb2RlcnMuY29tMB4XDTE1MDYyMTA1MzcwNVoXDTE2
+MDYyMDA1MzcwNVowgYgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEL
+MAkGA1UEBwwCTlkxFjAUBgNVBAoMDUJhcmVmb290IExhYnMxGDAWBgNVBAMMD0ph
+c29uIEJlcmxpbnNreTEnMCUGCSqGSIb3DQEJARYYamFzb25AYmFyZWZvb3Rjb2Rl
+cnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2AVGKRIx+EFM0kkg7
+6GoJv9uy0biEDHB4phQBqnDIf8J8/gq9eVvQrR5jJC9Uz4zp5wG/oLZlGuF92/jD
+bI/yS+DOAjrh30vN79Au74jGN2Cw8fIak40iDUwjZaczK2Gkna54XIO9pqMcbQ6Q
+mLUkQXsqlJ7Q4X2kL3b9iMsXcQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCDGNvU
+eioQMVPNlmmxW3+Rwo0Kl+/HtUOmqUDKUDvJnelxulBr7O8w75N/Z7h7+aBJCUkt
+tz+DwATZswXtsal6TuzHHpAhpFql82jQZVE8OYkrX84XKRQpm8ZnbyZObMdXTJWk
+ArC/rGVIWsvhlbgGM8zu7a3zbeuAESZ8Bn4ZbJxnoaRK8p36/alvzAwkgzSf3oUX
+HtU4LrdunevBs6/CbKCWrxYcvNCy8EcmHitqCfQL5nxCCXpgf/Mw1vmIPTwbPSJq
+oUkh5yjGRKzhh7QbG1TlFX6zUp4vb+UJn5+g4edHrqivRSjIqYrC45ygVMOABn21
+hpMXOlZL+YXfR4Kp
+-----END CERTIFICATE-----
+EOF
+  certificate_chain = <<EOF
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIJAKX2xeCkfFcbMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRYw
+FAYDVQQKDA1CYXJlZm9vdCBMYWJzMRgwFgYDVQQDDA9KYXNvbiBCZXJsaW5za3kx
+JzAlBgkqhkiG9w0BCQEWGGphc29uQGJhcmVmb290Y29kZXJzLmNvbTAeFw0xNTA2
+MjEwNTM2MDZaFw0yNTA2MTgwNTM2MDZaMIGOMQswCQYDVQQGEwJVUzERMA8GA1UE
+CAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRYwFAYDVQQKDA1CYXJlZm9v
+dCBMYWJzMRgwFgYDVQQDDA9KYXNvbiBCZXJsaW5za3kxJzAlBgkqhkiG9w0BCQEW
+GGphc29uQGJhcmVmb290Y29kZXJzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMteFbwfLz7NyQn3eDxxw22l1ZPBrzfPON0HOAq8nHat4kT4A2cI
+45kCtxKMzCVoG84tXoX/rbjGkez7lz9lEfvEuSh+I+UqinFA/sefhcE63foVMZu1
+2t6O3+utdxBvOYJwAQaiGW44x0h6fTyqDv6Gc5Ml0uoIVeMWPhT1MREoOcPDz1gb
+Ep3VT2aqFULLJedP37qbzS4D04rn1tS7pcm3wYivRyjVNEvs91NsWEvvE1WtS2Cl
+2RBt+ihXwq4UNB9UPYG75+FuRcQQvfqameyweyKT9qBmJLELMtYa/KTCYvSch4JY
+YVPAPOlhFlO4BcTto/gpBes2WEAWZtE/jnECAwEAAaNQME4wHQYDVR0OBBYEFOna
+aiYnm5583EY7FT/mXwTBuLZgMB8GA1UdIwQYMBaAFOnaaiYnm5583EY7FT/mXwTB
+uLZgMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABp/dKQ489CCzzB1
+IX78p6RFAdda4e3lL6uVjeS3itzFIIiKvdf1/txhmsEeCEYz0El6aMnXLkpk7jAr
+kCwlAOOz2R2hlA8k8opKTYX4IQQau8DATslUFAFOvRGOim/TD/Yuch+a/VF2VQKz
+L2lUVi5Hjp9KvWe2HQYPjnJaZs/OKAmZQ4uP547dqFrTz6sWfisF1rJ60JH70cyM
+qjZQp/xYHTZIB8TCPvLgtVIGFmd/VAHVBFW2p9IBwtSxBIsEPwYQOV3XbwhhmGIv
+DWx5TpnEzH7ZM33RNbAKcdwOBxdRY+SI/ua5hYCm4QngAqY69lEuk4zXZpdDLPq1
+qxxQx0E=
+-----END CERTIFICATE-----
+EOF
+	private_key =  <<EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD2AVGKRIx+EFM0kkg76GoJv9uy0biEDHB4phQBqnDIf8J8/gq9
+eVvQrR5jJC9Uz4zp5wG/oLZlGuF92/jDbI/yS+DOAjrh30vN79Au74jGN2Cw8fIa
+k40iDUwjZaczK2Gkna54XIO9pqMcbQ6QmLUkQXsqlJ7Q4X2kL3b9iMsXcQIDAQAB
+AoGALmVBQ5p6BKx/hMKx7NqAZSZSAP+clQrji12HGGlUq/usanZfAC0LK+f6eygv
+5QbfxJ1UrxdYTukq7dm2qOSooOMUuukWInqC6ztjdLwH70CKnl0bkNB3/NkW2VNc
+32YiUuZCM9zaeBuEUclKNs+dhD2EeGdJF8KGntWGOTU/M4ECQQD9gdYb38PvaMdu
+opM3sKJF5n9pMoLDleBpCGqq3nD3DFn0V6PHQAwn30EhRN+7BbUEpde5PmfoIdAR
+uDlj/XPlAkEA+GyY1e4uU9rz+1K4ubxmtXTp9ZIR2LsqFy5L/MS5hqX2zq5GGq8g
+jZYDxnxPEUrxaWQH4nh0qdu3skUBi4a0nQJBAKJaqLkpUd7eB/t++zHLWeHSgP7q
+bny8XABod4f+9fICYwntpuJQzngqrxeTeIXaXdggLkxg/0LXhN4UUg0LoVECQQDE
+Pi1h2dyY+37/CzLH7q+IKopjJneYqQmv9C+sxs70MgjM7liM3ckub9IdqrdfJr+c
+DJw56APo5puvZNm6mbf1AkBVMDyfdOOyoHpJjrhmZWo6QqynujfwErrBYQ0sZQ3l
+O57Z0RUNQ8DRyymhLd2t5nAHTfpcFA1sBeKE6CziLbZB
+-----END RSA PRIVATE KEY-----
+EOF
+}
+resource "aws_elb" "lb" {
+	name = "test-lb"
+    availability_zones = ["us-east-1a"]
+    listener {
+    	instance_port = 8000
+        instance_protocol = "https"
+        lb_port = 443
+        lb_protocol = "https"
+        ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
+	}
+}
+resource "aws_lb_ssl_negotiation_policy" "foo" {
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
+	lb_port = 443
+	attribute {
+    	name = "Protocol-TLSv1"
+        value = "false"
+    }
+    attribute {
+        name = "Protocol-TLSv1.1"
+        value = "false" 
+    }       
+    attribute {
+        name = "Protocol-TLSv1.2"
+        value = "true"
+    }
+    attribute {
+        name = "Server-Defined-Cipher-Order"
+        value = "true"
+    }       
+    attribute {
+        name = "ECDHE-RSA-AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "EDH-RSA-DES-CBC3-SHA"
+        value = "false"
+    }
+}
+`, certName)
+}
diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index cdedb27ca0..db4e548a0d 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@@ -1447,3 +1447,41 @@ func (s setMap) Map() map[string]interface{} {
 func (s setMap) MapList() []map[string]interface{} {
 	return []map[string]interface{}{s.Map()}
 }
+
+// Takes the result of flatmap.Expand for an array of policy attributes and
+// returns ELB API compatible objects
+func expandPolicyAttributes(configured []interface{}) []*elb.PolicyAttribute {
+	attributes := make([]*elb.PolicyAttribute, 0, len(configured))
+
+	// Loop over our configured attributes and create
+	// an array of aws-sdk-go compatible objects
+	for _, lRaw := range configured {
+		data := lRaw.(map[string]interface{})
+
+		a := &elb.PolicyAttribute{
+			AttributeName:  aws.String(data["name"].(string)),
+			AttributeValue: aws.String(data["value"].(string)),
+		}
+
+		attributes = append(attributes, a)
+
+	}
+
+	return attributes
+}
+
+// Flattens an array of PolicyAttributes into a []interface{}
+func flattenPolicyAttributes(list []*elb.PolicyAttributeDescription) []interface{} {
+	attributes := []interface{}{}
+	for _, attrdef := range list {
+		attribute := map[string]string{
+			"name":  *attrdef.AttributeName,
+			"value": *attrdef.AttributeValue,
+		}
+
+		attributes = append(attributes, attribute)
+
+	}
+
+	return attributes
+}

From 8a24dd8efe0dafb441e6ed8183114900fd9e66fe Mon Sep 17 00:00:00 2001
From: "Mosley, Franklin" <Franklin.Mosley@ellucian.com>
Date: Mon, 14 Mar 2016 23:25:15 -0500
Subject: [PATCH 2/6] Added resource documentation.

Updated the Terraform documentation to add a new page, and a link in
the sidebar, for the aws_lb_ssl_negotiation_policy resource.
---
 .../r/lb_ssl_negotiation_policy.html.markdown | 87 +++++++++++++++++++
 website/source/layouts/aws.erb                |  4 +
 2 files changed, 91 insertions(+)
 create mode 100644 website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown

diff --git a/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown b/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
new file mode 100644
index 0000000000..f0b690ab75
--- /dev/null
+++ b/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
@@ -0,0 +1,87 @@
+---
+layout: "aws"
+page_title: "AWS: aws_lb_ssl_negotiation_policy"
+sidebar_current: "docs-aws-resource-lb-ssl-negotiation-policy"
+description: |-
+  Provides a load balancer SSL negotiation policy, which allows an ELB to control which ciphers and protocols are supported during SSL negotiations between a client and a load balancer.
+---
+
+# aws\_lb\_ssl\_negotiation\_policy
+
+Provides a load balancer SSL negotiation policy, which allows an ELB to control the ciphers and protocols that are supported during SSL negotiations between a client and a load balancer.
+
+## Example Usage
+
+```
+resource "aws_elb" "lb" {
+	name = "test-lb"
+    availability_zones = ["us-east-1a"]
+    listener {
+        instance_port = 8000
+        instance_protocol = "https"
+        lb_port = 443
+        lb_protocol = "https"
+        ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
+    }
+}
+
+resource "aws_lb_ssl_negotiation_policy" "foo" {
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
+	lb_port = 443
+	attribute {
+    	name = "Protocol-TLSv1"
+        value = "false"
+    }
+    attribute {
+        name = "Protocol-TLSv1.1"
+        value = "false" 
+    }       
+    attribute {
+        name = "Protocol-TLSv1.2"
+        value = "true"
+    }
+    attribute {
+        name = "Server-Defined-Cipher-Order"
+        value = "true"
+    }       
+    attribute {
+        name = "ECDHE-RSA-AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "AES128-GCM-SHA256"
+        value = "true"
+    }
+    attribute {
+        name = "EDH-RSA-DES-CBC3-SHA"
+        value = "false"
+    }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the SSL negotiation policy.
+* `load_balancer` - (Required) The load balancer to which the policy
+  should be attached.
+* `lb_port` - (Required) The load balancer port to which the policy
+  should be applied. This must be an active listener on the load
+balancer.
+* `attribute` - (At least one Required) An SSL Negotiation policy attribute. Each has two properties:
+	* `name` - The name of the attribute
+	* `value` - The value of the attribute
+
+To set your attributes, please see the [AWS Elastic Load Balancer Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The ID of the policy.
+* `name` - The name of the stickiness policy.
+* `load_balancer` - The load balancer to which the policy is attached.
+* `lb_port` - The load balancer port to which the policy is applied.
+* `attribute` - The SSL Negotiation policy attributes.
diff --git a/website/source/layouts/aws.erb b/website/source/layouts/aws.erb
index 6f9fbbe72e..6f1f4f1831 100644
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@@ -288,6 +288,10 @@
                             <a href="/docs/providers/aws/r/load_balancer_policy.html">aws_load_balancer_policy</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-lb-ssl-negotiation-policy") %>>
+                            <a href="/docs/providers/aws/r/lb_ssl_negotiation_policy.html">aws_lb_ssl_negotiation_policy</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-aws-resource-placement-group") %>>
                             <a href="/docs/providers/aws/r/placement_group.html">aws_placement_group</a>
                         </li>

From eb0cd14f416c56a8a2009c30fe47cb9c099546f0 Mon Sep 17 00:00:00 2001
From: "Mosley, Franklin" <Franklin.Mosley@ellucian.com>
Date: Tue, 15 Mar 2016 00:27:58 -0500
Subject: [PATCH 3/6] Changed `attribute` argument to be optional.

Changed the `attribute` argument of the resource to be optional vs.
required.
---
 .../providers/aws/resource_aws_lb_ssl_negotiation_policy.go   | 2 +-
 .../providers/aws/r/lb_ssl_negotiation_policy.html.markdown   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
index cee4a4d44e..dd8129de43 100644
--- a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
@@ -42,7 +42,7 @@ func resourceAwsLBSSLNegotiationPolicy() *schema.Resource {
 
 			"attribute": &schema.Schema{
 				Type:     schema.TypeSet,
-				Required: true,
+				Optional: true,
 				ForceNew: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
diff --git a/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown b/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
index f0b690ab75..e45b00a7ba 100644
--- a/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
+++ b/website/source/docs/providers/aws/r/lb_ssl_negotiation_policy.html.markdown
@@ -70,11 +70,11 @@ The following arguments are supported:
 * `lb_port` - (Required) The load balancer port to which the policy
   should be applied. This must be an active listener on the load
 balancer.
-* `attribute` - (At least one Required) An SSL Negotiation policy attribute. Each has two properties:
+* `attribute` - (Optional) An SSL Negotiation policy attribute. Each has two properties:
 	* `name` - The name of the attribute
 	* `value` - The value of the attribute
 
-To set your attributes, please see the [AWS Elastic Load Balancer Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
+To set your attributes, please see the [AWS Elastic Load Balancing Developer Guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) for a listing of the supported SSL protocols, SSL options, and SSL ciphers.
 
 ## Attributes Reference
 

From 6d7933b41a2c8376106d7615e4ed59cd37bb3d7c Mon Sep 17 00:00:00 2001
From: "Mosley, Franklin" <Franklin.Mosley@ellucian.com>
Date: Tue, 15 Mar 2016 02:20:50 -0500
Subject: [PATCH 4/6] Added tests for
 expandPolicyAttributes/flattenPolicyAttributes

---
 .../resource_aws_lb_ssl_negotiation_policy.go |   6 +-
 builtin/providers/aws/structure.go            |   4 +-
 builtin/providers/aws/structure_test.go       | 104 ++++++++++++++++++
 3 files changed, 111 insertions(+), 3 deletions(-)

diff --git a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
index dd8129de43..5d0ae78506 100644
--- a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy.go
@@ -80,8 +80,12 @@ func resourceAwsLBSSLNegotiationPolicyCreate(d *schema.ResourceData, meta interf
 
 	// Check for Policy Attributes
 	if v, ok := d.GetOk("attribute"); ok {
+		var err error
 		// Expand the "attribute" set to aws-sdk-go compat []*elb.PolicyAttribute
-		lbspOpts.PolicyAttributes = expandPolicyAttributes(v.(*schema.Set).List())
+		lbspOpts.PolicyAttributes, err = expandPolicyAttributes(v.(*schema.Set).List())
+		if err != nil {
+			return err
+		}
 	}
 
 	log.Printf("[DEBUG] Load Balancer Policy opts: %#v", lbspOpts)
diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index db4e548a0d..0c9fb77ce2 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@@ -1450,7 +1450,7 @@ func (s setMap) MapList() []map[string]interface{} {
 
 // Takes the result of flatmap.Expand for an array of policy attributes and
 // returns ELB API compatible objects
-func expandPolicyAttributes(configured []interface{}) []*elb.PolicyAttribute {
+func expandPolicyAttributes(configured []interface{}) ([]*elb.PolicyAttribute, error) {
 	attributes := make([]*elb.PolicyAttribute, 0, len(configured))
 
 	// Loop over our configured attributes and create
@@ -1467,7 +1467,7 @@ func expandPolicyAttributes(configured []interface{}) []*elb.PolicyAttribute {
 
 	}
 
-	return attributes
+	return attributes, nil
 }
 
 // Flattens an array of PolicyAttributes into a []interface{}
diff --git a/builtin/providers/aws/structure_test.go b/builtin/providers/aws/structure_test.go
index d83e458a40..f80c4bb320 100644
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@@ -1012,3 +1012,107 @@ func TestFlattenApiGatewayStageKeys(t *testing.T) {
 		}
 	}
 }
+
+func TestExpandPolicyAttributes(t *testing.T) {
+	expanded := []interface{}{
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1",
+			"value": "false",
+		},
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.1",
+			"value": "false",
+		},
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.2",
+			"value": "true",
+		},
+	}
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	if len(attributes) != 3 {
+		t.Fatalf("expected number of attributes to be 3, but got %s", len(attributes))
+	}
+
+	expected := &elb.PolicyAttribute{
+		AttributeName:  aws.String("Protocol-TLSv1.2"),
+		AttributeValue: aws.String("true"),
+	}
+
+	if !reflect.DeepEqual(attributes[2], expected) {
+		t.Fatalf(
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
+			attributes[2],
+			expected)
+	}
+}
+
+func TestExpandPolicyAttributes_invalid(t *testing.T) {
+	expanded := []interface{}{
+		map[string]interface{}{
+			"name":  "Protocol-TLSv1.2",
+			"value": "true",
+		},
+	}
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	expected := &elb.PolicyAttribute{
+		AttributeName:  aws.String("Protocol-TLSv1.2"),
+		AttributeValue: aws.String("false"),
+	}
+
+	if reflect.DeepEqual(attributes[0], expected) {
+		t.Fatalf(
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
+			attributes[0],
+			expected)
+	}
+}
+
+func TestExpandPolicyAttributes_empty(t *testing.T) {
+	var expanded []interface{}
+
+	attributes, err := expandPolicyAttributes(expanded)
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	if len(attributes) != 0 {
+		t.Fatalf("expected number of attributes to be 0, but got %s", len(attributes))
+	}
+}
+
+func TestFlattenPolicyAttributes(t *testing.T) {
+	cases := []struct {
+		Input  []*elb.PolicyAttributeDescription
+		Output []interface{}
+	}{
+		{
+			Input: []*elb.PolicyAttributeDescription{
+				&elb.PolicyAttributeDescription{
+					AttributeName:  aws.String("Protocol-TLSv1.2"),
+					AttributeValue: aws.String("true"),
+				},
+			},
+			Output: []interface{}{
+				map[string]string{
+					"name":  "Protocol-TLSv1.2",
+					"value": "true",
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		output := flattenPolicyAttributes(tc.Input)
+		if !reflect.DeepEqual(output, tc.Output) {
+			t.Fatalf("Got:\n\n%#v\n\nExpected:\n\n%#v", output, tc.Output)
+		}
+	}
+}

From 4d55b8e9eaad1587fab4805a068658dc192ba3d4 Mon Sep 17 00:00:00 2001
From: "Mosley, Franklin" <Franklin.Mosley@ellucian.com>
Date: Tue, 15 Mar 2016 14:49:50 -0500
Subject: [PATCH 5/6] Corrected printf verb of wrong type

Corrected printf verb by changing it from a string type to an int type.
---
 builtin/providers/aws/structure_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/providers/aws/structure_test.go b/builtin/providers/aws/structure_test.go
index f80c4bb320..90a66653b9 100644
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@@ -1034,7 +1034,7 @@ func TestExpandPolicyAttributes(t *testing.T) {
 	}
 
 	if len(attributes) != 3 {
-		t.Fatalf("expected number of attributes to be 3, but got %s", len(attributes))
+		t.Fatalf("expected number of attributes to be 3, but got %d", len(attributes))
 	}
 
 	expected := &elb.PolicyAttribute{
@@ -1084,7 +1084,7 @@ func TestExpandPolicyAttributes_empty(t *testing.T) {
 	}
 
 	if len(attributes) != 0 {
-		t.Fatalf("expected number of attributes to be 0, but got %s", len(attributes))
+		t.Fatalf("expected number of attributes to be 0, but got %d", len(attributes))
 	}
 }
 

From 742089f10c3a30ebbf0020edff9053bc857d6a30 Mon Sep 17 00:00:00 2001
From: Kraig Amador <Kraig.Amador@ticketmaster.com>
Date: Wed, 10 Aug 2016 13:31:36 -0700
Subject: [PATCH 6/6] Fixing the certs, test now passes

---
 ...urce_aws_lb_ssl_negotiation_policy_test.go | 109 ++++++++----------
 1 file changed, 50 insertions(+), 59 deletions(-)

diff --git a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
index 58d948468f..8244ce093c 100644
--- a/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
+++ b/builtin/providers/aws/resource_aws_lb_ssl_negotiation_policy_test.go
@@ -161,78 +161,69 @@ resource "aws_iam_server_certificate" "test_cert" {
   name = "%s"
   certificate_body = <<EOF
 -----BEGIN CERTIFICATE-----
-MIIDCDCCAfACAQEwDQYJKoZIhvcNAQELBQAwgY4xCzAJBgNVBAYTAlVTMREwDwYD
-VQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlvcmsxFjAUBgNVBAoMDUJhcmVm
-b290IExhYnMxGDAWBgNVBAMMD0phc29uIEJlcmxpbnNreTEnMCUGCSqGSIb3DQEJ
-ARYYamFzb25AYmFyZWZvb3Rjb2RlcnMuY29tMB4XDTE1MDYyMTA1MzcwNVoXDTE2
-MDYyMDA1MzcwNVowgYgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEL
-MAkGA1UEBwwCTlkxFjAUBgNVBAoMDUJhcmVmb290IExhYnMxGDAWBgNVBAMMD0ph
-c29uIEJlcmxpbnNreTEnMCUGCSqGSIb3DQEJARYYamFzb25AYmFyZWZvb3Rjb2Rl
-cnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2AVGKRIx+EFM0kkg7
-6GoJv9uy0biEDHB4phQBqnDIf8J8/gq9eVvQrR5jJC9Uz4zp5wG/oLZlGuF92/jD
-bI/yS+DOAjrh30vN79Au74jGN2Cw8fIak40iDUwjZaczK2Gkna54XIO9pqMcbQ6Q
-mLUkQXsqlJ7Q4X2kL3b9iMsXcQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCDGNvU
-eioQMVPNlmmxW3+Rwo0Kl+/HtUOmqUDKUDvJnelxulBr7O8w75N/Z7h7+aBJCUkt
-tz+DwATZswXtsal6TuzHHpAhpFql82jQZVE8OYkrX84XKRQpm8ZnbyZObMdXTJWk
-ArC/rGVIWsvhlbgGM8zu7a3zbeuAESZ8Bn4ZbJxnoaRK8p36/alvzAwkgzSf3oUX
-HtU4LrdunevBs6/CbKCWrxYcvNCy8EcmHitqCfQL5nxCCXpgf/Mw1vmIPTwbPSJq
-oUkh5yjGRKzhh7QbG1TlFX6zUp4vb+UJn5+g4edHrqivRSjIqYrC45ygVMOABn21
-hpMXOlZL+YXfR4Kp
+MIICqzCCAhSgAwIBAgIJAOH3Ca1oeCfOMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
+FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxNDEwWhcNMTcwODEw
+MTcxNDEwWjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIG
+A1UEBwwLTG9zIEFuZ2VsZXMxEjAQBgNVBAoMCUhhc2hpY29ycDEWMBQGA1UEAwwN
+aGFzaGljb3JwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlQMKKTiK
+bawxxGOwX9iyIm/ITyVwjnSyyZ8kuz7flXUAw4u/ZqGmRck0gdOBlzPcvdu/ngCZ
+wMg6x03oe7iouDQHapQ6kCAUwl6zDmSOnjj8b4fKiaxW6Kw/UynrUjbjbdqKKsH3
+fBYxa1sIVhnsDBCaOnnznkCXFbeiMeUX6YkCAwEAAaN7MHkwCQYDVR0TBAIwADAs
+BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFB+VNDp3tesqOLJTZEbOXIzINdecMB8GA1UdIwQYMBaAFDnmEwagl6fs
+/9oVTSmNdPUkhaRDMA0GCSqGSIb3DQEBBQUAA4GBAHMTokhZfM66L1dI8e21p4yp
+F2GMGYNqR2CLy7pCk3z9NovB5F1plk1cDnbpJPS/jXU7N5i3LgfjjbYmlNsezV3u
+gzYm7p7D6/AiMheL6VljPor5ZXXcq2yZ3xMJu6/hrSJGj0wtg9xsNPYPDGCyH+iI
+zAYQVBuFaLoTi3Fs7g1s
 -----END CERTIFICATE-----
 EOF
   certificate_chain = <<EOF
 -----BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIJAKX2xeCkfFcbMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD
-VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRYw
-FAYDVQQKDA1CYXJlZm9vdCBMYWJzMRgwFgYDVQQDDA9KYXNvbiBCZXJsaW5za3kx
-JzAlBgkqhkiG9w0BCQEWGGphc29uQGJhcmVmb290Y29kZXJzLmNvbTAeFw0xNTA2
-MjEwNTM2MDZaFw0yNTA2MTgwNTM2MDZaMIGOMQswCQYDVQQGEwJVUzERMA8GA1UE
-CAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRYwFAYDVQQKDA1CYXJlZm9v
-dCBMYWJzMRgwFgYDVQQDDA9KYXNvbiBCZXJsaW5za3kxJzAlBgkqhkiG9w0BCQEW
-GGphc29uQGJhcmVmb290Y29kZXJzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAMteFbwfLz7NyQn3eDxxw22l1ZPBrzfPON0HOAq8nHat4kT4A2cI
-45kCtxKMzCVoG84tXoX/rbjGkez7lz9lEfvEuSh+I+UqinFA/sefhcE63foVMZu1
-2t6O3+utdxBvOYJwAQaiGW44x0h6fTyqDv6Gc5Ml0uoIVeMWPhT1MREoOcPDz1gb
-Ep3VT2aqFULLJedP37qbzS4D04rn1tS7pcm3wYivRyjVNEvs91NsWEvvE1WtS2Cl
-2RBt+ihXwq4UNB9UPYG75+FuRcQQvfqameyweyKT9qBmJLELMtYa/KTCYvSch4JY
-YVPAPOlhFlO4BcTto/gpBes2WEAWZtE/jnECAwEAAaNQME4wHQYDVR0OBBYEFOna
-aiYnm5583EY7FT/mXwTBuLZgMB8GA1UdIwQYMBaAFOnaaiYnm5583EY7FT/mXwTB
-uLZgMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABp/dKQ489CCzzB1
-IX78p6RFAdda4e3lL6uVjeS3itzFIIiKvdf1/txhmsEeCEYz0El6aMnXLkpk7jAr
-kCwlAOOz2R2hlA8k8opKTYX4IQQau8DATslUFAFOvRGOim/TD/Yuch+a/VF2VQKz
-L2lUVi5Hjp9KvWe2HQYPjnJaZs/OKAmZQ4uP547dqFrTz6sWfisF1rJ60JH70cyM
-qjZQp/xYHTZIB8TCPvLgtVIGFmd/VAHVBFW2p9IBwtSxBIsEPwYQOV3XbwhhmGIv
-DWx5TpnEzH7ZM33RNbAKcdwOBxdRY+SI/ua5hYCm4QngAqY69lEuk4zXZpdDLPq1
-qxxQx0E=
+MIICyzCCAjSgAwIBAgIJAOH3Ca1oeCfNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlIYXNoaWNvcnAx
+FjAUBgNVBAMTDWhhc2hpY29ycC5jb20wHhcNMTYwODEwMTcxMTAzWhcNMTkwODEw
+MTcxMTAzWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
+A1UEChMJSGFzaGljb3JwMRYwFAYDVQQDEw1oYXNoaWNvcnAuY29tMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQDOOIUDgTP+v6yXq0cI99S99jrczNv274BfmBzS
+XhExPnm62s5dnLGtzFokat/DIN0pyOh0C4+QnS4Qk7r31UCh1jLJRVkJJHtet8TM
+7PhebIUIAFaQQ5+792L7ZkCXkzl0MxENeE0avGUf5QXMd7/eUt36BOS4KaEfGVUw
+2Ldy0wIDAQABo4GwMIGtMB0GA1UdDgQWBBQ55hMGoJen7P/aFU0pjXT1JIWkQzB+
+BgNVHSMEdzB1gBQ55hMGoJen7P/aFU0pjXT1JIWkQ6FSpFAwTjELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoTCUhhc2hpY29ycDEWMBQG
+A1UEAxMNaGFzaGljb3JwLmNvbYIJAOH3Ca1oeCfNMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEAvKhhRHHWuUl253pjlQJxHqJLv3a9g7pcF0vGkImw30lu
+B0LFpM6xZmfoFR3aflTWDGHDbwNbP+VatZNwZt7GpO7qiLOXCV9/UM0utxI1Doyd
+6oOaCDXtDDI9NliSFyAvNG5PKafR3ysWHsqEa/7VDWnRGYvCAIsaAEyurl4Gogk=
 -----END CERTIFICATE-----
 EOF
-	private_key =  <<EOF
+  private_key =  <<EOF
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQD2AVGKRIx+EFM0kkg76GoJv9uy0biEDHB4phQBqnDIf8J8/gq9
-eVvQrR5jJC9Uz4zp5wG/oLZlGuF92/jDbI/yS+DOAjrh30vN79Au74jGN2Cw8fIa
-k40iDUwjZaczK2Gkna54XIO9pqMcbQ6QmLUkQXsqlJ7Q4X2kL3b9iMsXcQIDAQAB
-AoGALmVBQ5p6BKx/hMKx7NqAZSZSAP+clQrji12HGGlUq/usanZfAC0LK+f6eygv
-5QbfxJ1UrxdYTukq7dm2qOSooOMUuukWInqC6ztjdLwH70CKnl0bkNB3/NkW2VNc
-32YiUuZCM9zaeBuEUclKNs+dhD2EeGdJF8KGntWGOTU/M4ECQQD9gdYb38PvaMdu
-opM3sKJF5n9pMoLDleBpCGqq3nD3DFn0V6PHQAwn30EhRN+7BbUEpde5PmfoIdAR
-uDlj/XPlAkEA+GyY1e4uU9rz+1K4ubxmtXTp9ZIR2LsqFy5L/MS5hqX2zq5GGq8g
-jZYDxnxPEUrxaWQH4nh0qdu3skUBi4a0nQJBAKJaqLkpUd7eB/t++zHLWeHSgP7q
-bny8XABod4f+9fICYwntpuJQzngqrxeTeIXaXdggLkxg/0LXhN4UUg0LoVECQQDE
-Pi1h2dyY+37/CzLH7q+IKopjJneYqQmv9C+sxs70MgjM7liM3ckub9IdqrdfJr+c
-DJw56APo5puvZNm6mbf1AkBVMDyfdOOyoHpJjrhmZWo6QqynujfwErrBYQ0sZQ3l
-O57Z0RUNQ8DRyymhLd2t5nAHTfpcFA1sBeKE6CziLbZB
+MIICXQIBAAKBgQCVAwopOIptrDHEY7Bf2LIib8hPJXCOdLLJnyS7Pt+VdQDDi79m
+oaZFyTSB04GXM9y927+eAJnAyDrHTeh7uKi4NAdqlDqQIBTCXrMOZI6eOPxvh8qJ
+rFborD9TKetSNuNt2ooqwfd8FjFrWwhWGewMEJo6efOeQJcVt6Ix5RfpiQIDAQAB
+AoGAdx8p9U/84bXhRxVGfyi1JvBjmlncxBUohCPT8lhN1qXlSW2jQgGB8ZHqhsq1
+c1GDaseMRFxIjaPD0WZHrvgs73ReoDGTLf9Ne3mkE3g8Rp0Bg8CFG8ZFHvCbzAtQ
+F441nXsa/E3fUajfuxOeIEz8sJUG8VpMMtNUGB2cmJxzlYECQQDGosn4g0trBkn+
+wwwJ3CEnymTUZxgFQWr4UhGnScRHaHBJmw0sW9KsVOB5D4DEw/O7BDdVvpCoBlG1
+GhL/XFcZAkEAwAuINbY5jKTpa2Xve1MUJXpgGpuraYWCXaAn9sdSUhm6wHONhDHr
+O0S0a3P0aMA5M4GQ5JHeUq53r8/2oP2j8QJBAIzObu+8WqT2Y1O1/f2rTtF/FnS+
+0/c9xU9cFemJUBryfM6gm/j66l+BF1KZ28UfxtGmjnc4zCBfwmHnptngIlkCQFv5
+aeuncRptpKjd8frTSBPG7x3vLgHkghIK8Pjcbw2I6wrejIkiSzFgbzQDHavJW9vS
+Eq2VOq/IhOO7qrdholECQQDFmlx7LQsVEOQ26xQX/ieZQolfDqZLA6zhJFec3k2l
+wbEcTx10meJdinnhawqW7L0bhifeiTaPxbaCBXv/wiiL
 -----END RSA PRIVATE KEY-----
 EOF
 }
 resource "aws_elb" "lb" {
-	name = "test-lb"
+  name = "test-lb"
     availability_zones = ["us-east-1a"]
     listener {
-    	instance_port = 8000
-        instance_protocol = "https"
-        lb_port = 443
-        lb_protocol = "https"
-        ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
+      instance_port = 8000
+      instance_protocol = "https"
+      lb_port = 443
+      lb_protocol = "https"
+      ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
 	}
 }
 resource "aws_lb_ssl_negotiation_policy" "foo" {