resource/aws_lb_listener: Update validation and flattener and expander for `mutual_authentication`

[gdavison]

Description

In the AWS API, the valid values for MutualAuthenticationAttributes depends on the value of Mode.

When the mode is off, no other values can be set.
When the mode is passthrough, only TrustStoreArn can be set.
When the mode is validate, both TrustStoreArn and IgnoreClientCertificateExpiry can be set, and IgnoreClientCertificateExpiry should default to false.

The provider schema currently defaults ignore_client_certificate_expiry to false in all cases, and allows both ignore_client_certificate_expiry and trust_store_arn to be set regardless of the value of mode.

• Add a plan modifier to ignore_client_certificate_expiry to default to false only if mode is validate, and null otherwise Has to be handled in flatteners and expanders in SDK
• Add a validator to only allow ignore_client_certificate_expiry to be set if mode is validate
• Add a validator to only allow trust_store_arn to be set and required it if mode is validate
• Add a validator to only allow advertise_trust_store_ca_names to be set if mode is validate

This is a breaking change

Affected Resource(s) and/or Data Source(s)

aws_lb_listener

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[wvannuffele4]

In addition to the suggestions made here, TrustStoreArn is currently mandatory when the mode is passthrough.

This should not be the case. It is not logical to require a trust store when using passthrough mode, and the AWS API does not enforce this. We've tested passthrough mTLS functionality on listeners without a truststore and this works as you'd expect.

[YakDriver]

To clarify, we will update the aws_lb_listener resource to improve validation and handling of the mutual_authentication attributes. Currently, the provider schema incorrectly defaults ignore_client_certificate_expiry to false in all cases and allows both ignore_client_certificate_expiry and trust_store_arn to be set regardless of the mode value. We will modify the schema to enforce the correct behavior: ignore_client_certificate_expiry will default to false only when mode is validate and will be null otherwise. Additionally, we will introduce validation rules to ensure ignore_client_certificate_expiry can only be set when mode is validate, and trust_store_arn can only be set when mode is validate or passthrough. Finally, we will remove the incorrect requirement that trust_store_arn must be set when mode is passthrough, aligning the provider with the AWS API behavior.

The user impact will be that configurations relying on previously incorrect defaults or invalid attribute combinations may now fail validation. Users setting ignore_client_certificate_expiry when mode is not validate or requiring trust_store_arn in passthrough mode will need to update their configurations. However, this change brings the provider in line with AWS API expectations, ensuring more predictable and accurate behavior.

[jar-b]

Closed via #42326. These changes will be available in the v6.0.0 beta release later next week.

[github-actions]

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.