hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Terraform errored trying to create a Route53 Resolver Firewall Rule with the same domain list as an existing rule #38073

Closed chenian closed 1 month ago

chenian commented 3 months ago

Terraform Core Version

1.7.1

AWS Provider Version

5.44.0

Affected Resource(s)

aws_route53_resolver_firewall_rule

Expected Behavior

Nothing

Actual Behavior

Terraform is trying to add a resource that was already created by Terraform, after I manually added another firewall rule with a different query type for the same domain list. The reason for manually creating the new rule is that Terraform does not yet support query type within aws_route53_resolver_firewall_rule. Ref: [Enhancement]: Add support for "Query type" on aws_route53_resolver_firewall_rule #38070

module.use1.aws_route53_resolver_firewall_rule.chm_sandbox_aws_managed_1 will be created
  + resource "aws_route53_resolver_firewall_rule" "chm_sandbox_aws_managed_1" {
      + action                  = "ALERT"
      + firewall_domain_list_id = "rslvr-fdl-2c46f2ecbfec4dcc"
      + firewall_rule_group_id  = "rslvr-frg-f73459e8760545e8"
      + id                      = (known after apply)
      + name                    = "chm_sandbox_block_AWSManagedDomainsMalwareDomainList"
      + priority                = 210
    }

Relevant Error/Panic Output Snippet

After terraform apply (even though the resource was already created previously by Terraform):

╷
│ Error: creating Route53 Resolver Firewall Rule (chm_sandbox_block_AWSManagedDomainsMalwareDomainList): ValidationException: [RSLVR-02202] You can’t associate a rule with this DNS Firewall rule group "rslvr-frg-f73459e8760545e8". It already has a rule associated with the domain list "rslvr-fdl-2c46f2ecbfec4dcc". Trace Id: "1-667477b6-62b57e490bfc89b33cdd1ee1"
│ 
│   with module.use1.aws_route53_resolver_firewall_rule.chm_sandbox_aws_managed_1,
│   on region/dns_firewall.tf line 69, in resource "aws_route53_resolver_firewall_rule" "chm_sandbox_aws_managed_1":
│   69: resource "aws_route53_resolver_firewall_rule" "chm_sandbox_aws_managed_1" {
│ 
╵

Terraform Configuration Files

# DNS Firewall configuration for the sandbox VPC
resource "aws_route53_resolver_firewall_config" "sandbox" {
  resource_id = module.vpc.vpc_id

  firewall_fail_open = "ENABLED"
}

# Rule group that holds the firewall rules
resource "aws_route53_resolver_firewall_rule_group" "sandbox" {
  name = "sandbox"
}

# Rule on the AWS-managed malware domain list; the rule group reference must
# match the resource name declared above ("sandbox")
resource "aws_route53_resolver_firewall_rule" "chm_sandbox_aws_managed_1" {
  name                    = "chm_sandbox_block_AWSManagedDomainsMalwareDomainList"
  action                  = "ALERT"
  firewall_domain_list_id = "rslvr-fdl-2c46f2ecbfec4dcc"
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.sandbox.id
  priority                = 210
}

# Attach the rule group to the VPC
resource "aws_route53_resolver_firewall_rule_group_association" "sandbox" {
  name                   = "sandbox"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.sandbox.id
  priority               = 1000
  vpc_id                 = module.vpc.vpc_id
}

Steps to Reproduce

  1. Apply the Terraform config above.
  2. In the AWS Console, manually create another rule with the same domain list (rslvr-fdl-2c46f2ecbfec4dcc (AWSManagedDomainsMalwareDomainList)) with query type = 'A'.
  3. Run terraform plan; Terraform tries to add the same resource from step 1.
  4. Run terraform apply; Terraform fails with the error output listed above.

Debug Output

No response

Panic Output

No response

Important Factoids

I have confirmed with AWS that DNS Firewall does support multiple rules using the same AWS-managed domain list.

References

No response

Would you like to implement a fix?

None

justinretzolk commented 3 months ago

Hey @chenian 👋 Thank you for taking the time to raise this! I can't quite tell for certain with the information we have, but I suspect that when you're making the modification in the AWS console, it's causing the rule's ID to change, so Terraform sees it as having "disappeared" and attempts to recreate it. This may be a case where you need to import the resource, but it may also help if you can provide debug logging for the run after your manual modification in the console (redacted as needed).
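One way to surface this kind of drift before running terraform apply, as an added example that is not part of the issue or the provider: group the rules in a rule group by the provider's documented import ID (rule_group_id:domain_list_id) and report any key shared by more than one rule, since two rules that differ only by query type collide on that key. The rule group and domain list IDs are the ones from the report; the rule names, priorities and the Qtype value on the second rule are constructed.

```python
"""Find DNS Firewall rules that share a domain list within one rule group.

Added example, not code from the issue or the provider. At provider 5.44.0 an
aws_route53_resolver_firewall_rule is identified as "rule_group_id:domain_list_id",
so rules that differ only by query type are indistinguishable to Terraform.
"""
from collections import defaultdict

# Constructed sample mirroring the report: the Terraform-managed ALERT rule and a
# console-created rule (query type A) on the same AWS-managed domain list.
SAMPLE_RULES = [
    {"FirewallRuleGroupId": "rslvr-frg-f73459e8760545e8",
     "FirewallDomainListId": "rslvr-fdl-2c46f2ecbfec4dcc",
     "Name": "chm_sandbox_block_AWSManagedDomainsMalwareDomainList",
     "Priority": 210, "Action": "ALERT"},
    {"FirewallRuleGroupId": "rslvr-frg-f73459e8760545e8",
     "FirewallDomainListId": "rslvr-fdl-2c46f2ecbfec4dcc",
     "Name": "manual_rule_qtype_A",  # hypothetical console-created rule
     "Priority": 220, "Action": "BLOCK", "Qtype": "A"},
    {"FirewallRuleGroupId": "rslvr-frg-f73459e8760545e8",
     "FirewallDomainListId": "rslvr-fdl-0000000000000000",  # placeholder id
     "Name": "other_rule", "Priority": 300, "Action": "ALLOW"},
]

def terraform_id(rule):
    """Key the provider (5.44.0) uses to identify a firewall rule."""
    return f"{rule['FirewallRuleGroupId']}:{rule['FirewallDomainListId']}"

def find_colliding_rules(rules):
    """Return {terraform_id: [(name, qtype), ...]} for IDs shared by >1 rule.

    A rule without Qtype applies to all query types; shown as "(all)".
    """
    by_id = defaultdict(list)
    for rule in rules:
        by_id[terraform_id(rule)].append((rule["Name"], rule.get("Qtype", "(all)")))
    return {key: sorted(names) for key, names in by_id.items() if len(names) > 1}

def fetch_rules(rule_group_id, client=None):
    """Live variant: page through ListFirewallRules (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    client = client or boto3.client("route53resolver")
    kwargs, rules = {"FirewallRuleGroupId": rule_group_id}, []
    while True:
        resp = client.list_firewall_rules(**kwargs)
        rules.extend(resp.get("FirewallRules", []))
        if "NextToken" not in resp:
            return rules
        kwargs["NextToken"] = resp["NextToken"]

if __name__ == "__main__":
    for key, names in find_colliding_rules(SAMPLE_RULES).items():
        print(f"{key}: {len(names)} rules share this Terraform ID -> {names}")
```

Any key reported here is a candidate for terraform import or for moving the extra rule into configuration once the provider exposes query type.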

justinretzolk commented 1 month ago

Hey @chenian 👋 The enhancement request that you linked to has since been merged, which should resolve this altogether. With that and that we haven't heard back in mind, I'm going to close this issue. Please do let us know if you run into any other unexpected behavior!

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 5 days ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.