

Merge pull request #37242 from nikhil-goenka/f-aws_route53_resolver_f…
…irewall_rule

aws_route53_resolver_firewall_rule
ewbankkit authored Jun 24, 2024
2 parents e38d04a + ab3beea commit 8926740
Showing 4 changed files with 81 additions and 6 deletions.
3 changes: 3 additions & 0 deletions .changelog/37242.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/aws_route53_resolver_firewall_rule: Add `firewall_domain_redirection_action` argument
```
24 changes: 18 additions & 6 deletions internal/service/route53resolver/firewall_rule.go
Expand Up @@ -67,6 +67,12 @@ func ResourceFirewallRule() *schema.Resource {
Required: true,
ValidateFunc: validation.StringLenBetween(1, 64),
},
"firewall_domain_redirection_action": {
Type: schema.TypeString,
Optional: true,
Default: route53resolver.FirewallDomainRedirectionActionInspectRedirectionDomain,
ValidateFunc: validation.StringInSlice(route53resolver.FirewallDomainRedirectionAction_Values(), false),
},
"firewall_rule_group_id": {
Type: schema.TypeString,
ForceNew: true,
Expand Down Expand Up @@ -95,12 +101,13 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met
ruleID := FirewallRuleCreateResourceID(firewallRuleGroupID, firewallDomainListID)
name := d.Get(names.AttrName).(string)
input := &route53resolver.CreateFirewallRuleInput{
Action: aws.String(d.Get(names.AttrAction).(string)),
CreatorRequestId: aws.String(id.PrefixedUniqueId("tf-r53-resolver-firewall-rule-")),
FirewallRuleGroupId: aws.String(firewallRuleGroupID),
FirewallDomainListId: aws.String(firewallDomainListID),
Name: aws.String(name),
Priority: aws.Int64(int64(d.Get(names.AttrPriority).(int))),
Action: aws.String(d.Get(names.AttrAction).(string)),
CreatorRequestId: aws.String(id.PrefixedUniqueId("tf-r53-resolver-firewall-rule-")),
FirewallRuleGroupId: aws.String(firewallRuleGroupID),
FirewallDomainListId: aws.String(firewallDomainListID),
FirewallDomainRedirectionAction: aws.String(d.Get("firewall_domain_redirection_action").(string)),
Name: aws.String(name),
Priority: aws.Int64(int64(d.Get(names.AttrPriority).(int))),
}

if v, ok := d.GetOk("block_override_dns_type"); ok {
Expand Down Expand Up @@ -159,6 +166,7 @@ func resourceFirewallRuleRead(ctx context.Context, d *schema.ResourceData, meta
d.Set("block_response", firewallRule.BlockResponse)
d.Set("firewall_rule_group_id", firewallRule.FirewallRuleGroupId)
d.Set("firewall_domain_list_id", firewallRule.FirewallDomainListId)
d.Set("firewall_domain_redirection_action", firewallRule.FirewallDomainRedirectionAction)
d.Set(names.AttrName, firewallRule.Name)
d.Set(names.AttrPriority, firewallRule.Priority)

Expand Down Expand Up @@ -199,6 +207,10 @@ func resourceFirewallRuleUpdate(ctx context.Context, d *schema.ResourceData, met
input.BlockResponse = aws.String(v.(string))
}

if v, ok := d.GetOk("firewall_domain_redirection_action"); ok {
input.FirewallDomainRedirectionAction = aws.String(v.(string))
}

_, err = conn.UpdateFirewallRuleWithContext(ctx, input)

if err != nil {
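Review bot: The new `firewall_domain_redirection_action` schema entry carries no comment on what the non-default value gives up: going by the enum names and the argument description added in this commit, `TRUST_REDIRECTION_DOMAIN` stops DNS Firewall from evaluating the CNAME/DNAME/ALIAS targets a name redirects to, so a domain this rule is meant to block can still be reached through a trusted redirection chain. A one-line comment on the field would make that visible to maintainers, e.g. `// TRUST_REDIRECTION_DOMAIN skips inspection of redirect (CNAME/DNAME/ALIAS) targets; keep the default unless the rule is intentionally permissive.`. In Read, `d.Set("firewall_domain_redirection_action", firewallRule.FirewallDomainRedirectionAction)` stores an empty string if the API ever returns a nil pointer for a rule created before this field existed, which combined with the schema Default would show up as a perpetual plan diff; if that can happen, fall back to `INSPECT_REDIRECTION_DOMAIN` when the pointer is nil. The user-facing argument description in the website docs of this commit should carry the same caveat, and it currently reads `ot ALIAS` for `or ALIAS`. ResourceFirewallRule, resourceFirewallRuleCreate, resourceFirewallRuleRead and resourceFirewallRuleUpdate all begin and end outside these hunks.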
59 changes: 59 additions & 0 deletions internal/service/route53resolver/firewall_rule_test.go
Expand Up @@ -39,6 +39,7 @@ func TestAccRoute53ResolverFirewallRule_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, names.AttrAction, "ALLOW"),
resource.TestCheckResourceAttrPair(resourceName, "firewall_rule_group_id", "aws_route53_resolver_firewall_rule_group.test", names.AttrID),
resource.TestCheckResourceAttrPair(resourceName, "firewall_domain_list_id", "aws_route53_resolver_firewall_domain_list.test", names.AttrID),
resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"),
resource.TestCheckResourceAttr(resourceName, names.AttrPriority, "100"),
),
},
Expand All @@ -51,6 +52,43 @@ func TestAccRoute53ResolverFirewallRule_basic(t *testing.T) {
})
}

func TestAccRoute53ResolverFirewallRule_update_firewallDomainRedirectionAction(t *testing.T) {
ctx := acctest.Context(t)
var v route53resolver.FirewallRule
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
resourceName := "aws_route53_resolver_firewall_rule.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.Route53ResolverServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckFirewallRuleDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccFirewallRuleConfig_basic(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckFirewallRuleExists(ctx, resourceName, &v),
resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccFirewallRuleConfig_firewallDomainRedirectionAction(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckFirewallRuleExists(ctx, resourceName, &v),
resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "TRUST_REDIRECTION_DOMAIN"),
),
},
},
})
}

func TestAccRoute53ResolverFirewallRule_block(t *testing.T) {
ctx := acctest.Context(t)
var v route53resolver.FirewallRule
Expand Down Expand Up @@ -221,6 +259,27 @@ resource "aws_route53_resolver_firewall_rule" "test" {
`, rName)
}

func testAccFirewallRuleConfig_firewallDomainRedirectionAction(rName string) string {
return fmt.Sprintf(`
resource "aws_route53_resolver_firewall_rule_group" "test" {
name = %[1]q
}
resource "aws_route53_resolver_firewall_domain_list" "test" {
name = %[1]q
}
resource "aws_route53_resolver_firewall_rule" "test" {
name = %[1]q
action = "ALLOW"
firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.test.id
firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.test.id
firewall_domain_redirection_action = "TRUST_REDIRECTION_DOMAIN"
priority = 100
}
`, rName)
}

func testAccFirewallRuleConfig_block(rName, blockResponse string) string {
return fmt.Sprintf(`
resource "aws_route53_resolver_firewall_rule_group" "test" {
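Review bot: TestAccRoute53ResolverFirewallRule_update_firewallDomainRedirectionAction only drives the attribute from the default to `TRUST_REDIRECTION_DOMAIN`; the reverse transition, the one that re-tightens a rule, never reaches resourceFirewallRuleUpdate, so a regression that stops sending the default back on update would still pass. Adding a final step that reapplies `testAccFirewallRuleConfig_basic(rName)` and asserts `INSPECT_REDIRECTION_DOMAIN` closes that gap. The field has no ForceNew, so the same step could also assert the rule was updated in place rather than recreated, if the acceptance helpers available in this package offer such a check. The test function is wholly inside this section; testAccFirewallRuleConfig_firewallDomainRedirectionAction also closes within it.
```go
		// … unchanged: basic step, import step, TRUST_REDIRECTION_DOMAIN step …
		{
			// Revert to the default so the Update path that re-enables inspection is exercised too.
			Config: testAccFirewallRuleConfig_basic(rName),
			Check: resource.ComposeTestCheckFunc(
				testAccCheckFirewallRuleExists(ctx, resourceName, &v),
				resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
				resource.TestCheckResourceAttr(resourceName, "firewall_domain_redirection_action", "INSPECT_REDIRECTION_DOMAIN"),
			),
		},
```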
Expand Up @@ -48,6 +48,7 @@ This resource supports the following arguments:
* `block_override_ttl` - (Required if `block_response` is `OVERRIDE`) The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Minimum value of 0. Maximum value of 604800.
* `block_response` - (Required if `action` is `BLOCK`) The way that you want DNS Firewall to block the request. Valid values: `NODATA`, `NXDOMAIN`, `OVERRIDE`.
* `firewall_domain_list_id` - (Required) The ID of the domain list that you want to use in the rule.
* `firewall_domain_redirection_action` - (Optional) Evaluate DNS redirection in the DNS redirection chain, such as CNAME, DNAME, ot ALIAS. Valid values are `INSPECT_REDIRECTION_DOMAIN` and `TRUST_REDIRECTION_DOMAIN`. Default value is `INSPECT_REDIRECTION_DOMAIN`.
* `firewall_rule_group_id` - (Required) The unique identifier of the firewall rule group where you want to create the rule.
* `priority` - (Required) The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

