Add tags to WAF WebACL, Rule & Rule Group Resources (#10408)

Output from acceptance testing:

```
--- PASS: TestAccAWSWafRuleGroup_noActivatedRules (15.91s)
--- PASS: TestAccAWSWafRuleGroup_Tags (39.80s)
--- PASS: TestAccAWSWafRule_Tags (70.48s)
--- PASS: TestAccAWSWafRule_changeNameForceNew (74.99s)
--- PASS: TestAccAWSWafRule_noPredicates (76.48s)
--- PASS: TestAccAWSWafWebAcl_DefaultAction (91.12s)
--- PASS: TestAccAWSWafWebAcl_Tags (93.10s)
--- PASS: TestAccAWSWafRuleGroup_basic (108.74s)
--- PASS: TestAccAWSWafWebAcl_disappears (109.73s)
--- PASS: TestAccAWSWafWebAcl_LoggingConfiguration (127.80s)
--- PASS: TestAccAWSWafWebAcl_basic (129.29s)
--- PASS: TestAccAWSWafRule_basic (141.68s)
--- PASS: TestAccAWSWafRule_geoMatchSetPredicate (142.90s)
--- PASS: TestAccAWSWafRuleGroup_changeActivatedRules (151.86s)
--- PASS: TestAccAWSWafRule_changePredicates (161.65s)
--- PASS: TestAccAWSWafWebAcl_changeNameForceNew (174.97s)
--- PASS: TestAccAWSWafRuleGroup_changeNameForceNew (181.00s)
--- PASS: TestAccAWSWafRule_disappears (192.69s)
--- PASS: TestAccAWSWafRuleGroup_disappears (205.69s)
```

aws/resource_aws_waf_rule.go

@@ -5,10 +5,12 @@ import (
 	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/waf"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 )
 
 func resourceAwsWafRule() *schema.Resource {
@@ -55,12 +57,14 @@ func resourceAwsWafRule() *schema.Resource {
 					},
 				},
 			},
+			"tags": tagsSchema(),
 		},
 	}
 }
 
 func resourceAwsWafRuleCreate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).wafconn
+	tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().WafTags()
 
 	wr := newWafRetryer(conn)
 	out, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
@@ -70,6 +74,10 @@ func resourceAwsWafRuleCreate(d *schema.ResourceData, meta interface{}) error {
 			Name:        aws.String(d.Get("name").(string)),
 		}
 
+		if len(tags) > 0 {
+			params.Tags = tags
+		}
+
 		return conn.CreateRule(params)
 	})
 	if err != nil {
@@ -109,6 +117,23 @@ func resourceAwsWafRuleRead(d *schema.ResourceData, meta interface{}) error {
 		predicates = append(predicates, predicate)
 	}
 
+	arn := arn.ARN{
+		Partition: meta.(*AWSClient).partition,
+		Service:   "waf",
+		AccountID: meta.(*AWSClient).accountid,
+		Resource:  fmt.Sprintf("rule/%s", d.Id()),
+	}.String()
+
+	tagList, err := conn.ListTagsForResource(&waf.ListTagsForResourceInput{
+		ResourceARN: aws.String(arn),
+	})
+	if err != nil {
+		return fmt.Errorf("Failed to get WAF Rule parameter tags for %s: %s", d.Get("name"), err)
+	}
+	if err := d.Set("tags", keyvaluetags.WafKeyValueTags(tagList.TagInfoForResource.TagList).IgnoreAws().Map()); err != nil {
+		return fmt.Errorf("error setting tags: %s", err)
+	}
+
 	d.Set("predicates", predicates)
 	d.Set("name", resp.Rule.Name)
 	d.Set("metric_name", resp.Rule.MetricName)
@@ -129,6 +154,21 @@ func resourceAwsWafRuleUpdate(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	if d.HasChange("tags") {
+		o, n := d.GetChange("tags")
+
+		arn := arn.ARN{
+			Partition: meta.(*AWSClient).partition,
+			Service:   "waf",
+			AccountID: meta.(*AWSClient).accountid,
+			Resource:  fmt.Sprintf("rule/%s", d.Id()),
+		}.String()
+
+		if err := keyvaluetags.WafUpdateTags(conn, arn, o, n); err != nil {
+			return fmt.Errorf("error updating tags: %s", err)
+		}
+	}
+
 	return resourceAwsWafRuleRead(d, meta)
 }
 

aws/resource_aws_waf_rule_group.go

@@ -5,8 +5,10 @@ import (
 	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/service/waf"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 )
 
 func resourceAwsWafRuleGroup() *schema.Resource {
@@ -65,12 +67,14 @@ func resourceAwsWafRuleGroup() *schema.Resource {
 					},
 				},
 			},
+			"tags": tagsSchema(),
 		},
 	}
 }
 
 func resourceAwsWafRuleGroupCreate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).wafconn
+	tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().WafTags()
 
 	wr := newWafRetryer(conn)
 	out, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
@@ -80,6 +84,10 @@ func resourceAwsWafRuleGroupCreate(d *schema.ResourceData, meta interface{}) err
 			Name:        aws.String(d.Get("name").(string)),
 		}
 
+		if len(tags) > 0 {
+			params.Tags = tags
+		}
+
 		return conn.CreateRuleGroup(params)
 	})
 	if err != nil {
@@ -115,6 +123,23 @@ func resourceAwsWafRuleGroupRead(d *schema.ResourceData, meta interface{}) error
 		return fmt.Errorf("error listing activated rules in WAF Rule Group (%s): %s", d.Id(), err)
 	}
 
+	arn := arn.ARN{
+		Partition: meta.(*AWSClient).partition,
+		Service:   "waf",
+		AccountID: meta.(*AWSClient).accountid,
+		Resource:  fmt.Sprintf("rulegroup/%s", d.Id()),
+	}.String()
+
+	tagList, err := conn.ListTagsForResource(&waf.ListTagsForResourceInput{
+		ResourceARN: aws.String(arn),
+	})
+	if err != nil {
+		return fmt.Errorf("Failed to get WAF Rule Group parameter tags for %s: %s", d.Get("name"), err)
+	}
+	if err := d.Set("tags", keyvaluetags.WafKeyValueTags(tagList.TagInfoForResource.TagList).IgnoreAws().Map()); err != nil {
+		return fmt.Errorf("error setting tags: %s", err)
+	}
+
 	d.Set("activated_rule", flattenWafActivatedRules(rResp.ActivatedRules))
 	d.Set("name", resp.RuleGroup.Name)
 	d.Set("metric_name", resp.RuleGroup.MetricName)
@@ -135,6 +160,21 @@ func resourceAwsWafRuleGroupUpdate(d *schema.ResourceData, meta interface{}) err
 		}
 	}
 
+	if d.HasChange("tags") {
+		o, n := d.GetChange("tags")
+
+		arn := arn.ARN{
+			Partition: meta.(*AWSClient).partition,
+			Service:   "waf",
+			AccountID: meta.(*AWSClient).accountid,
+			Resource:  fmt.Sprintf("rulegroup/%s", d.Id()),
+		}.String()
+
+		if err := keyvaluetags.WafUpdateTags(conn, arn, o, n); err != nil {
+			return fmt.Errorf("error updating tags: %s", err)
+		}
+	}
+
 	return resourceAwsWafRuleGroupRead(d, meta)
 }
 

aws/resource_aws_waf_rule_group_test.go

@@ -250,6 +250,56 @@ func computeWafActivatedRuleWithRuleId(rule *waf.Rule, actionType string, priori
 	}
 }
 
+func TestAccAWSWafRuleGroup_Tags(t *testing.T) {
+	var group waf.RuleGroup
+	groupName := fmt.Sprintf("test%s", acctest.RandString(5))
+	resourceName := "aws_waf_rule_group.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckAWSWaf(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSWafRuleGroupConfigTags1(groupName, "key1", "value1"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSWafRuleGroupExists(resourceName, &group),
+					resource.TestCheckResourceAttr(resourceName, "name", groupName),
+					resource.TestCheckResourceAttr(resourceName, "activated_rule.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tags.key1", "value1"),
+				),
+			},
+			{
+				Config: testAccAWSWafRuleGroupConfigTags2(groupName, "key1", "value1updated", "key2", "value2"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSWafRuleGroupExists(resourceName, &group),
+					resource.TestCheckResourceAttr(resourceName, "name", groupName),
+					resource.TestCheckResourceAttr(resourceName, "activated_rule.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "2"),
+					resource.TestCheckResourceAttr(resourceName, "tags.key1", "value1updated"),
+					resource.TestCheckResourceAttr(resourceName, "tags.key2", "value2"),
+				),
+			},
+			{
+				Config: testAccAWSWafRuleGroupConfigTags1(groupName, "key2", "value2"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSWafRuleGroupExists(resourceName, &group),
+					resource.TestCheckResourceAttr(resourceName, "name", groupName),
+					resource.TestCheckResourceAttr(resourceName, "activated_rule.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tags.key2", "value2"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAWSWafRuleGroup_noActivatedRules(t *testing.T) {
 	var group waf.RuleGroup
 	groupName := fmt.Sprintf("test%s", acctest.RandString(5))
@@ -264,10 +314,8 @@ func TestAccAWSWafRuleGroup_noActivatedRules(t *testing.T) {
 				Config: testAccAWSWafRuleGroupConfig_noActivatedRules(groupName),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckAWSWafRuleGroupExists(resourceName, &group),
-					resource.TestCheckResourceAttr(
-						resourceName, "name", groupName),
-					resource.TestCheckResourceAttr(
-						resourceName, "activated_rule.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "name", groupName),
+					resource.TestCheckResourceAttr(resourceName, "activated_rule.#", "0"),
 				),
 			},
 		},
@@ -458,3 +506,30 @@ resource "aws_waf_rule_group" "test" {
 }
 `, groupName)
 }
+
+func testAccAWSWafRuleGroupConfigTags1(gName, tag1Key, tag1Value string) string {
+	return fmt.Sprintf(`
+resource "aws_waf_rule_group" "test" {
+  name        = "%[1]s"
+  metric_name = "%[1]s"
+
+  tags = {
+	%q = %q
+  }
+}
+`, gName, tag1Key, tag1Value)
+}
+
+func testAccAWSWafRuleGroupConfigTags2(gName, tag1Key, tag1Value, tag2Key, tag2Value string) string {
+	return fmt.Sprintf(`
+resource "aws_waf_rule_group" "test" {
+  name        = "%[1]s"
+  metric_name = "%[1]s"
+
+  tags = {
+	%q = %q
+	%q = %q
+  }
+}
+`, gName, tag1Key, tag1Value, tag2Key, tag2Value)
+}