hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Add data source aws_route53_resolver_firewall_domain_list #21020

Open dthvt opened 3 years ago

dthvt commented 3 years ago

Description

AWS provides two managed domain lists that can be incorporated in Route 53 DNS Firewall rules. They have well known names, but the aws_route53_resolver_firewall_rule requires a domain list ID, not a well known name. This issue requests adding a data source for resolving these well known names to domain list IDs.

New or Affected Resource(s)

Potential Terraform Configuration

data "aws_route53_resolver_firewall_domain_list" "malware" {
  name = "AWSManagedDomainsMalwareDomainList"
}

resource "aws_route53_resolver_firewall_rule" "managed_malware" {
  name                    = "aws-malware-list"
  action                  = "BLOCK"
  block_response          = "NODATA"
  firewall_domain_list_id = data.aws_route53_resolver_firewall_domain_list.malware.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.main.id
  priority                = 100
}

References

posquit0 commented 2 years ago

Is there any discussion for this feature?

autarchprinceps commented 2 years ago

This is important, because the IDs aren't globally the same either. They can change depending on your region.

bodgit commented 2 years ago

Looks like 4.39.0 has #25509 merged; however, that's not really much use: you can get the ID of a domain list if you know the ID already. It would be more useful to use the name.

I'll have a look to see if the name can be used instead of/as well as the ID when querying.

bodgit commented 2 years ago

Looking through the AWS SDK, it looks like you can currently only retrieve domain lists by ID: https://docs.aws.amazon.com/sdk-for-go/api/service/route53resolver/#GetFirewallDomainListInput

So it will need the AWS SDK to be updated before this can be fixed.

dthvt commented 2 years ago

The https://docs.aws.amazon.com/sdk-for-go/api/service/route53resolver/#Route53Resolver.ListFirewallDomainLists endpoint returns the AWS managed lists as well as any custom lists. So it would be possible to search the returned list for the name.

$ aws route53resolver list-firewall-domain-lists | jq '.FirewallDomainLists[] | select(.Name == "AWSManagedDomainsMalwareDomainList")'
{
  "Id": "rslvr-fdl-xxxx",
  "Arn": "arn:aws:route53resolver:us-east-1:xxxx:firewall-domain-list/rslvr-fdl-xxxx",
  "Name": "AWSManagedDomainsMalwareDomainList",
  "CreatorRequestId": "AWSManagedDomainsMalwareDomainList",
  "ManagedOwnerName": "Route 53 Resolver DNS Firewall"
}

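The name lookup dthvt sketches above, written out as an added example (this is not code from the issue thread or from the provider): walk every page of ListFirewallDomainLists, keep only entries whose Name matches, and refuse to return an ID when there is no match or more than one, since a firewall rule silently bound to the wrong list is worse than a plan failure. The `managed_only` flag restricts matches to lists that carry a `ManagedOwnerName`, which is how the AWS managed lists are distinguished in the output shown above. The sample pages, their IDs and the account number are constructed placeholders; the boto3 helper at the end is an assumption about how one would feed real pages in and is only needed if you run it against an account.

```python
"""Resolve a Route 53 Resolver DNS Firewall domain list ID from its well-known name.

Added example, not part of the issue thread or the terraform-provider-aws code.
It models the lookup the thread proposes: scan ListFirewallDomainLists output
for a Name match instead of hard-coding per-region IDs.
"""
from typing import Iterable, List


def find_domain_list_id(pages: Iterable[dict], name: str,
                        managed_only: bool = False) -> str:
    """Return the Id of the single domain list called `name`.

    `pages` is a sequence of ListFirewallDomainLists responses, one dict per
    page (what a paginator yields). With managed_only=True only entries that
    carry ManagedOwnerName are considered, so a customer-created list that
    happens to share the name is never picked. Raises LookupError on zero or
    multiple matches rather than guessing.
    """
    matches: List[dict] = []
    for page in pages:
        for entry in page.get("FirewallDomainLists", []):
            if entry.get("Name") != name:
                continue
            if managed_only and not entry.get("ManagedOwnerName"):
                continue
            matches.append(entry)
    if not matches:
        raise LookupError(f"no firewall domain list named {name!r}")
    if len(matches) > 1:
        ids = ", ".join(m["Id"] for m in matches)
        raise LookupError(f"name {name!r} is ambiguous: {ids}")
    return matches[0]["Id"]


# Constructed sample: two pages shaped like the API output. IDs and the account
# number are placeholders. The second page deliberately contains a
# customer-created list reusing the managed list's name, to show why the
# lookup must not assume names are unique.
SAMPLE_PAGES = [
    {
        "FirewallDomainLists": [
            {
                "Id": "rslvr-fdl-PLACEHOLDER1",
                "Arn": "arn:aws:route53resolver:us-east-1:000000000000:"
                       "firewall-domain-list/rslvr-fdl-PLACEHOLDER1",
                "Name": "AWSManagedDomainsMalwareDomainList",
                "CreatorRequestId": "AWSManagedDomainsMalwareDomainList",
                "ManagedOwnerName": "Route 53 Resolver DNS Firewall",
            },
            {
                "Id": "rslvr-fdl-PLACEHOLDER2",
                "Arn": "arn:aws:route53resolver:us-east-1:000000000000:"
                       "firewall-domain-list/rslvr-fdl-PLACEHOLDER2",
                "Name": "corp-blocklist",
                "CreatorRequestId": "constructed-request-id-1",
            },
        ],
        "NextToken": "constructed-page-2",
    },
    {
        "FirewallDomainLists": [
            {
                "Id": "rslvr-fdl-PLACEHOLDER3",
                "Arn": "arn:aws:route53resolver:us-east-1:000000000000:"
                       "firewall-domain-list/rslvr-fdl-PLACEHOLDER3",
                "Name": "AWSManagedDomainsMalwareDomainList",
                "CreatorRequestId": "constructed-request-id-2",
            },
        ],
    },
]


def lookup_in_region(name: str, region: str) -> str:
    """Assumed wiring for a live account (requires boto3, not run here):
    feed the paginated API responses into find_domain_list_id."""
    import boto3  # imported lazily so the sample above runs offline
    client = boto3.client("route53resolver", region_name=region)
    pages = client.get_paginator("list_firewall_domain_lists").paginate()
    return find_domain_list_id(pages, name, managed_only=True)


if __name__ == "__main__":
    print(find_domain_list_id(SAMPLE_PAGES,
                              "AWSManagedDomainsMalwareDomainList",
                              managed_only=True))
```

Because IDs differ per region (as noted later in the thread), the lookup has to be run against the region the firewall rule group lives in; `lookup_in_region` takes the region explicitly for that reason.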
elduds commented 1 year ago

Looks like IDs are common across AWS accounts but unique within a region. So they can be statically defined per region as locals, or in a module.

I've given it a dirty hack shot here: https://registry.terraform.io/modules/elduds/route53resolver-firewall-domainlists/aws/latest

Allowing you to define your domain lists by name, e.g.:

resource "aws_route53_resolver_firewall_rule" "block_malware_domains" {
  action                  = "BLOCK"
  block_response          = "NODATA"
  firewall_domain_list_id = module.route53resolver-firewall-domainlists.all_domain_lists[data.aws_region.current.name].AWSManagedDomainsMalwareDomainList
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.managed_domain_lists.id
  name                    = "block-AWSManagedDomainsMalwareDomainList"
  priority                = 300
}

Will just need new versions as new AWS regions come online.