From 7a958b43aff63d0d925b70d87be1f4463d1988ea Mon Sep 17 00:00:00 2001 From: nikhil Date: Thu, 2 May 2024 23:01:44 +0100 Subject: [PATCH 1/6] aws_route53_resolver_firewall_rule --- .../service/route53resolver/firewall_rule.go | 25 ++++++-- .../route53resolver/firewall_rule_test.go | 59 +++++++++++++++++++ 2 files changed, 78 insertions(+), 6 deletions(-) diff --git a/internal/service/route53resolver/firewall_rule.go b/internal/service/route53resolver/firewall_rule.go index c7796cb93d0..9f0f10b5f3a 100644 --- a/internal/service/route53resolver/firewall_rule.go +++ b/internal/service/route53resolver/firewall_rule.go @@ -65,6 +65,12 @@ func ResourceFirewallRule() *schema.Resource { Required: true, ValidateFunc: validation.StringLenBetween(1, 64), }, + "firewall_domain_redirection_action": { + Type: schema.TypeString, + Required: true, + Default: route53resolver.FirewallDomainRedirectionActionInspectRedirectionDomain, + ValidateFunc: validation.StringInSlice(route53resolver.FirewallDomainRedirectionAction_Values(), false), + }, "firewall_rule_group_id": { Type: schema.TypeString, ForceNew: true, 
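Review bot: The new `firewall_domain_redirection_action` schema entry carries no comment on what its two values mean for filtering, and `TRUST_REDIRECTION_DOMAIN` is the one a practitioner needs to recognise as a weakening: going by the value names and the description added in patch 3, it tells DNS Firewall not to evaluate the targets of CNAME/DNAME/ALIAS redirections against the rule's domain list, so a block rule can be sidestepped through an alias chain the operator does not control. I would put above the field `// INSPECT_REDIRECTION_DOMAIN (default) also evaluates CNAME/DNAME/ALIAS targets against the domain list;` and `// TRUST_REDIRECTION_DOMAIN skips that check, so only set it for redirection chains you control end to end.` Whether the default chosen here matches what the service reports for rules that predate this attribute is not shown by the hunk; worth confirming so existing state does not pick up a diff. The `ResourceFirewallRule` schema continues outside the hunk. Separately, patch 3's website line reads `CNAME, DNAME, ot ALIAS` where `or ALIAS` is meant.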
@@ -89,15 +95,17 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met firewallDomainListID := d.Get("firewall_domain_list_id").(string) firewallRuleGroupID := d.Get("firewall_rule_group_id").(string) + FirewallDomainRedirectionAction := d.Get("firewall_domain_redirection_action").(string) ruleID := FirewallRuleCreateResourceID(firewallRuleGroupID, firewallDomainListID) name := d.Get("name").(string) input := &route53resolver.CreateFirewallRuleInput{ - Action: aws.String(d.Get("action").(string)), - CreatorRequestId: aws.String(id.PrefixedUniqueId("tf-r53-resolver-firewall-rule-")), - FirewallRuleGroupId: aws.String(firewallRuleGroupID), - FirewallDomainListId: aws.String(firewallDomainListID), - Name: aws.String(name), - Priority: aws.Int64(int64(d.Get("priority").(int))), + Action: aws.String(d.Get("action").(string)), + CreatorRequestId: aws.String(id.PrefixedUniqueId("tf-r53-resolver-firewall-rule-")), + FirewallRuleGroupId: aws.String(firewallRuleGroupID), + FirewallDomainListId: aws.String(firewallDomainListID), + FirewallDomainRedirectionAction: aws.String(FirewallDomainRedirectionAction), + Name: aws.String(name), + Priority: aws.Int64(int64(d.Get("priority").(int))), } if v, ok := d.GetOk("block_override_dns_type"); ok { @@ -155,6 +163,7 @@ func resourceFirewallRuleRead(ctx context.Context, d *schema.ResourceData, meta d.Set("block_response", firewallRule.BlockResponse) d.Set("firewall_rule_group_id", firewallRule.FirewallRuleGroupId) d.Set("firewall_domain_list_id", firewallRule.FirewallDomainListId) + d.Set("firewall_domain_redirection_action", firewallRule.FirewallDomainRedirectionAction) d.Set("name", firewallRule.Name) d.Set("priority", firewallRule.Priority) 
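Review bot: In resourceFirewallRuleRead the new `d.Set("firewall_domain_redirection_action", firewallRule.FirewallDomainRedirectionAction)` passes the raw `*string` through; if the service returns it unset for a rule created before this attribute existed (the hunk shows nothing either way), state ends up empty or cleared while the schema default is `INSPECT_REDIRECTION_DOMAIN`, giving a permanent plan diff on every pre-existing rule. If that case is real, normalise on read as below; if the API is known to always populate it, a one-line comment saying so would save the next reader the same question. The rest of the read function, including how `firewallRule` is fetched, lies outside the hunk.
```go
// … unchanged: earlier d.Set calls …
// Rules created before this attribute existed may come back without it;
// fall back to the schema default so existing state does not diff forever.
action := route53resolver.FirewallDomainRedirectionActionInspectRedirectionDomain
if v := firewallRule.FirewallDomainRedirectionAction; v != nil {
	action = aws.StringValue(v)
}
d.Set("firewall_domain_redirection_action", action)
// … unchanged: name and priority …
```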
@@ -194,6 +203,10 @@ func resourceFirewallRuleUpdate(ctx context.Context, d *schema.ResourceData, met input.BlockResponse = aws.String(v.(string)) } + if v, ok := d.GetOk("firewall_domain_redirection_action"); ok { + input.FirewallDomainRedirectionAction = aws.String(v.(string)) + } + _, err = conn.UpdateFirewallRuleWithContext(ctx, input) if err != nil { diff --git a/internal/service/route53resolver/firewall_rule_test.go b/internal/service/route53resolver/firewall_rule_test.go index fbfeb84a325..cf519ee9584 100644 --- a/internal/service/route53resolver/firewall_rule_test.go +++ b/internal/service/route53resolver/firewall_rule_test.go @@ -39,6 +39,7 @@ func TestAccRoute53ResolverFirewallRule_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "action", "ALLOW"), resource.TestCheckResourceAttrPair(resourceName, "firewall_rule_group_id", "aws_route53_resolver_firewall_rule_group.test", "id"), resource.TestCheckResourceAttrPair(resourceName, "firewall_domain_list_id", "aws_route53_resolver_firewall_domain_list.test", "id"), + resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"), resource.TestCheckResourceAttr(resourceName, "priority", "100"), ), }, 
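Review bot: The `d.GetOk` guard around `input.FirewallDomainRedirectionAction` in resourceFirewallRuleUpdate can never be false once the schema supplies a default and the validator only admits the two enum values, so it reads as though omitting the value were possible while Create in this same series sends it unconditionally. Assigning it the same way, `input.FirewallDomainRedirectionAction = aws.String(d.Get("firewall_domain_redirection_action").(string))`, keeps the two paths consistent and makes explicit that an update always re-asserts the inspection setting instead of relying on the API to preserve a previous one. If the intent is to send it only when it changed, `d.HasChange("firewall_domain_redirection_action")` states that more honestly than `GetOk`. The `input` value is built earlier in the function, outside the hunk.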
@@ -51,6 +52,43 @@ func TestAccRoute53ResolverFirewallRule_basic(t *testing.T) { }) } +func TestAccRoute53ResolverFirewallRule_update_firewallDomainRedirectionAction(t *testing.T) { + ctx := acctest.Context(t) + var v route53resolver.FirewallRule + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_route53_resolver_firewall_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, names.Route53ResolverServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckFirewallRuleDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccFirewallRuleConfig_basic(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckFirewallRuleExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "name", rName), + resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccFirewallRuleConfig_firewallDomainRedirectionAction(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckFirewallRuleExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "name", rName), + resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "TRUST_REDIRECTION_DOMAIN"), + ), + }, + }, + }) +} + func TestAccRoute53ResolverFirewallRule_block(t *testing.T) { ctx := acctest.Context(t) var v route53resolver.FirewallRule 
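Review bot: TestAccRoute53ResolverFirewallRule_update_firewallDomainRedirectionAction only moves from the default to `TRUST_REDIRECTION_DOMAIN`; it never drives the rule back, so the transition that matters most (re-enabling inspection after it was switched off) and the Update path that sends `INSPECT_REDIRECTION_DOMAIN` go untested. A final step that applies `testAccFirewallRuleConfig_basic(rName)` again and asserts the attribute returns to `INSPECT_REDIRECTION_DOMAIN` covers it, and an import step after the TRUST step would also confirm that value round-trips through Read.
```go
// … unchanged: existing three steps …
{
	Config: testAccFirewallRuleConfig_basic(rName),
	Check: resource.ComposeTestCheckFunc(
		testAccCheckFirewallRuleExists(ctx, resourceName, &v),
		resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"),
	),
},
```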
@@ -221,6 +259,27 @@ resource "aws_route53_resolver_firewall_rule" "test" { `, rName) } +func testAccFirewallRuleConfig_firewallDomainRedirectionAction(rName string) string { + return fmt.Sprintf(` +resource "aws_route53_resolver_firewall_rule_group" "test" { + name = %[1]q +} + +resource "aws_route53_resolver_firewall_domain_list" "test" { + name = %[1]q +} + +resource "aws_route53_resolver_firewall_rule" "test" { + name = %[1]q + action = "ALLOW" + firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.test.id + firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.test.id + firewall_domain_redirection_action = "TRUST_REDIRECTION_DOMAIN" + priority = 100 +} +`, rName) +} + func testAccFirewallRuleConfig_block(rName, blockResponse string) string { return fmt.Sprintf(` resource "aws_route53_resolver_firewall_rule_group" "test" { From 9c8e9f6a79c4544a4fafef3abab0fc3e47136711 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 3 May 2024 18:31:57 +0100 Subject: [PATCH 2/6] aws_route53_resolver_firewall_rule --- .changelog/37242.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/37242.txt diff --git a/.changelog/37242.txt b/.changelog/37242.txt new file mode 100644 index 00000000000..5d845c364e7 --- /dev/null +++ b/.changelog/37242.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_route53_resolver_firewall_rule: Add `firewall_domain_redirection_action` argument +``` \ No newline at end of file From e4a5ba576e5c204884f4ec79beff8df3c4dac091 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 3 May 2024 18:35:53 +0100 Subject: [PATCH 3/6] aws_route53_resolver_firewall_rule --- website/docs/r/route53_resolver_firewall_rule.html.markdown | 1 + 1 file changed, 1 insertion(+) diff --git a/website/docs/r/route53_resolver_firewall_rule.html.markdown b/website/docs/r/route53_resolver_firewall_rule.html.markdown index cb1c128b7e2..7f9cd98117c 100644 --- a/website/docs/r/route53_resolver_firewall_rule.html.markdown 
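Review bot: testAccFirewallRuleConfig_firewallDomainRedirectionAction hard-codes `TRUST_REDIRECTION_DOMAIN` and otherwise repeats the basic configuration line for line; taking the action as a parameter lets the acceptance test set `INSPECT_REDIRECTION_DOMAIN` explicitly and flip between the two without another copy of the config. Concretely: `func testAccFirewallRuleConfig_firewallDomainRedirectionAction(rName, action string) string {`, `firewall_domain_redirection_action = %[2]q`, and `` `, rName, action) ``. The sibling `testAccFirewallRuleConfig_block(rName, blockResponse string)` visible just below already follows that pattern.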
+++ b/website/docs/r/route53_resolver_firewall_rule.html.markdown @@ -48,6 +48,7 @@ This resource supports the following arguments: * `block_override_ttl` - (Required if `block_response` is `OVERRIDE`) The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Minimum value of 0. Maximum value of 604800. * `block_response` - (Required if `action` is `BLOCK`) The way that you want DNS Firewall to block the request. Valid values: `NODATA`, `NXDOMAIN`, `OVERRIDE`. * `firewall_domain_list_id` - (Required) The ID of the domain list that you want to use in the rule. +* `firewall_domain_redirection_action` - (Optional) Evaluate DNS redirection in the DNS redirection chain, such as CNAME, DNAME, ot ALIAS. Valid values are `INSPECT_REDIRECTION_DOMAIN` and `TRUST_REDIRECTION_DOMAIN`. Default value is `INSPECT_REDIRECTION_DOMAIN`. * `firewall_rule_group_id` - (Required) The unique identifier of the firewall rule group where you want to create the rule. * `priority` - (Required) The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting. From d964b3e5ed06361a9a4b5791a7b93b68ad01de02 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 3 May 2024 18:45:26 +0100 Subject: [PATCH 4/6] firewall_domain_redirection_action --- internal/service/route53resolver/firewall_rule.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/route53resolver/firewall_rule.go b/internal/service/route53resolver/firewall_rule.go index 9f0f10b5f3a..3117abe3aed 100644 --- a/internal/service/route53resolver/firewall_rule.go +++ b/internal/service/route53resolver/firewall_rule.go 
@@ -67,7 +67,7 @@ func ResourceFirewallRule() *schema.Resource { }, "firewall_domain_redirection_action": { Type: schema.TypeString, - Required: true, + Optional: true, Default: route53resolver.FirewallDomainRedirectionActionInspectRedirectionDomain, ValidateFunc: validation.StringInSlice(route53resolver.FirewallDomainRedirectionAction_Values(), false), }, From 257b7eaa4f78308c705cf550d915a1d1def56060 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 24 Jun 2024 08:34:05 -0400 Subject: [PATCH 5/6] Cosmetics. --- internal/service/route53resolver/firewall_rule.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/service/route53resolver/firewall_rule.go b/internal/service/route53resolver/firewall_rule.go index 8817ef87d52..4a430020c5d 100644 --- a/internal/service/route53resolver/firewall_rule.go +++ b/internal/service/route53resolver/firewall_rule.go @@ -98,7 +98,6 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met firewallDomainListID := d.Get("firewall_domain_list_id").(string) firewallRuleGroupID := d.Get("firewall_rule_group_id").(string) - FirewallDomainRedirectionAction := d.Get("firewall_domain_redirection_action").(string) ruleID := FirewallRuleCreateResourceID(firewallRuleGroupID, firewallDomainListID) name := d.Get(names.AttrName).(string) input := &route53resolver.CreateFirewallRuleInput{ @@ -106,7 +105,7 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met CreatorRequestId: aws.String(id.PrefixedUniqueId("tf-r53-resolver-firewall-rule-")), FirewallRuleGroupId: aws.String(firewallRuleGroupID), FirewallDomainListId: aws.String(firewallDomainListID), - FirewallDomainRedirectionAction: aws.String(FirewallDomainRedirectionAction), + FirewallDomainRedirectionAction: aws.String(d.Get("firewall_domain_redirection_action").(string)), Name: aws.String(name), } From ab3beead7bc9e0d3161b2fa32f6efd0c5de726e9 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Mon, 24 Jun 2024 08:39:31 -0400 Subject: [PATCH 6/6] Fix merge conflict typo. --- internal/service/route53resolver/firewall_rule.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/service/route53resolver/firewall_rule.go b/internal/service/route53resolver/firewall_rule.go index 4a430020c5d..381d1503000 100644 --- a/internal/service/route53resolver/firewall_rule.go +++ b/internal/service/route53resolver/firewall_rule.go @@ -107,6 +107,7 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met FirewallDomainListId: aws.String(firewallDomainListID), FirewallDomainRedirectionAction: aws.String(d.Get("firewall_domain_redirection_action").(string)), Name: aws.String(name), + Priority: aws.Int64(int64(d.Get(names.AttrPriority).(int))), } if v, ok := d.GetOk("block_override_dns_type"); ok {