hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Feature request: Route 53 Resolver DNS Firewall #18520

Closed gazoakley closed 3 years ago

gazoakley commented 3 years ago

Description

Amazon Route 53 Resolver DNS Firewall (DNS Firewall) enables you to defend against DNS-level threats. With DNS Firewall, you can protect against data exfiltration attempts by defining domain name allowlists that allow resources within your Amazon Virtual Private Cloud (VPC) to make outbound DNS requests only for the sites your organization trusts.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_route53_resolver_firewall_domain_list" "example" {
  name    = "example"
  domains = ["example.com"]
  tags    = {}
}

resource "aws_route53_resolver_firewall_rule_group" "example" {
  name = "example"
  tags = {}
}

resource "aws_route53_resolver_firewall_rule" "example" {
  name                    = "example"
  action                  = "BLOCK"
  block_override_dns_type = "CNAME"
  block_override_domain   = "example.com"
  block_override_ttl      = 1
  block_response          = "OVERRIDE"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.example.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.example.id
  priority                = 100
}

resource "aws_route53_resolver_firewall_rule_group_association" "example" {
  name                   = "example"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.example.id
  priority               = 100
  mutation_protection    = "DISABLED"
  tags                   = {}
  vpc_id                 = aws_vpc.example.id
}

resource "aws_route53_resolver_firewall_config" "example" {
  firewall_fail_open = "ENABLED"
  resource_id        = aws_vpc.example.id
}

References
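The description above mentions the allowlist use case (only let resources in the VPC resolve domains the organization trusts). The proposed configuration shows a single BLOCK rule, so here is an added example, written by the editor and not taken from the issue or the provider's own documentation, of how the same proposed resources express an allowlist: an ALLOW rule for trusted domains evaluated first, then a BLOCK rule over a catch-all domain list, with the firewall set to fail closed. It assumes the VPC id is passed in as `var.vpc_id`, the trusted domain names are constructed sample values, and the `*` entry relies on the DNS Firewall domain-list wildcard matching every domain name.

```hcl
# Added example (not from the original issue). Assumes var.vpc_id is supplied
# by the caller and that a provider version shipping these resources is in use.

variable "vpc_id" {
  description = "VPC whose outbound DNS queries should be filtered (assumed input)"
  type        = string
}

# Domains the organization trusts (constructed sample values). "example.com"
# matches only that name; "*.example.com" matches its subdomains.
resource "aws_route53_resolver_firewall_domain_list" "allowed" {
  name    = "trusted-domains"
  domains = ["example.com", "*.example.com"]
}

# Catch-all list: "*" matches every domain name not already handled by a
# higher-priority (lower-numbered) rule in the same rule group.
resource "aws_route53_resolver_firewall_domain_list" "all" {
  name    = "all-domains"
  domains = ["*"]
}

resource "aws_route53_resolver_firewall_rule_group" "allowlist" {
  name = "allowlist"
}

# Evaluated first: let queries for trusted domains through.
resource "aws_route53_resolver_firewall_rule" "allow_trusted" {
  name                    = "allow-trusted"
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.allowed.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.allowlist.id
  priority                = 100
}

# Evaluated second: every other name gets NXDOMAIN, so lookups of
# attacker-controlled domains (the exfiltration channel the description
# refers to) fail without affecting the trusted set.
resource "aws_route53_resolver_firewall_rule" "block_rest" {
  name                    = "block-everything-else"
  action                  = "BLOCK"
  block_response          = "NXDOMAIN"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.all.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.allowlist.id
  priority                = 200
}

# Associate the rule group with the VPC. mutation_protection = "ENABLED" keeps
# the association from being modified or removed until protection is disabled.
resource "aws_route53_resolver_firewall_rule_group_association" "allowlist" {
  name                   = "allowlist"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.allowlist.id
  priority               = 101
  mutation_protection    = "ENABLED"
  vpc_id                 = var.vpc_id
}

# Fail closed: if DNS Firewall cannot evaluate a query, Resolver returns
# SERVFAIL rather than letting the query through unfiltered.
resource "aws_route53_resolver_firewall_config" "allowlist" {
  resource_id        = var.vpc_id
  firewall_fail_open = "DISABLED"
}
```

The ordering matters: within a rule group, rules with lower priority numbers are evaluated first, so the ALLOW rule must have a lower number than the catch-all BLOCK rule or the allowlist never takes effect. Choosing `firewall_fail_open = "DISABLED"` trades availability for containment; a team that prefers the opposite trade-off would set it to `"ENABLED"` as in the issue's proposed configuration.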

gazoakley commented 3 years ago

This isn't yet available in the current Go SDK - it may well land in v1.38.11

ewbankkit commented 3 years ago

Announcement. Developer Guide, The API Reference has been updated but nothing in the SDK yet.

ewbankkit commented 3 years ago

Requires AWS SDK v1.38.11:

sslavic commented 3 years ago

AWS SDK has been updated to v1.38.12 via https://github.com/hashicorp/terraform-provider-aws/pull/18565

github-actions[bot] commented 3 years ago

This functionality has been released in v3.46.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.