From c26d46d7de4fe3c3401ec17f6ed7bd6f95e64638 Mon Sep 17 00:00:00 2001
From: Gareth Oakley
Date: Tue, 6 Apr 2021 18:13:09 +0100
Subject: [PATCH 1/5] resource/aws_route53_resolver_firewall_config: Add new resource
---
 .../service/route53resolver/finder/finder.go | 29 +++
 aws/provider.go | 1 +
 ...ce_aws_route53_resolver_firewall_config.go | 129 +++++++++++++
 ...s_route53_resolver_firewall_config_test.go | 174 ++++++++++++++++++
 .../route53_resolver_firewall_config.markdown | 48 +++++
 5 files changed, 381 insertions(+)
 create mode 100644 aws/resource_aws_route53_resolver_firewall_config.go
 create mode 100644 aws/resource_aws_route53_resolver_firewall_config_test.go
 create mode 100644 website/docs/r/route53_resolver_firewall_config.markdown
diff --git a/aws/internal/service/route53resolver/finder/finder.go b/aws/internal/service/route53resolver/finder/finder.go
index 59286ec207d..50165183796 100644
--- a/aws/internal/service/route53resolver/finder/finder.go
+++ b/aws/internal/service/route53resolver/finder/finder.go
@@ -116,6 +116,35 @@ func FirewallDomainListByID(conn *route53resolver.Route53Resolver, firewallDomai return output.FirewallDomainList, nil } +// FirewallConfigByID returns the dnssec configuration corresponding to the specified ID. +// Returns nil if no configuration is found. +func FirewallConfigByID(conn *route53resolver.Route53Resolver, firewallConfigID string) (*route53resolver.FirewallConfig, error) { + input := &route53resolver.ListFirewallConfigsInput{} + + var config *route53resolver.FirewallConfig + // GetFirewallConfigs does not support query with id + err := conn.ListFirewallConfigsPages(input, func(page *route53resolver.ListFirewallConfigsOutput, lastPage bool) bool { + if page == nil { + return !lastPage + } + + for _, c := range page.FirewallConfigs { + if aws.StringValue(c.Id) == firewallConfigID { + config = c + return false + } + } + + return !lastPage + }) + + if err != nil { + return nil, err + } + + return config, nil +} + // FirewallRuleByID returns the DNS Firewall rule corresponding to the specified rule group and domain list IDs. // Returns nil if no DNS Firewall rule is found. func FirewallRuleByID(conn *route53resolver.Route53Resolver, firewallRuleId string) (*route53resolver.FirewallRule, error) { diff --git a/aws/provider.go b/aws/provider.go index 55715b6f977..09bb2c0de5d 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -963,6 +963,7 @@ func Provider() *schema.Provider { "aws_route53_health_check": resourceAwsRoute53HealthCheck(), "aws_route53_resolver_dnssec_config": resourceAwsRoute53ResolverDnssecConfig(), "aws_route53_resolver_endpoint": resourceAwsRoute53ResolverEndpoint(), + "aws_route53_resolver_firewall_config": resourceAwsRoute53ResolverFirewallConfig(), "aws_route53_resolver_firewall_domain_list": resourceAwsRoute53ResolverFirewallDomainList(), "aws_route53_resolver_firewall_rule": resourceAwsRoute53ResolverFirewallRule(), "aws_route53_resolver_firewall_rule_group": resourceAwsRoute53ResolverFirewallRuleGroup(), 
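Review bot: The doc comment on `FirewallConfigByID` describes "the dnssec configuration", a leftover from the DNSSEC finder; the function pages through DNS Firewall configurations, so the first line should read `// FirewallConfigByID returns the DNS Firewall configuration corresponding to the specified ID.` The same stale wording survives as a context line in the PATCH 5/5 finder hunk at line 14, which rewrites only the second comment line. The inline comment `// GetFirewallConfigs does not support query with id` names an API that is not what is called below; if the point is that the per-VPC `GetFirewallConfig` call (which appears to take a `ResourceId`) cannot serve a lookup keyed by the config's own `Id`, saying that would save the next reader the check, and it would also make explicit that every Read walks all pages of `ListFirewallConfigs`, i.e. one list call per page of VPCs in the account.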
diff --git a/aws/resource_aws_route53_resolver_firewall_config.go b/aws/resource_aws_route53_resolver_firewall_config.go new file mode 100644 index 00000000000..d05d3b3ff78 --- /dev/null +++ b/aws/resource_aws_route53_resolver_firewall_config.go 
@@ -0,0 +1,129 @@ +package aws + +import ( + "fmt" + "log" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/route53resolver" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/finder" +) + +func resourceAwsRoute53ResolverFirewallConfig() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsRoute53ResolverFirewallConfigCreate, + Read: resourceAwsRoute53ResolverFirewallConfigRead, + Delete: resourceAwsRoute53ResolverFirewallConfigDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: map[string]*schema.Schema{ + "id": { + Type: schema.TypeString, + Computed: true, + }, + + "owner_id": { + Type: schema.TypeString, + Computed: true, + }, + + "resource_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + + "firewall_fail_open": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ValidateFunc: validation.StringInSlice(route53resolver.FirewallFailOpenStatus_Values(), false), + }, + }, + } +} + +func resourceAwsRoute53ResolverFirewallConfigCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).route53resolverconn + + input := &route53resolver.UpdateFirewallConfigInput{ + ResourceId: aws.String(d.Get("resource_id").(string)), + } + + if v, ok := d.GetOk("firewall_fail_open"); ok { + input.FirewallFailOpen = aws.String(v.(string)) + } + + log.Printf("[DEBUG] Creating Route 53 Resolver DNS Firewall config: %#v", input) + output, err := conn.UpdateFirewallConfig(input) + if err != nil { + return fmt.Errorf("error creating Route 53 Resolver DNS Firewall config: %w", err) + } + + d.SetId(aws.StringValue(output.FirewallConfig.Id)) + + return resourceAwsRoute53ResolverFirewallConfigRead(d, meta) +} + +func resourceAwsRoute53ResolverFirewallConfigRead(d 
*schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).route53resolverconn + + config, err := finder.FirewallConfigByID(conn, d.Id()) + + if err != nil { + return fmt.Errorf("error getting Route 53 Resolver DNS Firewall config (%s): %w", d.Id(), err) + } + + if config == nil { + log.Printf("[WARN] Route 53 Resolver DNS Firewall config (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + + d.Set("id", config.Id) + d.Set("owner_id", config.OwnerId) + d.Set("resource_id", config.ResourceId) + d.Set("firewall_fail_open", config.FirewallFailOpen) + + return nil +} + +func resourceAwsRoute53ResolverFirewallConfigUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).route53resolverconn + + input := &route53resolver.UpdateFirewallConfigInput{ + ResourceId: aws.String(d.Get("resource_id").(string)), + } + + if v, ok := d.GetOk("firewall_fail_open"); ok { + input.FirewallFailOpen = aws.String(v.(string)) + } + + log.Printf("[DEBUG] Updating Route 53 Resolver DNS Firewall config: %#v", input) + _, err := conn.UpdateFirewallConfig(input) + if err != nil { + return fmt.Errorf("error creating Route 53 Resolver DNS Firewall config: %w", err) + } + + return resourceAwsRoute53ResolverFirewallConfigRead(d, meta) +} + +func resourceAwsRoute53ResolverFirewallConfigDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).route53resolverconn + + log.Printf("[DEBUG] Deleting Route 53 Resolver DNS Firewall config") + _, err := conn.UpdateFirewallConfig(&route53resolver.UpdateFirewallConfigInput{ + ResourceId: aws.String(d.Get("resource_id").(string)), + FirewallFailOpen: aws.String(route53resolver.FirewallFailOpenStatusDisabled), + }) + + if err != nil { + return fmt.Errorf("error deleting Route 53 Resolver DNS Firewall config (%s): %w", d.Id(), err) + } + + return nil +} 
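Review bot: `resourceAwsRoute53ResolverFirewallConfigUpdate` wraps its failure as `error creating Route 53 Resolver DNS Firewall config`, copied from Create; it should read `return fmt.Errorf("error updating Route 53 Resolver DNS Firewall config (%s): %w", d.Id(), err)` so a failed update is distinguishable from a failed create in logs. In Create, when `firewall_fail_open` is omitted the request goes out with `FirewallFailOpen` nil; the SDK appears to mark that field as required, so the call would fail client-side validation rather than apply a default, and the markdown added in this series documents the argument as Required while the schema declares it Optional+Computed — the two should agree, and making it Required is the simpler fix. Delete deserves a comment that it removes nothing but resets the VPC to `FirewallFailOpenStatusDisabled`, i.e. fail-closed, the service's secure default, e.g. `// A firewall config cannot be deleted; destroying the resource restores the fail-closed default.`, and its `[DEBUG] Deleting` log line should carry the config ID like the other log lines do.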
diff --git a/aws/resource_aws_route53_resolver_firewall_config_test.go b/aws/resource_aws_route53_resolver_firewall_config_test.go new file mode 100644 index 00000000000..68bb9e6a79c --- /dev/null +++ b/aws/resource_aws_route53_resolver_firewall_config_test.go 
@@ -0,0 +1,174 @@ +package aws + +import ( + "fmt" + "log" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/route53resolver" + "github.com/hashicorp/go-multierror" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/finder" +) + +func init() { + resource.AddTestSweepers("aws_route53_resolver_firewall_config", &resource.Sweeper{ + Name: "aws_route53_resolver_firewall_config", + F: testSweepRoute53ResolverFirewallConfigs, + Dependencies: []string{ + "aws_route53_resolver_firewall_config_association", + }, + }) +} + +func testSweepRoute53ResolverFirewallConfigs(region string) error { + client, err := sharedClientForRegion(region) + if err != nil { + return fmt.Errorf("error getting client: %s", err) + } + conn := client.(*AWSClient).route53resolverconn + var sweeperErrs *multierror.Error + + err = conn.ListFirewallConfigsPages(&route53resolver.ListFirewallConfigsInput{}, func(page *route53resolver.ListFirewallConfigsOutput, isLast bool) bool { + if page == nil { + return !isLast + } + + for _, firewallRuleGroup := range page.FirewallConfigs { + id := aws.StringValue(firewallRuleGroup.Id) + + log.Printf("[INFO] Deleting Route53 Resolver DNS Firewall config: %s", id) + r := resourceAwsRoute53ResolverFirewallConfig() + d := r.Data(nil) + d.SetId(id) + err := r.Delete(d, client) + + if err != nil { + log.Printf("[ERROR] %s", err) + sweeperErrs = multierror.Append(sweeperErrs, err) + continue + } + } + + return !isLast + }) + if testSweepSkipSweepError(err) { + log.Printf("[WARN] Skipping Route53 Resolver DNS Firewall configs sweep for %s: %s", region, err) + return sweeperErrs.ErrorOrNil() // In case we have completed some pages, but had errors + } + if err != nil { + sweeperErrs = multierror.Append(sweeperErrs, fmt.Errorf("error retrieving Route53 Resolver DNS Firewall 
configs: %w", err)) + } + + return sweeperErrs.ErrorOrNil() +} + +func TestAccAWSRoute53ResolverFirewallConfig_basic(t *testing.T) { + var v route53resolver.FirewallConfig + resourceName := "aws_route53_resolver_firewall_config.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSRoute53Resolver(t) }, + ErrorCheck: testAccErrorCheck(t, route53resolver.EndpointsID), + Providers: testAccProviders, + CheckDestroy: testAccCheckRoute53ResolverFirewallConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRoute53ResolverFirewallConfigConfig(), + Check: resource.ComposeTestCheckFunc( + testAccCheckRoute53ResolverFirewallConfigExists(resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "firewall_fail_open", "ENABLED"), + testAccCheckResourceAttrAccountID(resourceName, "owner_id"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSRoute53ResolverFirewallConfig_disappears(t *testing.T) { + var v route53resolver.FirewallConfig + resourceName := "aws_route53_resolver_firewall_config.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSRoute53Resolver(t) }, + ErrorCheck: testAccErrorCheck(t, route53resolver.EndpointsID), + Providers: testAccProviders, + CheckDestroy: testAccCheckRoute53ResolverFirewallConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRoute53ResolverFirewallConfigConfig(), + Check: resource.ComposeTestCheckFunc( + testAccCheckRoute53ResolverFirewallConfigExists(resourceName, &v), + testAccCheckResourceDisappears(testAccProvider, resourceAwsRoute53ResolverFirewallConfig(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func testAccCheckRoute53ResolverFirewallConfigDestroy(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).route53resolverconn + + for _, rs := range 
s.RootModule().Resources { + if rs.Type != "aws_route53_resolver_firewall_config" { + continue + } + + // Try to find the resource + _, err := finder.FirewallConfigByID(conn, rs.Primary.ID) + // Verify the error is what we want + if isAWSErr(err, route53resolver.ErrCodeResourceNotFoundException, "") { + continue + } + if err != nil { + return err + } + return fmt.Errorf("Route 53 Resolver DNS Firewall config still exists: %s", rs.Primary.ID) + } + + return nil +} + +func testAccCheckRoute53ResolverFirewallConfigExists(n string, v *route53resolver.FirewallConfig) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No Route 53 Resolver DNS Firewall config ID is set") + } + + conn := testAccProvider.Meta().(*AWSClient).route53resolverconn + out, err := finder.FirewallConfigByID(conn, rs.Primary.ID) + if err != nil { + return err + } + + *v = *out + + return nil + } +} + +func testAccRoute53ResolverFirewallConfigConfig() string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_route53_resolver_firewall_config" "test" { + resource_id = aws_vpc.test.id + firewall_fail_open = "ENABLED" +} +`) +} diff --git a/website/docs/r/route53_resolver_firewall_config.markdown b/website/docs/r/route53_resolver_firewall_config.markdown new file mode 100644 index 00000000000..fb152728daa --- /dev/null +++ b/website/docs/r/route53_resolver_firewall_config.markdown 
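Review bot: The sweeper in `testSweepRoute53ResolverFirewallConfigs` only calls `d.SetId(id)` before `r.Delete(d, client)`, but Delete builds its request from `d.Get("resource_id")`, so every swept config is sent with an empty `ResourceId` and the sweep cannot succeed; add `d.Set("resource_id", firewallRuleGroup.ResourceId)` next to the `SetId`, and renaming the loop variable from `firewallRuleGroup` to `firewallConfig` would match what it actually holds. The sweeper's `Dependencies` names `aws_route53_resolver_firewall_config_association`, which is not registered anywhere on this page; if no sweeper by that name exists the entry is at best a no-op and, depending on the framework version, may abort the sweep, so it is worth confirming or dropping.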
@@ -0,0 +1,48 @@ +--- +subcategory: "Route53 Resolver" +layout: "aws" +page_title: "AWS: aws_route53_resolver_firewall_config" +description: |- + Provides a Route 53 Resolver DNS Firewall config resource. +--- + +# Resource: aws_route53_resolver_firewall_config + +Provides a Route 53 Resolver DNS Firewall config resource. + +## Example Usage + +```terraform +resource "aws_vpc" "example" { + cidr_block = "10.0.0.0/16" + enable_dns_support = true + enable_dns_hostnames = true +} + +resource "aws_route53_resolver_firewall_config" "example" { + resource_id = aws_vpc.example.id + firewall_fail_open = "ENABLED" +} +``` + +## Argument Reference + +The following argument is supported: + +* `resource_id` - (Required) The ID of the VPC that the configuration is for. +* `firewall_fail_open` - (Required) Determines how Route 53 Resolver handles queries during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply. By default, fail open is disabled, which means the failure mode is closed. This approach favors security over availability. DNS Firewall blocks queries that it is unable to evaluate properly. If you enable this option, the failure mode is open. This approach favors availability over security. DNS Firewall allows queries to proceed if it is unable to properly evaluate them. Valid values: `ENABLED`, `DISABLED`. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The ID of the firewall configuration. +* `owner_id` - The AWS account ID of the owner of the VPC that this firewall configuration applies to. + +## Import + +Route 53 Resolver DNS Firewall configs can be imported using the Route 53 Resolver DNS Firewall config ID, e.g. + +``` +$ terraform import aws_route53_resolver_firewall_config.example rdsc-be1866ecc1683e95 +``` From 05a8bcb99da087660cdca9c00564533dc160c04d Mon Sep 17 00:00:00 2001 
From: Gareth Oakley Date: Wed, 21 Apr 2021 20:37:59 +0100 Subject: [PATCH 2/5] resource/aws_route53_resolver_firewall_config: Address review comments --- .changelog/18733.txt | 3 +++ aws/resource_aws_route53_resolver_firewall_config.go | 6 ------ aws/resource_aws_route53_resolver_firewall_config_test.go | 4 ++-- 3 files changed, 5 insertions(+), 8 deletions(-) create mode 100644 .changelog/18733.txt diff --git a/.changelog/18733.txt b/.changelog/18733.txt new file mode 100644 index 00000000000..d75f326a0c9 --- /dev/null +++ b/.changelog/18733.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +aws_route53_resolver_firewall_config +``` \ No newline at end of file diff --git a/aws/resource_aws_route53_resolver_firewall_config.go b/aws/resource_aws_route53_resolver_firewall_config.go index d05d3b3ff78..8e2183af4f0 100644 --- a/aws/resource_aws_route53_resolver_firewall_config.go +++ b/aws/resource_aws_route53_resolver_firewall_config.go @@ -21,11 +21,6 @@ func resourceAwsRoute53ResolverFirewallConfig() *schema.Resource { }, Schema: map[string]*schema.Schema{ - "id": { - Type: schema.TypeString, - Computed: true, - }, - "owner_id": { Type: schema.TypeString, Computed: true, @@ -84,7 +79,6 @@ func resourceAwsRoute53ResolverFirewallConfigRead(d *schema.ResourceData, meta i return nil } - d.Set("id", config.Id) d.Set("owner_id", config.OwnerId) d.Set("resource_id", config.ResourceId) d.Set("firewall_fail_open", config.FirewallFailOpen) diff --git a/aws/resource_aws_route53_resolver_firewall_config_test.go b/aws/resource_aws_route53_resolver_firewall_config_test.go index 68bb9e6a79c..f82e90c7f1d 100644 --- a/aws/resource_aws_route53_resolver_firewall_config_test.go +++ b/aws/resource_aws_route53_resolver_firewall_config_test.go 
@@ -31,9 +31,9 @@ func testSweepRoute53ResolverFirewallConfigs(region string) error {
 conn := client.(*AWSClient).route53resolverconn
 var sweeperErrs *multierror.Error
- err = conn.ListFirewallConfigsPages(&route53resolver.ListFirewallConfigsInput{}, func(page *route53resolver.ListFirewallConfigsOutput, isLast bool) bool {
+ err = conn.ListFirewallConfigsPages(&route53resolver.ListFirewallConfigsInput{}, func(page *route53resolver.ListFirewallConfigsOutput, lastPage bool) bool {
 if page == nil {
- return !isLast
+ return !lastPage
 }
 for _, firewallRuleGroup := range page.FirewallConfigs {
From 60a450d9237a4863d538029271fe82112d9bd6e2 Mon Sep 17 00:00:00 2001
From: Gareth Oakley
Date: Tue, 27 Apr 2021 19:56:29 +0100
Subject: [PATCH 3/5] resource/aws_route53_resolver_firewall_config: Address review comments II
---
 aws/resource_aws_route53_resolver_firewall_config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/resource_aws_route53_resolver_firewall_config_test.go b/aws/resource_aws_route53_resolver_firewall_config_test.go
index f82e90c7f1d..bb849eb6b0d 100644
--- a/aws/resource_aws_route53_resolver_firewall_config_test.go
+++ b/aws/resource_aws_route53_resolver_firewall_config_test.go
@@ -52,7 +52,7 @@ func testSweepRoute53ResolverFirewallConfigs(region string) error {
 }
 }
- return !isLast
+ return !lastPage
 })
 if testSweepSkipSweepError(err) {
 log.Printf("[WARN] Skipping Route53 Resolver DNS Firewall configs sweep for %s: %s", region, err)
From 7c56752b204a763b8109ebb25fd45fc94400ef20 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Tue, 15 Jun 2021 17:03:49 -0400
Subject: [PATCH 4/5] r/aws_route53_resolver_firewall_config: Reference 'resourceAwsRoute53ResolverFirewallConfigUpdate'.
---
 aws/resource_aws_route53_resolver_firewall_config.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aws/resource_aws_route53_resolver_firewall_config.go b/aws/resource_aws_route53_resolver_firewall_config.go
index 8e2183af4f0..88c3a133aee 100644
--- a/aws/resource_aws_route53_resolver_firewall_config.go
+++ b/aws/resource_aws_route53_resolver_firewall_config.go
@@ -15,6 +15,7 @@ func resourceAwsRoute53ResolverFirewallConfig() *schema.Resource {
 return &schema.Resource{
 Create: resourceAwsRoute53ResolverFirewallConfigCreate,
 Read: resourceAwsRoute53ResolverFirewallConfigRead,
+ Update: resourceAwsRoute53ResolverFirewallConfigUpdate,
 Delete: resourceAwsRoute53ResolverFirewallConfigDelete,
 Importer: &schema.ResourceImporter{
 State: schema.ImportStatePassthrough,
From a45c360a5da92c24e5a42b217778db7c003ef7c2 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Wed, 16 Jun 2021 09:38:28 -0400
Subject: [PATCH 5/5] r/aws_route53_resolver_firewall_config: Tweak 'testAccCheckRoute53ResolverFirewallConfigDestroy'.
---
 .../service/route53resolver/finder/finder.go | 7 ++++-
 ...ce_aws_route53_resolver_firewall_config.go | 11 ++++---
 ...s_route53_resolver_firewall_config_test.go | 31 ++++++++++++++-----
 3 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/aws/internal/service/route53resolver/finder/finder.go b/aws/internal/service/route53resolver/finder/finder.go
index 50165183796..63e030eaeca 100644
--- a/aws/internal/service/route53resolver/finder/finder.go
+++ b/aws/internal/service/route53resolver/finder/finder.go
@@ -3,6 +3,7 @@ package finder
 import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/route53resolver"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 tfroute53resolver "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver"
 )
@@ -117,7 +118,7 @@ func FirewallDomainListByID(conn *route53resolver.Route53Resolver, firewallDomai
 }
 // FirewallConfigByID returns the dnssec configuration corresponding to the specified ID.
-// Returns nil if no configuration is found.
+// Returns NotFoundError if no configuration is found.
 func FirewallConfigByID(conn *route53resolver.Route53Resolver, firewallConfigID string) (*route53resolver.FirewallConfig, error) {
 input := &route53resolver.ListFirewallConfigsInput{}
@@ -142,6 +143,10 @@ func FirewallConfigByID(conn *route53resolver.Route53Resolver, firewallConfigID
 return nil, err
 }
+ if config == nil {
+ return nil, &resource.NotFoundError{}
+ }
+
 return config, nil
 }
diff --git a/aws/resource_aws_route53_resolver_firewall_config.go b/aws/resource_aws_route53_resolver_firewall_config.go
index 88c3a133aee..0b51b59d49b 100644
--- a/aws/resource_aws_route53_resolver_firewall_config.go
+++ b/aws/resource_aws_route53_resolver_firewall_config.go
@@ -9,6 +9,7 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/finder"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/tfresource"
 )
 func resourceAwsRoute53ResolverFirewallConfig() *schema.Resource {
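Review bot: The not-found path added to `FirewallConfigByID` returns a bare `&resource.NotFoundError{}`, so the error a caller surfaces carries neither the request that was made nor the ID that was searched for, and the wrapped message the Read produces will be the generic "couldn't find resource". The usual finder pattern attaches the request, `return nil, &resource.NotFoundError{LastRequest: input}`, and setting `Message` to name `firewallConfigID` would make the failure self-explanatory in logs. The body of `FirewallConfigByID` between the two hunks is outside this view.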
@@ -70,16 +71,16 @@ func resourceAwsRoute53ResolverFirewallConfigRead(d *schema.ResourceData, meta i config, err := finder.FirewallConfigByID(conn, d.Id()) - if err != nil { - return fmt.Errorf("error getting Route 53 Resolver DNS Firewall config (%s): %w", d.Id(), err) - } - - if config == nil { + if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] Route 53 Resolver DNS Firewall config (%s) not found, removing from state", d.Id()) d.SetId("") return nil } + if err != nil { + return fmt.Errorf("error getting Route 53 Resolver DNS Firewall config (%s): %w", d.Id(), err) + } + d.Set("owner_id", config.OwnerId) d.Set("resource_id", config.ResourceId) d.Set("firewall_fail_open", config.FirewallFailOpen) diff --git a/aws/resource_aws_route53_resolver_firewall_config_test.go b/aws/resource_aws_route53_resolver_firewall_config_test.go index bb849eb6b0d..3e84162227b 100644 --- a/aws/resource_aws_route53_resolver_firewall_config_test.go +++ b/aws/resource_aws_route53_resolver_firewall_config_test.go @@ -8,9 +8,11 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/route53resolver" "github.com/hashicorp/go-multierror" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/route53resolver/finder" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/tfresource" ) func init() { @@ -68,6 +70,7 @@ func testSweepRoute53ResolverFirewallConfigs(region string) error { func TestAccAWSRoute53ResolverFirewallConfig_basic(t *testing.T) { var v route53resolver.FirewallConfig resourceName := "aws_route53_resolver_firewall_config.test" + rName := acctest.RandomWithPrefix("tf-acc-test") resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSRoute53Resolver(t) }, 
@@ -76,7 +79,7 @@ func TestAccAWSRoute53ResolverFirewallConfig_basic(t *testing.T) { CheckDestroy: testAccCheckRoute53ResolverFirewallConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccRoute53ResolverFirewallConfigConfig(), + Config: testAccRoute53ResolverFirewallConfigConfig(rName), Check: resource.ComposeTestCheckFunc( testAccCheckRoute53ResolverFirewallConfigExists(resourceName, &v), resource.TestCheckResourceAttr(resourceName, "firewall_fail_open", "ENABLED"), @@ -95,6 +98,7 @@ func TestAccAWSRoute53ResolverFirewallConfig_basic(t *testing.T) { func TestAccAWSRoute53ResolverFirewallConfig_disappears(t *testing.T) { var v route53resolver.FirewallConfig resourceName := "aws_route53_resolver_firewall_config.test" + rName := acctest.RandomWithPrefix("tf-acc-test") resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSRoute53Resolver(t) }, @@ -103,7 +107,7 @@ func TestAccAWSRoute53ResolverFirewallConfig_disappears(t *testing.T) { CheckDestroy: testAccCheckRoute53ResolverFirewallConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccRoute53ResolverFirewallConfigConfig(), + Config: testAccRoute53ResolverFirewallConfigConfig(rName), Check: resource.ComposeTestCheckFunc( testAccCheckRoute53ResolverFirewallConfigExists(resourceName, &v), testAccCheckResourceDisappears(testAccProvider, resourceAwsRoute53ResolverFirewallConfig(), resourceName), 
@@ -122,15 +126,20 @@ func testAccCheckRoute53ResolverFirewallConfigDestroy(s *terraform.State) error continue } - // Try to find the resource - _, err := finder.FirewallConfigByID(conn, rs.Primary.ID) - // Verify the error is what we want - if isAWSErr(err, route53resolver.ErrCodeResourceNotFoundException, "") { + config, err := finder.FirewallConfigByID(conn, rs.Primary.ID) + + if tfresource.NotFound(err) { continue } + if err != nil { return err } + + if aws.StringValue(config.FirewallFailOpen) == route53resolver.FirewallFailOpenStatusDisabled { + return nil + } + return fmt.Errorf("Route 53 Resolver DNS Firewall config still exists: %s", rs.Primary.ID) } @@ -149,7 +158,9 @@ func testAccCheckRoute53ResolverFirewallConfigExists(n string, v *route53resolve } conn := testAccProvider.Meta().(*AWSClient).route53resolverconn + out, err := finder.FirewallConfigByID(conn, rs.Primary.ID) + if err != nil { return err } @@ -160,15 +171,19 @@ func testAccCheckRoute53ResolverFirewallConfigExists(n string, v *route53resolve } } -func testAccRoute53ResolverFirewallConfigConfig() string { +func testAccRoute53ResolverFirewallConfigConfig(rName string) string { return fmt.Sprintf(` resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" + + tags = { + Name = %[1]q + } } resource "aws_route53_resolver_firewall_config" "test" { resource_id = aws_vpc.test.id firewall_fail_open = "ENABLED" } -`) +`, rName) }
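Review bot: In `testAccCheckRoute53ResolverFirewallConfigDestroy` the new branch `if aws.StringValue(config.FirewallFailOpen) == route53resolver.FirewallFailOpenStatusDisabled { return nil }` ends the whole check at the first resource that has been reset, so any further `aws_route53_resolver_firewall_config` entries in the state are never inspected; it should `continue` like the not-found branch above it. A one-line comment on that branch would also help, since it encodes this resource's non-obvious destroy semantics: `// A firewall config persists with its VPC; destroy is verified as fail-open being back at DISABLED.` The opening lines of the enclosing function are outside this hunk.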