AWS Route 53 Resolver Firewall Rule
This page shows how to write Terraform and CloudFormation for Route 53 Resolver Firewall Rule and write them securely.
aws_route53_resolver_firewall_rule (Terraform)
The Firewall Rule in Route 53 Resolver can be configured in Terraform with the resource name aws_route53_resolver_firewall_rule. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
name
- (Required) A name that lets you identify the rule, to manage and use it.
action
- (Required) The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list. Valid values: ALLOW, BLOCK, ALERT.
block_override_dns_type
- (Required if block_response is OVERRIDE) The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Valid values: CNAME.
block_override_domain
- (Required if block_response is OVERRIDE) The custom DNS record to send back in response to the query.
block_override_ttl
- (Required if block_response is OVERRIDE) The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Minimum value of 0. Maximum value of 604800.
block_response
- (Required if action is BLOCK) The way that you want DNS Firewall to block the request. Valid values: NODATA, NXDOMAIN, OVERRIDE.
firewall_domain_list_id
- (Required) The ID of the domain list that you want to use in the rule.
firewall_rule_group_id
- (Required) The unique identifier of the firewall rule group where you want to create the rule.
priority
- (Required) The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
In addition to all arguments above, the following attributes are exported:
id
- The ID of the rule.
Explanation in Terraform Registry
Provides a Route 53 Resolver DNS Firewall rule resource.
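Because no example was found on GitHub, the following Terraform configuration is an added example written for this page (it is not the provider's own code and does not come from the Terraform Registry). It exercises every argument listed above: an ALLOW rule at the lowest priority so trusted names are matched first, a BLOCK rule using block_response = "OVERRIDE" with all three block_override_* arguments, an ALERT rule that only matches and logs, plus the domain lists, rule group, VPC association and query logging that a rule needs before it has any effect. The variable var.vpc_id and every domain name are assumptions or constructed placeholders.

```hcl
# Added example: a complete DNS Firewall rule group demonstrating action,
# block_response, block_override_* and priority on aws_route53_resolver_firewall_rule.
# Assumptions: var.vpc_id is the VPC to protect; all domain names are constructed.

variable "vpc_id" {
  type = string
}

# Each rule references exactly one domain list.
resource "aws_route53_resolver_firewall_domain_list" "trusted" {
  name    = "trusted-internal"
  domains = ["*.corp.example"] # constructed
}

resource "aws_route53_resolver_firewall_domain_list" "known_bad" {
  name    = "known-bad"
  domains = ["bad.example", "*.bad.example"] # constructed
}

resource "aws_route53_resolver_firewall_domain_list" "watch" {
  name    = "watchlist"
  domains = ["*.newly-registered.example"] # constructed
}

resource "aws_route53_resolver_firewall_rule_group" "main" {
  name = "vpc-dns-firewall"
}

# The lowest priority is evaluated first, so the explicit allow for trusted
# names is placed before any block rule and cannot be shadowed by a wildcard.
resource "aws_route53_resolver_firewall_rule" "allow_trusted" {
  name                    = "allow-trusted"
  action                  = "ALLOW"
  priority                = 100
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.trusted.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.main.id
}

# action = BLOCK requires block_response; OVERRIDE additionally requires all
# three block_override_* arguments. The CNAME sends clients to a sinkhole host
# (constructed name) so attempted contacts can be observed rather than silently failing.
resource "aws_route53_resolver_firewall_rule" "sinkhole_known_bad" {
  name                    = "sinkhole-known-bad"
  action                  = "BLOCK"
  block_response          = "OVERRIDE"
  block_override_dns_type = "CNAME"
  block_override_domain   = "sinkhole.corp.example"
  block_override_ttl      = 60 # seconds, allowed range 0..604800; short so an unblock propagates quickly
  priority                = 200
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.known_bad.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.main.id
}

# ALERT permits the query but records the match; it is only useful when
# Resolver query logging is enabled for the VPC (configured below).
resource "aws_route53_resolver_firewall_rule" "alert_watchlist" {
  name                    = "alert-watchlist"
  action                  = "ALERT"
  priority                = 300
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.watch.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.main.id
}

# Rules do nothing until the rule group is associated with a VPC.
resource "aws_route53_resolver_firewall_rule_group_association" "main" {
  name                   = "vpc-dns-firewall"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.main.id
  vpc_id                 = var.vpc_id
  priority               = 101       # association priority; 101..9900 are available to customers
  mutation_protection    = "ENABLED" # prevents the association from being changed or removed
}

# Query logging records the rule action and matched domain list for every
# query, which is what makes ALERT and BLOCK decisions visible to detection.
resource "aws_cloudwatch_log_group" "dns" {
  name              = "/aws/route53resolver/vpc-dns-firewall"
  retention_in_days = 90
}

resource "aws_route53_resolver_query_log_config" "dns" {
  name            = "vpc-dns-firewall"
  destination_arn = aws_cloudwatch_log_group.dns.arn
}

resource "aws_route53_resolver_query_log_config_association" "dns" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.dns.id
  resource_id                  = var.vpc_id
}
```

Two design points worth checking in your own configuration: priorities within a rule group must be unique, and a new wildcard block list added at a lower number than an existing allow rule will start overriding it, so reserve a low band (here 100-199) for allows. NXDOMAIN is the quieter choice when you do not operate a sinkhole; OVERRIDE is preferable when you want the blocked client's follow-on traffic to land somewhere you monitor.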
AWS::Route53Resolver::FirewallRuleGroup FirewallRule (CloudFormation)
The FirewallRuleGroup FirewallRule in Route53Resolver can be configured in CloudFormation with the resource name AWS::Route53Resolver::FirewallRuleGroup FirewallRule. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
Action
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
ALLOW
- Permit the request to go through.
ALERT
- Permit the request to go through but send an alert to the logs.
BLOCK
- Disallow the request. If this is specified, then BlockResponse must also be specified.
If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified:
BlockOverrideDnsType
BlockOverrideDomain
BlockOverrideTtl
Required: Yes
Type: String
Allowed values: ALERT | ALLOW | BLOCK
Update requires: No interruption
BlockOverrideDnsType
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: String
Allowed values: CNAME
Update requires: No interruption
BlockOverrideDomain
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: String
Minimum: 1
Maximum: 255
Update requires: No interruption
BlockOverrideTtl
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: Integer
Update requires: No interruption
BlockResponse
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA
- Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN
- Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE
- Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
Required: No
Type: String
Allowed values: NODATA | NXDOMAIN | OVERRIDE
Update requires: No interruption
FirewallDomainListId
The ID of the domain list that's used in the rule.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Update requires: No interruption
Priority
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Required: Yes
Type: Integer
Update requires: No interruption
Explanation in CloudFormation Registry
A single firewall rule in a rule group.