hashicorp · ewbankkit · Jun 24, 2024 · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_route53_resolver_firewall_rule: Add `q_type` argument
+```
@@ -439,7 +439,7 @@ func findSecurityGroupByDescriptionAndVPCID(ctx context.Context, conn *ec2.EC2,
 	input := &ec2.DescribeSecurityGroupsInput{
 		Filters: newAttributeFilterList(
 			map[string]string{
-				names.AttrDescription: description,
+				"description": description, // nosemgrep:ci.literal-description-string-constant
 				"vpc-id":      vpcID,
 			},
 		),

@@ -88,6 +88,10 @@ func ResourceFirewallRule() *schema.Resource {
 				Type:     schema.TypeInt,
 				Required: true,
 			},
+			"q_type": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 	}
 }
@@ -126,6 +130,10 @@ func resourceFirewallRuleCreate(ctx context.Context, d *schema.ResourceData, met
 		input.BlockResponse = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("q_type"); ok {
+		input.Qtype = aws.String(v.(string))
+	}
+
 	_, err := conn.CreateFirewallRuleWithContext(ctx, input)
 
 	if err != nil {
@@ -169,6 +177,7 @@ func resourceFirewallRuleRead(ctx context.Context, d *schema.ResourceData, meta
 	d.Set("firewall_domain_redirection_action", firewallRule.FirewallDomainRedirectionAction)
 	d.Set(names.AttrName, firewallRule.Name)
 	d.Set(names.AttrPriority, firewallRule.Priority)
+	d.Set("q_type", firewallRule.Qtype)
 
 	return diags
 }
@@ -211,6 +220,10 @@ func resourceFirewallRuleUpdate(ctx context.Context, d *schema.ResourceData, met
 		input.FirewallDomainRedirectionAction = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("q_type"); ok {
+		input.Qtype = aws.String(v.(string))
+	}
+
 	_, err = conn.UpdateFirewallRuleWithContext(ctx, input)
 
 	if err != nil {
@@ -230,11 +243,17 @@ func resourceFirewallRuleDelete(ctx context.Context, d *schema.ResourceData, met
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
-	log.Printf("[DEBUG] Deleting Route53 Resolver Firewall Rule: %s", d.Id())
-	_, err = conn.DeleteFirewallRuleWithContext(ctx, &route53resolver.DeleteFirewallRuleInput{
+	input := &route53resolver.DeleteFirewallRuleInput{
 		FirewallDomainListId: aws.String(firewallDomainListID),
 		FirewallRuleGroupId:  aws.String(firewallRuleGroupID),
-	})
+	}
+
+	if v, ok := d.GetOk("q_type"); ok {
+		input.Qtype = aws.String(v.(string))
+	}
+
+	log.Printf("[DEBUG] Deleting Route53 Resolver Firewall Rule: %s", d.Id())
+	_, err = conn.DeleteFirewallRuleWithContext(ctx, input)
 
 	if tfawserr.ErrCodeEquals(err, route53resolver.ErrCodeResourceNotFoundException) {
 		return diags

@@ -152,6 +152,39 @@ func TestAccRoute53ResolverFirewallRule_blockOverride(t *testing.T) {
 	})
 }
 
+func TestAccRoute53ResolverFirewallRule_qType(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v route53resolver.FirewallRule
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_route53_resolver_firewall_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.Route53ResolverServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckFirewallRuleDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccFirewallRuleConfig_qType(rName, "A"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckFirewallRuleExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
+					resource.TestCheckResourceAttr(resourceName, names.AttrAction, "ALLOW"),
+					resource.TestCheckResourceAttrPair(resourceName, "firewall_rule_group_id", "aws_route53_resolver_firewall_rule_group.test", names.AttrID),
+					resource.TestCheckResourceAttrPair(resourceName, "firewall_domain_list_id", "aws_route53_resolver_firewall_domain_list.test", names.AttrID),
+					resource.TestCheckResourceAttr(resourceName, names.AttrPriority, "100"),
+					resource.TestCheckResourceAttr(resourceName, "q_type", "A"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccRoute53ResolverFirewallRule_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v route53resolver.FirewallRule
@@ -324,3 +357,24 @@ resource "aws_route53_resolver_firewall_rule" "test" {
 }
 `, rName)
 }
+
+func testAccFirewallRuleConfig_qType(rName, qType string) string {
+	return fmt.Sprintf(`
+resource "aws_route53_resolver_firewall_rule_group" "test" {
+  name = %[1]q
+}
+
+resource "aws_route53_resolver_firewall_domain_list" "test" {
+  name = %[1]q
+}
+
+resource "aws_route53_resolver_firewall_rule" "test" {
+  name                    = %[1]q
+  action                  = "ALLOW"
+  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.test.id
+  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.test.id
+  priority                = 100
+  q_type                  = %[2]q
+}
+`, rName, qType)
+}
@@ -51,6 +51,7 @@ This resource supports the following arguments:
 * `firewall_domain_redirection_action` - (Optional) Evaluate DNS redirection in the DNS redirection chain, such as CNAME, DNAME, ot ALIAS. Valid values are `INSPECT_REDIRECTION_DOMAIN` and `TRUST_REDIRECTION_DOMAIN`. Default value is `INSPECT_REDIRECTION_DOMAIN`.
 * `firewall_rule_group_id` - (Required) The unique identifier of the firewall rule group where you want to create the rule.
 * `priority` - (Required) The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
+* `q_type` - (Optional) The query type you want the rule to evaluate. Additional details can be found [here](https://en.wikipedia.org/wiki/List_of_DNS_record_types)
 
 ## Attribute Reference