Add pagination to aws_route53_resolver_rule data source

[sheacloud]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

What

Updated the aws_route53_resolver_rule data source to use pagination when looking for matching rules. Currently it only calls ListResolverRules once, and if there are no returned results, it assumes there is no matching rule, even if there is a NextToken returned alongside it.

Why

Recently the route53 API behavior changed when calling ListResolverRules in an account with a large number of rules (100s+) where it sometimes returns 0 results but a pagination NextToken. After discussing this with AWS support, it was concluded that it is expected, valid behavior. The same behavior can be seen with other APIs such as dynamodb or cloudwatch logs when filtering a large number of resources.

Reproducing

The following terraform can be used to create an example environment which can then be used to reproduce the error

provider "aws" {
    region = "us-east-1"
}

resource "aws_vpc" "test" {
    cidr_block = "10.0.0.0/24"
}

resource "aws_subnet" "test1" {
    vpc_id = aws_vpc.test.id
    cidr_block = "10.0.0.0/25"
    availability_zone = "us-east-1a"
}

resource "aws_subnet" "test2" {
    vpc_id = aws_vpc.test.id
    cidr_block = "10.0.0.128/25"
    availability_zone = "us-east-1b"
}

resource "aws_security_group" "test" {
  name        = "test"
  description = "route53 resolver testing"
  vpc_id      = aws_vpc.test.id
}

resource "aws_route53_resolver_endpoint" "test" {
  name      = "test"
  direction = "OUTBOUND"

  security_group_ids = [
    aws_security_group.test.id,
  ]

  ip_address {
    subnet_id = aws_subnet.test1.id
  }

  ip_address {
    subnet_id = aws_subnet.test2.id
  }
}

resource "aws_route53_resolver_rule" "test" {
  count = 250
  domain_name          = "${count.index}-example.com"
  name                 = "test"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.test.id

  target_ip {
    ip = "123.45.67.89"
  }
}

The following template attempts to pull some of the rules as data sources, resulting in "no matching rules" errors

provider "aws" {
    region = "us-east-1"
}

data "aws_route53_resolver_rule" "test" {
    domain_name = "120-example.com"
}

data "aws_route53_resolver_rule" "test1" {
    domain_name = "121-example.com"
}

data "aws_route53_resolver_rule" "test2" {
    domain_name = "122-example.com"
}

data "aws_route53_resolver_rule" "test3" {
    domain_name = "123-example.com"
}

data "aws_route53_resolver_rule" "test4" {
    domain_name = "124-example.com"
}

You can also validate this using the AWS CLI with the 1st template deployed by running

$ aws route53resolver list-resolver-rules --filter="Name=DomainName,Values=111-example.com"

a few times, and eventually you should get a result like

{
    "NextToken": "V0001tvtOQSUoVeQKvRvZo7T56N5RBE7hqZsP7Yt59ZR8n984CYjL58T27bzWeDAUOHZ9ZYWxE/KT29A0bBp8TDR/SqqvSuK15h81Eh3VQ2BatSLuQ+mz9ednz14E3SdO8fojufpyAWBPRngEovMGVyG1aCw+ZeDGezMGCh7sSXNJhuRA0qoi2SG2xoVZy6dKMbMVYeEC/DzauOAc4KVPv1cMfpDBnflZLPZD1kOMWBqV3hUJp0/2uEe/4K+kotFQsx312rYOaQvlfX/yLFMR",
    "MaxResults": 30,
    "ResolverRules": []
}

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 2 -run=TestAccAWSRoute53ResolverRuleDataSource -timeout 180m
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_basic
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_basic
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_basic
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_basic (33.18s)
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
    data_source_aws_route53_resolver_rule_test.go:146: Step 1/1 error: Error running apply: exit status 1
        
        Error: no Route53 Resolver rules matched
        
          on terraform_plugin_test.tf line 145, in data "aws_route53_resolver_rule" "by_resolver_endpoint_id":
         145: data "aws_route53_resolver_rule" "by_resolver_endpoint_id" {
        
        
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
    data_source_aws_route53_resolver_rule_test.go:108: Step 1/1 error: Check failed: Check 9/13 error: data.aws_route53_resolver_rule.by_resolver_endpoint_id: Attribute 'share_status' expected "SHARED_BY_ME", got "NOT_SHARED"
--- FAIL: TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe (240.96s)
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
--- FAIL: TestAccAWSRoute53ResolverRuleDataSource_SharedByMe (237.65s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags (248.82s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	491.921s
FAIL
make: *** [testacc] Error 1

I'm having issues running the Shared* tests which interact with RAM in my accounts. I have RAM sharing at the org level enabled, so I'm not sure what is wrong, but I get the same errors when I run the tests against the code prior to my changes (i.e. checked out on the commit before my changes)

[github-actions]

Welcome @sheacloud 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[ewbankkit]

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccAWSRoute53ResolverRuleDataSource_'           
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverRuleDataSource_ -timeout 180m
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_basic
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_basic
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_basic
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
    provider_test.go:715: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
    provider_test.go:715: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
--- SKIP: TestAccAWSRoute53ResolverRuleDataSource_SharedByMe (0.81s)
--- SKIP: TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe (0.82s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_basic (38.68s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags (267.64s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       274.453s

[ewbankkit]

@sheacloud Thanks for the contribution 🎉 👏.

[github-actions]

This functionality has been released in v3.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.