resource/aws_route53_resolver_firewall_domain_list: Add new resource

aws/internal/service/route53resolver/finder/finder.go

@@ -94,3 +94,23 @@ func FirewallRuleGroupByID(conn *route53resolver.Route53Resolver, firewallGroupI
 
 	return output.FirewallRuleGroup, nil
 }
+
+// FirewallDomainListByID returns the DNS Firewall rule group corresponding to the specified ID.
+// Returns nil if no DNS Firewall rule group is found.
+func FirewallDomainListByID(conn *route53resolver.Route53Resolver, firewallDomainListId string) (*route53resolver.FirewallDomainList, error) {
+	input := &route53resolver.GetFirewallDomainListInput{
+		FirewallDomainListId: aws.String(firewallDomainListId),
+	}
+
+	output, err := conn.GetFirewallDomainList(input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if output == nil {
+		return nil, nil
+	}
+
+	return output.FirewallDomainList, nil
+}

aws/internal/service/route53resolver/waiter/status.go

@@ -17,6 +17,9 @@ const (
 
 	resolverDnssecConfigStatusNotFound = "NotFound"
 	resolverDnssecConfigStatusUnknown  = "Unknown"
+
+	firewallDomainListStatusNotFound = "NotFound"
+	firewallDomainListStatusUnknown  = "Unknown"
 )
 
 // QueryLogConfigAssociationStatus fetches the QueryLogConfigAssociation and its Status
@@ -81,3 +84,24 @@ func DnssecConfigStatus(conn *route53resolver.Route53Resolver, dnssecConfigID st
 		return dnssecConfig, aws.StringValue(dnssecConfig.ValidationStatus), nil
 	}
 }
+
+// FirewallDomainListStatus fetches the FirewallDomainList and its Status
+func FirewallDomainListStatus(conn *route53resolver.Route53Resolver, firewallDomainListId string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		firewallDomainList, err := finder.FirewallDomainListByID(conn, firewallDomainListId)
+
+		if tfawserr.ErrCodeEquals(err, route53resolver.ErrCodeResourceNotFoundException) {
+			return nil, firewallDomainListStatusNotFound, nil
+		}
+
+		if err != nil {
+			return nil, firewallDomainListStatusUnknown, err
+		}
+
+		if firewallDomainList == nil {
+			return nil, firewallDomainListStatusNotFound, nil
+		}
+
+		return firewallDomainList, aws.StringValue(firewallDomainList.Status), nil
+	}
+}

aws/internal/service/route53resolver/waiter/waiter.go

@@ -1,8 +1,10 @@
 package waiter
 
 import (
+	"fmt"
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/route53resolver"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
@@ -25,6 +27,12 @@ const (
 
 	// Maximum amount of time to wait for a DnssecConfig to return DISABLED
 	DnssecConfigDeletedTimeout = 5 * time.Minute
+
+	// Maximum amount of time to wait for a FirewallDomainList to be updated
+	FirewallDomainListUpdatedTimeout = 5 * time.Minute
+
+	// Maximum amount of time to wait for a FirewallDomainList to be deleted
+	FirewallDomainListDeletedTimeout = 5 * time.Minute
 )
 
 // QueryLogConfigAssociationCreated waits for a QueryLogConfig to return ACTIVE
@@ -134,3 +142,48 @@ func DnssecConfigDisabled(conn *route53resolver.Route53Resolver, dnssecConfigID
 
 	return nil, err
 }
+
+// FirewallDomainListUpdated waits for a FirewallDomainList to be updated
+func FirewallDomainListUpdated(conn *route53resolver.Route53Resolver, firewallDomainListId string) (*route53resolver.FirewallDomainList, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{
+			route53resolver.FirewallDomainListStatusUpdating,
+			route53resolver.FirewallDomainListStatusImporting,
+		},
+		Target: []string{
+			route53resolver.FirewallDomainListStatusComplete,
+			route53resolver.FirewallDomainListStatusCompleteImportFailed,
+		},
+		Refresh: FirewallDomainListStatus(conn, firewallDomainListId),
+		Timeout: FirewallDomainListUpdatedTimeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if v, ok := outputRaw.(*route53resolver.FirewallDomainList); ok {
+		if aws.StringValue(v.Status) != route53resolver.FirewallDomainListStatusComplete {
+			err = fmt.Errorf("error updating Route 53 Resolver DNS Firewall domain list (%s): %s", firewallDomainListId, aws.StringValue(v.StatusMessage))
+		}
+		return v, err
+	}
+
+	return nil, err
+}
+
+// FirewallDomainListDeleted waits for a FirewallDomainList to be deleted
+func FirewallDomainListDeleted(conn *route53resolver.Route53Resolver, firewallDomainListId string) (*route53resolver.FirewallDomainList, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{route53resolver.FirewallDomainListStatusDeleting},
+		Target:  []string{},
+		Refresh: FirewallDomainListStatus(conn, firewallDomainListId),
+		Timeout: FirewallDomainListDeletedTimeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if v, ok := outputRaw.(*route53resolver.FirewallDomainList); ok {
+		return v, err
+	}
+
+	return nil, err
+}

aws/provider.go

@@ -918,6 +918,7 @@ func Provider() *schema.Provider {
 			"aws_route53_health_check":                                resourceAwsRoute53HealthCheck(),
 			"aws_route53_resolver_dnssec_config":                      resourceAwsRoute53ResolverDnssecConfig(),
 			"aws_route53_resolver_endpoint":                           resourceAwsRoute53ResolverEndpoint(),
+			"aws_route53_resolver_firewall_domain_list":               resourceAwsRoute53ResolverFirewallDomainList(),
 			"aws_route53_resolver_firewall_rule_group":                resourceAwsRoute53ResolverFirewallRuleGroup(),
 			"aws_route53_resolver_query_log_config":                   resourceAwsRoute53ResolverQueryLogConfig(),
 			"aws_route53_resolver_query_log_config_association":       resourceAwsRoute53ResolverQueryLogConfigAssociation(),

aws/resource_aws_route53_resolver_firewall_domain_list.go

@@ -0,0 +1,189 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/route53resolver"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/finder"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/waiter"
+)
+
+func resourceAwsRoute53ResolverFirewallDomainList() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsRoute53ResolverFirewallDomainListCreate,
+		Read:   resourceAwsRoute53ResolverFirewallDomainListRead,
+		Update: resourceAwsRoute53ResolverFirewallDomainListUpdate,
+		Delete: resourceAwsRoute53ResolverFirewallDomainListDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateRoute53ResolverName,
+			},
+
+			"domains": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				MinItems: 0,
+				MaxItems: 255,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+
+			"tags": tagsSchema(),
+		},
+	}
+}
+
+func resourceAwsRoute53ResolverFirewallDomainListCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).route53resolverconn
+
+	input := &route53resolver.CreateFirewallDomainListInput{
+		CreatorRequestId: aws.String(resource.PrefixedUniqueId("tf-r53-resolver-firewall-domain-list-")),
+		Name:             aws.String(d.Get("name").(string)),
+	}
+	if v, ok := d.GetOk("tags"); ok && len(v.(map[string]interface{})) > 0 {
+		input.Tags = keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().Route53resolverTags()
+	}
+
+	log.Printf("[DEBUG] Creating Route 53 Resolver DNS Firewall domain list: %#v", input)
+	output, err := conn.CreateFirewallDomainList(input)
+	if err != nil {
+		return fmt.Errorf("error creating Route 53 Resolver DNS Firewall domain list: %w", err)
+	}
+
+	d.SetId(aws.StringValue(output.FirewallDomainList.Id))
+	d.Set("arn", output.FirewallDomainList.Arn)
+
+	return resourceAwsRoute53ResolverFirewallDomainListUpdate(d, meta)
+}
+
+func resourceAwsRoute53ResolverFirewallDomainListRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).route53resolverconn
+	ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig
+
+	firewallDomainList, err := finder.FirewallDomainListByID(conn, d.Id())
+
+	if isAWSErr(err, route53resolver.ErrCodeResourceNotFoundException, "") {
+		log.Printf("[WARN] Route53 Resolver DNS Firewall domain list (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("error getting Route 53 Resolver DNS Firewall domain list (%s): %w", d.Id(), err)
+	}
+
+	if firewallDomainList == nil {
+		log.Printf("[WARN] Route 53 Resolver DNS Firewall domain list (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	arn := aws.StringValue(firewallDomainList.Arn)
+	d.Set("arn", arn)
+	d.Set("id", firewallDomainList.Id)
+	d.Set("name", firewallDomainList.Name)
+
+	input := &route53resolver.ListFirewallDomainsInput{
+		FirewallDomainListId: aws.String(d.Id()),
+	}
+
+	domains := []*string{}
+
+	err = conn.ListFirewallDomainsPages(input, func(output *route53resolver.ListFirewallDomainsOutput, lastPage bool) bool {
+		domains = append(domains, output.Domains...)
+		return !lastPage
+	})
+
+	if err != nil {
+		return fmt.Errorf("error listing Route 53 Resolver DNS Firewall domain list (%s) domains: %w", d.Id(), err)
+	}
+
+	d.Set("domains", flattenStringSet(domains))
+
+	tags, err := keyvaluetags.Route53resolverListTags(conn, arn)
+	if err != nil {
+		return fmt.Errorf("error listing tags for Route53 Resolver DNS Firewall domain list (%s): %w", arn, err)
+	}
+
+	if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
+		return fmt.Errorf("error setting tags: %w", err)
+	}
+
+	return nil
+}
+
+func resourceAwsRoute53ResolverFirewallDomainListUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).route53resolverconn
+
+	if v, ok := d.GetOk("domains"); ok && d.HasChange("domains") {
+		_, err := conn.UpdateFirewallDomains(&route53resolver.UpdateFirewallDomainsInput{
+			FirewallDomainListId: aws.String(d.Id()),
+			Domains:              expandStringSet(v.(*schema.Set)),
+			Operation:            aws.String(route53resolver.FirewallDomainUpdateOperationReplace),
+		})
+
+		if err != nil {
+			return fmt.Errorf("error updating Route 53 Resolver DNS Firewall domain list (%s) domains: %w", d.Id(), err)
+		}
+
+		_, err = waiter.FirewallDomainListUpdated(conn, d.Id())
+
+		if err != nil {
+			return fmt.Errorf("error waiting for Route 53 Resolver DNS Firewall domain list (%s) domains to be updated: %w", d.Id(), err)
+		}
+	}
+
+	if d.HasChange("tags") {
+		o, n := d.GetChange("tags")
+		if err := keyvaluetags.Route53resolverUpdateTags(conn, d.Get("arn").(string), o, n); err != nil {
+			return fmt.Errorf("error updating Route53 Resolver DNS Firewall domain list (%s) tags: %s", d.Get("arn").(string), err)
+		}
+	}
+
+	return resourceAwsRoute53ResolverFirewallDomainListRead(d, meta)
+}
+
+func resourceAwsRoute53ResolverFirewallDomainListDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).route53resolverconn
+
+	_, err := conn.DeleteFirewallDomainList(&route53resolver.DeleteFirewallDomainListInput{
+		FirewallDomainListId: aws.String(d.Id()),
+	})
+
+	if isAWSErr(err, route53resolver.ErrCodeResourceNotFoundException, "") {
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("error deleting Route 53 Resolver DNS Firewall domain list (%s): %w", d.Id(), err)
+	}
+
+	_, err = waiter.FirewallDomainListDeleted(conn, d.Id())
+
+	if err != nil {
+		return fmt.Errorf("error waiting for Route 53 Resolver DNS Firewall domain list (%s) to be deleted: %w", d.Id(), err)
+	}
+
+	return nil
+}