From f18a621d035562189035da8f1aaa61cdc580f371 Mon Sep 17 00:00:00 2001
From: Andrew Starr-Bochicchio
Date: Mon, 25 Mar 2019 18:39:33 -0400
Subject: [PATCH] Add support for enabling PROXY Protocol on Load Balancers.
---
 .../datasource_digitalocean_loadbalancer.go | 6 ++
 .../resource_digitalocean_loadbalancer.go | 8 +++
 ...resource_digitalocean_loadbalancer_test.go | 71 +++++++++++++++++++
 website/docs/r/loadbalancer.html.markdown | 3 +
 4 files changed, 88 insertions(+)
diff --git a/digitalocean/datasource_digitalocean_loadbalancer.go b/digitalocean/datasource_digitalocean_loadbalancer.go
index f4e8c816..c3ea057e 100644
--- a/digitalocean/datasource_digitalocean_loadbalancer.go
+++ b/digitalocean/datasource_digitalocean_loadbalancer.go
@@ -167,6 +167,11 @@ func dataSourceDigitalOceanLoadbalancer() *schema.Resource {
 Computed: true,
 Description: "whether http requests will be redirected to https",
 },
+ "enable_proxy_protocol": {
+ Type: schema.TypeBool,
+ Computed: true,
+ Description: "whether PROXY Protocol should be used to pass information from connecting client requests to the backend service",
+ },
 },
 }
 }
@@ -220,6 +225,7 @@ func dataSourceDigitalOceanLoadbalancerRead(d *schema.ResourceData, meta interfa
 d.Set("status", loadbalancer.Status)
 d.Set("droplet_tag", loadbalancer.Tag)
 d.Set("redirect_http_to_https", loadbalancer.RedirectHttpToHttps)
+ d.Set("enable_proxy_protocol", loadbalancer.EnableProxyProtocol)
 if err := d.Set("droplet_ids", flattenDropletIds(loadbalancer.DropletIDs)); err != nil {
 return fmt.Errorf("[DEBUG] Error setting Load Balancer droplet_ids - error: %#v", err)
diff --git a/digitalocean/resource_digitalocean_loadbalancer.go b/digitalocean/resource_digitalocean_loadbalancer.go
index e8ac79c2..2ba56bca 100644
--- a/digitalocean/resource_digitalocean_loadbalancer.go
+++ b/digitalocean/resource_digitalocean_loadbalancer.go
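Review bot: The added `d.Set("enable_proxy_protocol", loadbalancer.EnableProxyProtocol)` in dataSourceDigitalOceanLoadbalancerRead discards its return value, while the `droplet_ids` call just below checks it. If the key or type ever drifts from the schema, the failure is silent and the attribute reads as `false`, so state would misreport whether backends are being sent the PROXY header. I would write `if err := d.Set("enable_proxy_protocol", loadbalancer.EnableProxyProtocol); err != nil { return err }`. The same applies to the matching added line in resourceDigitalOceanLoadbalancerRead; both function bodies continue outside their hunks.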
@@ -199,6 +199,12 @@ func resourceDigitalOceanLoadbalancer() *schema.Resource { Default: false, }, + "enable_proxy_protocol": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "ip": { Type: schema.TypeString, Computed: true, @@ -259,6 +265,7 @@ func buildLoadBalancerRequest(d *schema.ResourceData) (*godo.LoadBalancerRequest Region: d.Get("region").(string), Algorithm: d.Get("algorithm").(string), RedirectHttpToHttps: d.Get("redirect_http_to_https").(bool), + EnableProxyProtocol: d.Get("enable_proxy_protocol").(bool), ForwardingRules: expandForwardingRules(d.Get("forwarding_rule").([]interface{})), } @@ -337,6 +344,7 @@ func resourceDigitalOceanLoadbalancerRead(d *schema.ResourceData, meta interface d.Set("algorithm", loadbalancer.Algorithm) d.Set("region", loadbalancer.Region.Slug) d.Set("redirect_http_to_https", loadbalancer.RedirectHttpToHttps) + d.Set("enable_proxy_protocol", loadbalancer.EnableProxyProtocol) d.Set("droplet_tag", loadbalancer.Tag) if err := d.Set("droplet_ids", flattenDropletIds(loadbalancer.DropletIDs)); err != nil { diff --git a/digitalocean/resource_digitalocean_loadbalancer_test.go b/digitalocean/resource_digitalocean_loadbalancer_test.go index a128c056..d5e60b0e 100644 --- a/digitalocean/resource_digitalocean_loadbalancer_test.go +++ b/digitalocean/resource_digitalocean_loadbalancer_test.go 
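Review bot: The `enable_proxy_protocol` entry added to resourceDigitalOceanLoadbalancer has no `Description`, unlike the data-source entry in the same patch, so nothing here tells an operator what the flag demands of the backends. With PROXY protocol on, the load balancer prepends a header carrying the client address, so backends must be set up to parse it and should accept it only from the load balancer; a backend that trusts the header from any peer lets the recorded client address be falsified in logs and IP-based access rules. I would add `Description: "whether PROXY Protocol is sent to backends; backends must expect it and be reachable only through the load balancer",` and repeat that caveat in the website docs. The field is `Optional` with no `ForceNew`, so it is presumably changed in place, which would break traffic to backends not yet configured for the header. The schema function continues outside the hunk.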
@@ -294,6 +294,44 @@ func TestAccDigitalOceanLoadbalancer_stickySessions(t *testing.T) {
 })
 }
+func TestAccDigitalOceanLoadbalancer_sslTermination(t *testing.T) {
+ var loadbalancer godo.LoadBalancer
+ rInt := acctest.RandInt()
+ privateKeyMaterial, leafCertMaterial, certChainMaterial := generateTestCertMaterial(t)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckDigitalOceanLoadbalancerDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccCheckDigitalOceanLoadbalancerConfig_sslTermination(rInt, privateKeyMaterial, leafCertMaterial, certChainMaterial),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckDigitalOceanLoadbalancerExists("digitalocean_loadbalancer.foobar", &loadbalancer),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "name", fmt.Sprintf("loadbalancer-%d", rInt)),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "region", "nyc3"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "forwarding_rule.#", "1"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "forwarding_rule.0.entry_port", "443"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "forwarding_rule.0.entry_protocol", "https"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "forwarding_rule.0.target_port", "80"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "forwarding_rule.0.target_protocol", "http"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "redirect_http_to_https", "true"),
+ resource.TestCheckResourceAttr(
+ "digitalocean_loadbalancer.foobar", "enable_proxy_protocol", "true"),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckDigitalOceanLoadbalancerDestroy(s *terraform.State) error {
 client := testAccProvider.Meta().(*CombinedConfig).godoClient()
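Review bot: The only coverage for `enable_proxy_protocol` is one assertion inside a test named `_sslTermination`, and it checks `"true"` on create only. Neither the `false` default nor an in-place change is exercised, so a regression in what appears to be the update path through buildLoadBalancerRequest would go unnoticed. I would add a second `resource.TestStep` with the flag dropped from the config, asserting `resource.TestCheckResourceAttr("digitalocean_loadbalancer.foobar", "enable_proxy_protocol", "false")`, or split this into a dedicated PROXY protocol test. The config helper this test relies on is cut off in the following hunk, so whether it actually sets the flag cannot be confirmed from here.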
@@ -502,3 +540,36 @@ resource "digitalocean_loadbalancer" "foobar" { droplet_ids = ["${digitalocean_droplet.foobar.id}"] }`, rInt, rInt) } + +func testAccCheckDigitalOceanLoadbalancerConfig_sslTermination(rInt int, privateKeyMaterial, leafCert, certChain string) string { + return fmt.Sprintf(` +resource "digitalocean_certificate" "foobar" { + name = "certificate-%d" + private_key = <