aws-sdk-route53resolver 1.24.0 → 1.25.0

data/lib/aws-sdk-route53resolver/errors.rb

@@ -28,6 +28,7 @@ module Aws::Route53Resolver
   #
   # ## Error Classes
   # * {AccessDeniedException}
+  # * {ConflictException}
   # * {InternalServiceErrorException}
   # * {InvalidNextTokenException}
   # * {InvalidParameterException}
@@ -41,6 +42,7 @@ module Aws::Route53Resolver
   # * {ResourceUnavailableException}
   # * {ThrottlingException}
   # * {UnknownResourceException}
+  # * {ValidationException}
   #
   # Additionally, error classes are dynamically generated for service errors based on the error code
   # if they are not defined above.
@@ -63,6 +65,21 @@ module Aws::Route53Resolver
       end
     end
 
+    class ConflictException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::Route53Resolver::Types::ConflictException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class InternalServiceErrorException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context
@@ -288,5 +305,20 @@ module Aws::Route53Resolver
       end
     end
 
+    class ValidationException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::Route53Resolver::Types::ValidationException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
   end
 end

data/lib/aws-sdk-route53resolver/types.rb

@@ -24,6 +24,100 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass AssociateFirewallRuleGroupRequest
+    #   data as a hash:
+    #
+    #       {
+    #         creator_request_id: "CreatorRequestId", # required
+    #         firewall_rule_group_id: "ResourceId", # required
+    #         vpc_id: "ResourceId", # required
+    #         priority: 1, # required
+    #         name: "Name", # required
+    #         mutation_protection: "ENABLED", # accepts ENABLED, DISABLED
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string that identifies the request and that allows failed
+    #   requests to be retried without the risk of executing the operation
+    #   twice. `CreatorRequestId` can be any unique string, for example, a
+    #   date/time stamp.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The unique identifier of the VPC that you want to associate with the
+    #   rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule group
+    #   among the rule groups that you associate with the specified VPC. DNS
+    #   Firewall filters VPC traffic starting from rule group with the
+    #   lowest numeric priority setting.
+    #
+    #   You must specify a unique priority for each rule group that you
+    #   associate with a single VPC. To make it easier to insert rule groups
+    #   later, leave space between the numbers, for example, use 100, 200,
+    #   and so on. You can change the priority setting for a rule group
+    #   association after you create it.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] name
+    #   A name that lets you identify the association, to manage and use it.
+    #   @return [String]
+    #
+    # @!attribute [rw] mutation_protection
+    #   If enabled, this setting disallows modification or removal of the
+    #   association, to help prevent against accidentally altering DNS
+    #   firewall protections. When you create the association, the default
+    #   setting is `DISABLED`.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   A list of the tag keys and values that you want to associate with
+    #   the rule group association.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/AssociateFirewallRuleGroupRequest AWS API Documentation
+    #
+    class AssociateFirewallRuleGroupRequest < Struct.new(
+      :creator_request_id,
+      :firewall_rule_group_id,
+      :vpc_id,
+      :priority,
+      :name,
+      :mutation_protection,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group_association
+    #   The association that you just created. The association has an Id
+    #   that you can use to identify it in other requests, like update and
+    #   delete.
+    #   @return [Types::FirewallRuleGroupAssociation]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/AssociateFirewallRuleGroupResponse AWS API Documentation
+    #
+    class AssociateFirewallRuleGroupResponse < Struct.new(
+      :firewall_rule_group_association)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass AssociateResolverEndpointIpAddressRequest
     #   data as a hash:
     #
@@ -163,6 +257,263 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ConflictException AWS API Documentation
+    #
+    class ConflictException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass CreateFirewallDomainListRequest
+    #   data as a hash:
+    #
+    #       {
+    #         creator_request_id: "CreatorRequestId", # required
+    #         name: "Name", # required
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string that identifies the request and that allows you to
+    #   retry failed requests without the risk of executing the operation
+    #   twice. `CreatorRequestId` can be any unique string, for example, a
+    #   date/time stamp.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   A name that lets you identify the domain list to manage and use it.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   A list of the tag keys and values that you want to associate with
+    #   the domain list.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallDomainListRequest AWS API Documentation
+    #
+    class CreateFirewallDomainListRequest < Struct.new(
+      :creator_request_id,
+      :name,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_domain_list
+    #   The domain list that you just created.
+    #   @return [Types::FirewallDomainList]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallDomainListResponse AWS API Documentation
+    #
+    class CreateFirewallDomainListResponse < Struct.new(
+      :firewall_domain_list)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass CreateFirewallRuleGroupRequest
+    #   data as a hash:
+    #
+    #       {
+    #         creator_request_id: "CreatorRequestId", # required
+    #         name: "Name", # required
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   A name that lets you identify the rule group, to manage and use it.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   A list of the tag keys and values that you want to associate with
+    #   the rule group.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRuleGroupRequest AWS API Documentation
+    #
+    class CreateFirewallRuleGroupRequest < Struct.new(
+      :creator_request_id,
+      :name,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group
+    #   A collection of rules used to filter DNS network traffic.
+    #   @return [Types::FirewallRuleGroup]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRuleGroupResponse AWS API Documentation
+    #
+    class CreateFirewallRuleGroupResponse < Struct.new(
+      :firewall_rule_group)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass CreateFirewallRuleRequest
+    #   data as a hash:
+    #
+    #       {
+    #         creator_request_id: "CreatorRequestId", # required
+    #         firewall_rule_group_id: "ResourceId", # required
+    #         firewall_domain_list_id: "ResourceId", # required
+    #         priority: 1, # required
+    #         action: "ALLOW", # required, accepts ALLOW, BLOCK, ALERT
+    #         block_response: "NODATA", # accepts NODATA, NXDOMAIN, OVERRIDE
+    #         block_override_domain: "BlockOverrideDomain",
+    #         block_override_dns_type: "CNAME", # accepts CNAME
+    #         block_override_ttl: 1,
+    #         name: "Name", # required
+    #       }
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string that identifies the request and that allows you to
+    #   retry failed requests without the risk of executing the operation
+    #   twice. `CreatorRequestId` can be any unique string, for example, a
+    #   date/time stamp.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group where you want to
+    #   create the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list that you want to use in the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule in the
+    #   rule group. DNS Firewall processes the rules in a rule group by
+    #   order of priority, starting from the lowest setting.
+    #
+    #   You must specify a unique priority for each rule in a rule group. To
+    #   make it easier to insert rules later, leave space between the
+    #   numbers, for example, use 100, 200, and so on. You can change the
+    #   priority setting for the rules in a rule group at any time.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] action
+    #   The action that DNS Firewall should take on a DNS query when it
+    #   matches one of the domains in the rule's domain list:
+    #
+    #   * `ALLOW` - Permit the request to go through.
+    #
+    #   * `ALERT` - Permit the request and send metrics and log to Cloud
+    #     Watch.
+    #
+    #   * `BLOCK` - Disallow the request. This option requires additional
+    #     details in the rule's `BlockResponse`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_response
+    #   The way that you want DNS Firewall to block the request, used with
+    #   the rule aciton setting `BLOCK`.
+    #
+    #   * `NODATA` - Respond indicating that the query was successful, but
+    #     no response is available for it.
+    #
+    #   * `NXDOMAIN` - Respond indicating that the domain name that's in
+    #     the query doesn't exist.
+    #
+    #   * `OVERRIDE` - Provide a custom override in the response. This
+    #     option requires custom handling details in the rule's
+    #     `BlockOverride*` settings.
+    #
+    #   This setting is required if the rule action setting is `BLOCK`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_domain
+    #   The custom DNS record to send back in response to the query. Used
+    #   for the rule action `BLOCK` with a `BlockResponse` setting of
+    #   `OVERRIDE`.
+    #
+    #   This setting is required if the `BlockResponse` setting is
+    #   `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_dns_type
+    #   The DNS record's type. This determines the format of the record
+    #   value that you provided in `BlockOverrideDomain`. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #
+    #   This setting is required if the `BlockResponse` setting is
+    #   `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_ttl
+    #   The recommended amount of time, in seconds, for the DNS resolver or
+    #   web browser to cache the provided override record. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #
+    #   This setting is required if the `BlockResponse` setting is
+    #   `OVERRIDE`.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] name
+    #   A name that lets you identify the rule in the rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRuleRequest AWS API Documentation
+    #
+    class CreateFirewallRuleRequest < Struct.new(
+      :creator_request_id,
+      :firewall_rule_group_id,
+      :firewall_domain_list_id,
+      :priority,
+      :action,
+      :block_response,
+      :block_override_domain,
+      :block_override_dns_type,
+      :block_override_ttl,
+      :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule
+    #   The firewall rule that you just created.
+    #   @return [Types::FirewallRule]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRuleResponse AWS API Documentation
+    #
+    class CreateFirewallRuleResponse < Struct.new(
+      :firewall_rule)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass CreateResolverEndpointRequest
     #   data as a hash:
     #
@@ -442,120 +793,252 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteResolverEndpointRequest
+    # @note When making an API call, you may pass DeleteFirewallDomainListRequest
     #   data as a hash:
     #
     #       {
-    #         resolver_endpoint_id: "ResourceId", # required
+    #         firewall_domain_list_id: "ResourceId", # required
     #       }
     #
-    # @!attribute [rw] resolver_endpoint_id
-    #   The ID of the Resolver endpoint that you want to delete.
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list that you want to delete.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverEndpointRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallDomainListRequest AWS API Documentation
     #
-    class DeleteResolverEndpointRequest < Struct.new(
-      :resolver_endpoint_id)
+    class DeleteFirewallDomainListRequest < Struct.new(
+      :firewall_domain_list_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] resolver_endpoint
-    #   Information about the `DeleteResolverEndpoint` request, including
-    #   the status of the request.
-    #   @return [Types::ResolverEndpoint]
+    # @!attribute [rw] firewall_domain_list
+    #   The domain list that you just deleted.
+    #   @return [Types::FirewallDomainList]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverEndpointResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallDomainListResponse AWS API Documentation
     #
-    class DeleteResolverEndpointResponse < Struct.new(
-      :resolver_endpoint)
+    class DeleteFirewallDomainListResponse < Struct.new(
+      :firewall_domain_list)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteResolverQueryLogConfigRequest
+    # @note When making an API call, you may pass DeleteFirewallRuleGroupRequest
     #   data as a hash:
     #
     #       {
-    #         resolver_query_log_config_id: "ResourceId", # required
+    #         firewall_rule_group_id: "ResourceId", # required
     #       }
     #
-    # @!attribute [rw] resolver_query_log_config_id
-    #   The ID of the query logging configuration that you want to delete.
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group that you want to
+    #   delete.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverQueryLogConfigRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallRuleGroupRequest AWS API Documentation
     #
-    class DeleteResolverQueryLogConfigRequest < Struct.new(
-      :resolver_query_log_config_id)
+    class DeleteFirewallRuleGroupRequest < Struct.new(
+      :firewall_rule_group_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] resolver_query_log_config
-    #   Information about the query logging configuration that you deleted,
-    #   including the status of the request.
-    #   @return [Types::ResolverQueryLogConfig]
+    # @!attribute [rw] firewall_rule_group
+    #   A collection of rules used to filter DNS network traffic.
+    #   @return [Types::FirewallRuleGroup]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverQueryLogConfigResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallRuleGroupResponse AWS API Documentation
     #
-    class DeleteResolverQueryLogConfigResponse < Struct.new(
-      :resolver_query_log_config)
+    class DeleteFirewallRuleGroupResponse < Struct.new(
+      :firewall_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteResolverRuleRequest
+    # @note When making an API call, you may pass DeleteFirewallRuleRequest
     #   data as a hash:
     #
     #       {
-    #         resolver_rule_id: "ResourceId", # required
+    #         firewall_rule_group_id: "ResourceId", # required
+    #         firewall_domain_list_id: "ResourceId", # required
     #       }
     #
-    # @!attribute [rw] resolver_rule_id
-    #   The ID of the Resolver rule that you want to delete.
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group that you want to
+    #   delete the rule from.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverRuleRequest AWS API Documentation
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list that's used in the rule.
+    #   @return [String]
     #
-    class DeleteResolverRuleRequest < Struct.new(
-      :resolver_rule_id)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallRuleRequest AWS API Documentation
+    #
+    class DeleteFirewallRuleRequest < Struct.new(
+      :firewall_rule_group_id,
+      :firewall_domain_list_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] resolver_rule
-    #   Information about the `DeleteResolverRule` request, including the
-    #   status of the request.
-    #   @return [Types::ResolverRule]
+    # @!attribute [rw] firewall_rule
+    #   The specification for the firewall rule that you just deleted.
+    #   @return [Types::FirewallRule]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverRuleResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallRuleResponse AWS API Documentation
     #
-    class DeleteResolverRuleResponse < Struct.new(
-      :resolver_rule)
+    class DeleteFirewallRuleResponse < Struct.new(
+      :firewall_rule)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DisassociateResolverEndpointIpAddressRequest
+    # @note When making an API call, you may pass DeleteResolverEndpointRequest
     #   data as a hash:
     #
     #       {
     #         resolver_endpoint_id: "ResourceId", # required
-    #         ip_address: { # required
-    #           ip_id: "ResourceId",
-    #           subnet_id: "SubnetId",
-    #           ip: "Ip",
-    #         },
     #       }
     #
     # @!attribute [rw] resolver_endpoint_id
-    #   The ID of the Resolver endpoint that you want to disassociate an IP
-    #   address from.
+    #   The ID of the Resolver endpoint that you want to delete.
     #   @return [String]
     #
-    # @!attribute [rw] ip_address
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverEndpointRequest AWS API Documentation
+    #
+    class DeleteResolverEndpointRequest < Struct.new(
+      :resolver_endpoint_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_endpoint
+    #   Information about the `DeleteResolverEndpoint` request, including
+    #   the status of the request.
+    #   @return [Types::ResolverEndpoint]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverEndpointResponse AWS API Documentation
+    #
+    class DeleteResolverEndpointResponse < Struct.new(
+      :resolver_endpoint)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass DeleteResolverQueryLogConfigRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resolver_query_log_config_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resolver_query_log_config_id
+    #   The ID of the query logging configuration that you want to delete.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverQueryLogConfigRequest AWS API Documentation
+    #
+    class DeleteResolverQueryLogConfigRequest < Struct.new(
+      :resolver_query_log_config_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_query_log_config
+    #   Information about the query logging configuration that you deleted,
+    #   including the status of the request.
+    #   @return [Types::ResolverQueryLogConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverQueryLogConfigResponse AWS API Documentation
+    #
+    class DeleteResolverQueryLogConfigResponse < Struct.new(
+      :resolver_query_log_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass DeleteResolverRuleRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resolver_rule_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resolver_rule_id
+    #   The ID of the Resolver rule that you want to delete.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverRuleRequest AWS API Documentation
+    #
+    class DeleteResolverRuleRequest < Struct.new(
+      :resolver_rule_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_rule
+    #   Information about the `DeleteResolverRule` request, including the
+    #   status of the request.
+    #   @return [Types::ResolverRule]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteResolverRuleResponse AWS API Documentation
+    #
+    class DeleteResolverRuleResponse < Struct.new(
+      :resolver_rule)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass DisassociateFirewallRuleGroupRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_association_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_association_id
+    #   The identifier of the FirewallRuleGroupAssociation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DisassociateFirewallRuleGroupRequest AWS API Documentation
+    #
+    class DisassociateFirewallRuleGroupRequest < Struct.new(
+      :firewall_rule_group_association_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group_association
+    #   The firewall rule group association that you just removed.
+    #   @return [Types::FirewallRuleGroupAssociation]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DisassociateFirewallRuleGroupResponse AWS API Documentation
+    #
+    class DisassociateFirewallRuleGroupResponse < Struct.new(
+      :firewall_rule_group_association)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass DisassociateResolverEndpointIpAddressRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resolver_endpoint_id: "ResourceId", # required
+    #         ip_address: { # required
+    #           ip_id: "ResourceId",
+    #           subnet_id: "SubnetId",
+    #           ip: "Ip",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] resolver_endpoint_id
+    #   The ID of the Resolver endpoint that you want to disassociate an IP
+    #   address from.
+    #   @return [String]
+    #
+    # @!attribute [rw] ip_address
     #   The IPv4 address that you want to remove from a Resolver endpoint.
     #   @return [Types::IpAddressUpdate]
     #
@@ -889,128 +1372,768 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetResolverDnssecConfigRequest
-    #   data as a hash:
+    # Configuration of the firewall behavior provided by DNS Firewall for a
+    # single Amazon virtual private cloud (VPC).
     #
-    #       {
-    #         resource_id: "ResourceId", # required
-    #       }
+    # @!attribute [rw] id
+    #   The Id of the firewall configuration.
+    #   @return [String]
     #
     # @!attribute [rw] resource_id
-    #   The ID of the virtual private cloud (VPC) for the DNSSEC validation
-    #   status.
+    #   The ID of the VPC that this firewall configuration applies to.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverDnssecConfigRequest AWS API Documentation
+    # @!attribute [rw] owner_id
+    #   The AWS account ID of the owner of the VPC that this firewall
+    #   configuration applies to.
+    #   @return [String]
     #
-    class GetResolverDnssecConfigRequest < Struct.new(
-      :resource_id)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # @!attribute [rw] resolver_dnssec_config
-    #   The information about a configuration for DNSSEC validation.
-    #   @return [Types::ResolverDnssecConfig]
+    # @!attribute [rw] firewall_fail_open
+    #   Determines how DNS Firewall operates during failures, for example
+    #   when all traffic that is sent to DNS Firewall fails to receive a
+    #   reply.
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverDnssecConfigResponse AWS API Documentation
+    #   * By default, fail open is disabled, which means the failure mode is
+    #     closed. This approach favors security over availability. DNS
+    #     Firewall returns a failure error when it is unable to properly
+    #     evaluate a query.
     #
-    class GetResolverDnssecConfigResponse < Struct.new(
-      :resolver_dnssec_config)
+    #   * If you enable this option, the failure mode is open. This approach
+    #     favors availability over security. DNS Firewall allows queries to
+    #     proceed if it is unable to properly evaluate them.
+    #
+    #   This behavior is only enforced for VPCs that have at least one DNS
+    #   Firewall rule group association.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallConfig AWS API Documentation
+    #
+    class FirewallConfig < Struct.new(
+      :id,
+      :resource_id,
+      :owner_id,
+      :firewall_fail_open)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetResolverEndpointRequest
-    #   data as a hash:
+    # High level information about a list of firewall domains for use in a
+    # FirewallRule. This is returned by GetFirewallDomainList.
     #
-    #       {
-    #         resolver_endpoint_id: "ResourceId", # required
-    #       }
+    # To retrieve the domains that are defined for this domain list, call
+    # ListFirewallDomains.
     #
-    # @!attribute [rw] resolver_endpoint_id
-    #   The ID of the Resolver endpoint that you want to get information
-    #   about.
+    # @!attribute [rw] id
+    #   The ID of the domain list.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverEndpointRequest AWS API Documentation
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the firewall domain list.
+    #   @return [String]
     #
-    class GetResolverEndpointRequest < Struct.new(
-      :resolver_endpoint_id)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # @!attribute [rw] resolver_endpoint
-    #   Information about the Resolver endpoint that you specified in a
-    #   `GetResolverEndpoint` request.
-    #   @return [Types::ResolverEndpoint]
+    # @!attribute [rw] name
+    #   The name of the domain list.
+    #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverEndpointResponse AWS API Documentation
+    # @!attribute [rw] domain_count
+    #   The number of domain names that are specified in the domain list.
+    #   @return [Integer]
     #
-    class GetResolverEndpointResponse < Struct.new(
-      :resolver_endpoint)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # @note When making an API call, you may pass GetResolverQueryLogConfigAssociationRequest
-    #   data as a hash:
+    # @!attribute [rw] status
+    #   The status of the domain list.
+    #   @return [String]
     #
-    #       {
-    #         resolver_query_log_config_association_id: "ResourceId", # required
-    #       }
+    # @!attribute [rw] status_message
+    #   Additional information about the status of the list, if available.
+    #   @return [String]
     #
-    # @!attribute [rw] resolver_query_log_config_association_id
-    #   The ID of the Resolver query logging configuration association that
-    #   you want to get information about.
+    # @!attribute [rw] managed_owner_name
+    #   The owner of the list, used only for lists that are not managed by
+    #   you. For example, the managed domain list
+    #   `AWSManagedDomainsMalwareDomainList` has the managed owner name
+    #   `Route 53 Resolver DNS Firewall`.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigAssociationRequest AWS API Documentation
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
     #
-    class GetResolverQueryLogConfigAssociationRequest < Struct.new(
-      :resolver_query_log_config_association_id)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # @!attribute [rw] resolver_query_log_config_association
-    #   Information about the Resolver query logging configuration
-    #   association that you specified in a `GetQueryLogConfigAssociation`
-    #   request.
-    #   @return [Types::ResolverQueryLogConfigAssociation]
+    # @!attribute [rw] creation_time
+    #   The date and time that the domain list was created, in Unix time
+    #   format and Coordinated Universal Time (UTC).
+    #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigAssociationResponse AWS API Documentation
+    # @!attribute [rw] modification_time
+    #   The date and time that the domain list was last modified, in Unix
+    #   time format and Coordinated Universal Time (UTC).
+    #   @return [String]
     #
-    class GetResolverQueryLogConfigAssociationResponse < Struct.new(
-      :resolver_query_log_config_association)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallDomainList AWS API Documentation
+    #
+    class FirewallDomainList < Struct.new(
+      :id,
+      :arn,
+      :name,
+      :domain_count,
+      :status,
+      :status_message,
+      :managed_owner_name,
+      :creator_request_id,
+      :creation_time,
+      :modification_time)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetResolverQueryLogConfigPolicyRequest
-    #   data as a hash:
+    # Minimal high-level information for a firewall domain list. The action
+    # ListFirewallDomainLists returns an array of these objects.
     #
-    #       {
-    #         arn: "Arn", # required
-    #       }
+    # To retrieve full information for a firewall domain list, call
+    # GetFirewallDomainList and ListFirewallDomains.
+    #
+    # @!attribute [rw] id
+    #   The ID of the domain list.
+    #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The ARN of the query logging configuration that you want to get the
-    #   query logging policy for.
+    #   The Amazon Resource Name (ARN) of the firewall domain list metadata.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigPolicyRequest AWS API Documentation
+    # @!attribute [rw] name
+    #   The name of the domain list.
+    #   @return [String]
     #
-    class GetResolverQueryLogConfigPolicyRequest < Struct.new(
-      :arn)
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
+    #
+    # @!attribute [rw] managed_owner_name
+    #   The owner of the list, used only for lists that are not managed by
+    #   you. For example, the managed domain list
+    #   `AWSManagedDomainsMalwareDomainList` has the managed owner name
+    #   `Route 53 Resolver DNS Firewall`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallDomainListMetadata AWS API Documentation
+    #
+    class FirewallDomainListMetadata < Struct.new(
+      :id,
+      :arn,
+      :name,
+      :creator_request_id,
+      :managed_owner_name)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] resolver_query_log_config_policy
-    #   Information about the query logging policy for the query logging
-    #   configuration that you specified in a
+    # A single firewall rule in a rule group.
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group of the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list that's used in the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The priority of the rule in the rule group. This value must be
+    #   unique within the rule group. DNS Firewall processes the rules in a
+    #   rule group by order of priority, starting from the lowest setting.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] action
+    #   The action that DNS Firewall should take on a DNS query when it
+    #   matches one of the domains in the rule's domain list:
+    #
+    #   * `ALLOW` - Permit the request to go through.
+    #
+    #   * `ALERT` - Permit the request to go through but send an alert to
+    #     the logs.
+    #
+    #   * `BLOCK` - Disallow the request. If this is specified, additional
+    #     handling details are provided in the rule's `BlockResponse`
+    #     setting.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_response
+    #   The way that you want DNS Firewall to block the request. Used for
+    #   the rule action setting `BLOCK`.
+    #
+    #   * `NODATA` - Respond indicating that the query was successful, but
+    #     no response is available for it.
+    #
+    #   * `NXDOMAIN` - Respond indicating that the domain name that's in
+    #     the query doesn't exist.
+    #
+    #   * `OVERRIDE` - Provide a custom override in the response. This
+    #     option requires custom handling details in the rule's
+    #     `BlockOverride*` settings.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_domain
+    #   The custom DNS record to send back in response to the query. Used
+    #   for the rule action `BLOCK` with a `BlockResponse` setting of
+    #   `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_dns_type
+    #   The DNS record's type. This determines the format of the record
+    #   value that you provided in `BlockOverrideDomain`. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_ttl
+    #   The recommended amount of time, in seconds, for the DNS resolver or
+    #   web browser to cache the provided override record. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
+    #
+    # @!attribute [rw] creation_time
+    #   The date and time that the rule was created, in Unix time format and
+    #   Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @!attribute [rw] modification_time
+    #   The date and time that the rule was last modified, in Unix time
+    #   format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallRule AWS API Documentation
+    #
+    class FirewallRule < Struct.new(
+      :firewall_rule_group_id,
+      :firewall_domain_list_id,
+      :name,
+      :priority,
+      :action,
+      :block_response,
+      :block_override_domain,
+      :block_override_dns_type,
+      :block_override_ttl,
+      :creator_request_id,
+      :creation_time,
+      :modification_time)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # High-level information for a firewall rule group. A firewall rule
+    # group is a collection of rules that DNS Firewall uses to filter DNS
+    # network traffic for a VPC. To retrieve the rules for the rule group,
+    # call ListFirewallRules.
+    #
+    # @!attribute [rw] id
+    #   The ID of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] arn
+    #   The ARN (Amazon Resource Name) of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] rule_count
+    #   The number of rules in the rule group.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] status
+    #   The status of the domain list.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Additional information about the status of the rule group, if
+    #   available.
+    #   @return [String]
+    #
+    # @!attribute [rw] owner_id
+    #   The AWS account ID for the account that created the rule group. When
+    #   a rule group is shared with your account, this is the account that
+    #   has shared the rule group with you.
+    #   @return [String]
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
+    #
+    # @!attribute [rw] share_status
+    #   Whether the rule group is shared with other AWS accounts, or was
+    #   shared with the current account by another AWS account. Sharing is
+    #   configured through AWS Resource Access Manager (AWS RAM).
+    #   @return [String]
+    #
+    # @!attribute [rw] creation_time
+    #   The date and time that the rule group was created, in Unix time
+    #   format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @!attribute [rw] modification_time
+    #   The date and time that the rule group was last modified, in Unix
+    #   time format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallRuleGroup AWS API Documentation
+    #
+    class FirewallRuleGroup < Struct.new(
+      :id,
+      :arn,
+      :name,
+      :rule_count,
+      :status,
+      :status_message,
+      :owner_id,
+      :creator_request_id,
+      :share_status,
+      :creation_time,
+      :modification_time)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An association between a firewall rul group and a VPC, which enables
+    # DNS filtering for the VPC.
+    #
+    # @!attribute [rw] id
+    #   The identifier for the association.
+    #   @return [String]
+    #
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the firewall rule group
+    #   association.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The unique identifier of the VPC that is associated with the rule
+    #   group.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the association.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule group
+    #   among the rule groups that are associated with a single VPC. DNS
+    #   Firewall filters VPC traffic starting from rule group with the
+    #   lowest numeric priority setting.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] mutation_protection
+    #   If enabled, this setting disallows modification or removal of the
+    #   association, to help prevent against accidentally altering DNS
+    #   firewall protections.
+    #   @return [String]
+    #
+    # @!attribute [rw] managed_owner_name
+    #   The owner of the association, used only for associations that are
+    #   not managed by you. If you use AWS Firewall Manager to manage your
+    #   DNS Firewalls, then this reports Firewall Manager as the managed
+    #   owner.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The current status of the association.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Additional information about the status of the response, if
+    #   available.
+    #   @return [String]
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
+    #
+    # @!attribute [rw] creation_time
+    #   The date and time that the association was created, in Unix time
+    #   format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @!attribute [rw] modification_time
+    #   The date and time that the association was last modified, in Unix
+    #   time format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallRuleGroupAssociation AWS API Documentation
+    #
+    class FirewallRuleGroupAssociation < Struct.new(
+      :id,
+      :arn,
+      :firewall_rule_group_id,
+      :vpc_id,
+      :name,
+      :priority,
+      :mutation_protection,
+      :managed_owner_name,
+      :status,
+      :status_message,
+      :creator_request_id,
+      :creation_time,
+      :modification_time)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Minimal high-level information for a firewall rule group. The action
+    # ListFirewallRuleGroups returns an array of these objects.
+    #
+    # To retrieve full information for a firewall rule group, call
+    # GetFirewallRuleGroup and ListFirewallRules.
+    #
+    # @!attribute [rw] id
+    #   The ID of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] arn
+    #   The ARN (Amazon Resource Name) of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] owner_id
+    #   The AWS account ID for the account that created the rule group. When
+    #   a rule group is shared with your account, this is the account that
+    #   has shared the rule group with you.
+    #   @return [String]
+    #
+    # @!attribute [rw] creator_request_id
+    #   A unique string defined by you to identify the request. This allows
+    #   you to retry failed requests without the risk of executing the
+    #   operation twice. This can be any unique string, for example, a
+    #   timestamp.
+    #   @return [String]
+    #
+    # @!attribute [rw] share_status
+    #   Whether the rule group is shared with other AWS accounts, or was
+    #   shared with the current account by another AWS account. Sharing is
+    #   configured through AWS Resource Access Manager (AWS RAM).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallRuleGroupMetadata AWS API Documentation
+    #
+    class FirewallRuleGroupMetadata < Struct.new(
+      :id,
+      :arn,
+      :name,
+      :owner_id,
+      :creator_request_id,
+      :share_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetFirewallConfigRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the Amazon virtual private cloud (VPC) that the
+    #   configuration is for.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallConfigRequest AWS API Documentation
+    #
+    class GetFirewallConfigRequest < Struct.new(
+      :resource_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_config
+    #   Configuration of the firewall behavior provided by DNS Firewall for
+    #   a single Amazon virtual private cloud (VPC).
+    #   @return [Types::FirewallConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallConfigResponse AWS API Documentation
+    #
+    class GetFirewallConfigResponse < Struct.new(
+      :firewall_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetFirewallDomainListRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_domain_list_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallDomainListRequest AWS API Documentation
+    #
+    class GetFirewallDomainListRequest < Struct.new(
+      :firewall_domain_list_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_domain_list
+    #   The domain list that you requested.
+    #   @return [Types::FirewallDomainList]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallDomainListResponse AWS API Documentation
+    #
+    class GetFirewallDomainListResponse < Struct.new(
+      :firewall_domain_list)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetFirewallRuleGroupAssociationRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_association_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_association_id
+    #   The identifier of the FirewallRuleGroupAssociation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupAssociationRequest AWS API Documentation
+    #
+    class GetFirewallRuleGroupAssociationRequest < Struct.new(
+      :firewall_rule_group_association_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group_association
+    #   The association that you requested.
+    #   @return [Types::FirewallRuleGroupAssociation]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupAssociationResponse AWS API Documentation
+    #
+    class GetFirewallRuleGroupAssociationResponse < Struct.new(
+      :firewall_rule_group_association)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetFirewallRuleGroupPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         arn: "Arn", # required
+    #       }
+    #
+    # @!attribute [rw] arn
+    #   The ARN (Amazon Resource Name) for the rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupPolicyRequest AWS API Documentation
+    #
+    class GetFirewallRuleGroupPolicyRequest < Struct.new(
+      :arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group_policy
+    #   The AWS Identity and Access Management (AWS IAM) policy for sharing
+    #   the specified rule group. You can use the policy to share the rule
+    #   group using AWS Resource Access Manager (RAM).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupPolicyResponse AWS API Documentation
+    #
+    class GetFirewallRuleGroupPolicyResponse < Struct.new(
+      :firewall_rule_group_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetFirewallRuleGroupRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupRequest AWS API Documentation
+    #
+    class GetFirewallRuleGroupRequest < Struct.new(
+      :firewall_rule_group_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group
+    #   A collection of rules used to filter DNS network traffic.
+    #   @return [Types::FirewallRuleGroup]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetFirewallRuleGroupResponse AWS API Documentation
+    #
+    class GetFirewallRuleGroupResponse < Struct.new(
+      :firewall_rule_group)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetResolverDnssecConfigRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the virtual private cloud (VPC) for the DNSSEC validation
+    #   status.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverDnssecConfigRequest AWS API Documentation
+    #
+    class GetResolverDnssecConfigRequest < Struct.new(
+      :resource_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_dnssec_config
+    #   The information about a configuration for DNSSEC validation.
+    #   @return [Types::ResolverDnssecConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverDnssecConfigResponse AWS API Documentation
+    #
+    class GetResolverDnssecConfigResponse < Struct.new(
+      :resolver_dnssec_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetResolverEndpointRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resolver_endpoint_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resolver_endpoint_id
+    #   The ID of the Resolver endpoint that you want to get information
+    #   about.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverEndpointRequest AWS API Documentation
+    #
+    class GetResolverEndpointRequest < Struct.new(
+      :resolver_endpoint_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_endpoint
+    #   Information about the Resolver endpoint that you specified in a
+    #   `GetResolverEndpoint` request.
+    #   @return [Types::ResolverEndpoint]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverEndpointResponse AWS API Documentation
+    #
+    class GetResolverEndpointResponse < Struct.new(
+      :resolver_endpoint)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetResolverQueryLogConfigAssociationRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resolver_query_log_config_association_id: "ResourceId", # required
+    #       }
+    #
+    # @!attribute [rw] resolver_query_log_config_association_id
+    #   The ID of the Resolver query logging configuration association that
+    #   you want to get information about.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigAssociationRequest AWS API Documentation
+    #
+    class GetResolverQueryLogConfigAssociationRequest < Struct.new(
+      :resolver_query_log_config_association_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_query_log_config_association
+    #   Information about the Resolver query logging configuration
+    #   association that you specified in a `GetQueryLogConfigAssociation`
+    #   request.
+    #   @return [Types::ResolverQueryLogConfigAssociation]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigAssociationResponse AWS API Documentation
+    #
+    class GetResolverQueryLogConfigAssociationResponse < Struct.new(
+      :resolver_query_log_config_association)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetResolverQueryLogConfigPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         arn: "Arn", # required
+    #       }
+    #
+    # @!attribute [rw] arn
+    #   The ARN of the query logging configuration that you want to get the
+    #   query logging policy for.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/GetResolverQueryLogConfigPolicyRequest AWS API Documentation
+    #
+    class GetResolverQueryLogConfigPolicyRequest < Struct.new(
+      :arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] resolver_query_log_config_policy
+    #   Information about the query logging policy for the query logging
+    #   configuration that you specified in a
     #   `GetResolverQueryLogConfigPolicy` request.
     #   @return [String]
     #
@@ -1153,6 +2276,71 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass ImportFirewallDomainsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_domain_list_id: "ResourceId", # required
+    #         operation: "REPLACE", # required, accepts REPLACE
+    #         domain_file_url: "DomainListFileUrl", # required
+    #       }
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list that you want to modify with the import
+    #   operation.
+    #   @return [String]
+    #
+    # @!attribute [rw] operation
+    #   What you want DNS Firewall to do with the domains that are listed in
+    #   the file. This must be set to `REPLACE`, which updates the domain
+    #   list to exactly match the list in the file.
+    #   @return [String]
+    #
+    # @!attribute [rw] domain_file_url
+    #   The fully qualified URL or URI of the file stored in Amazon Simple
+    #   Storage Service (S3) that contains the list of domains to import.
+    #
+    #   The file must be in an S3 bucket that's in the same Region as your
+    #   DNS Firewall. The file must be a text file and must contain a single
+    #   domain per line.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ImportFirewallDomainsRequest AWS API Documentation
+    #
+    class ImportFirewallDomainsRequest < Struct.new(
+      :firewall_domain_list_id,
+      :operation,
+      :domain_file_url)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] id
+    #   The Id of the firewall domain list that DNS Firewall just updated.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the domain list.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Additional information about the status of the list, if available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ImportFirewallDomainsResponse AWS API Documentation
+    #
+    class ImportFirewallDomainsResponse < Struct.new(
+      :id,
+      :name,
+      :status,
+      :status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # We encountered an unknown error. Try again in a few minutes.
     #
     # @!attribute [rw] message
@@ -1301,94 +2489,520 @@ module Aws::Route53Resolver
     #   the request.
     #   @return [String]
     #
-    # @!attribute [rw] creation_time
-    #   The date and time that the IP address was created, in Unix time
-    #   format and Coordinated Universal Time (UTC).
-    #   @return [String]
+    # @!attribute [rw] creation_time
+    #   The date and time that the IP address was created, in Unix time
+    #   format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @!attribute [rw] modification_time
+    #   The date and time that the IP address was last modified, in Unix
+    #   time format and Coordinated Universal Time (UTC).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/IpAddressResponse AWS API Documentation
+    #
+    class IpAddressResponse < Struct.new(
+      :ip_id,
+      :subnet_id,
+      :ip,
+      :status,
+      :status_message,
+      :creation_time,
+      :modification_time)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # In an [UpdateResolverEndpoint][1] request, information about an IP
+    # address to update.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_UpdateResolverEndpoint.html
+    #
+    # @note When making an API call, you may pass IpAddressUpdate
+    #   data as a hash:
+    #
+    #       {
+    #         ip_id: "ResourceId",
+    #         subnet_id: "SubnetId",
+    #         ip: "Ip",
+    #       }
+    #
+    # @!attribute [rw] ip_id
+    #   *Only when removing an IP address from a Resolver endpoint*\: The ID
+    #   of the IP address that you want to remove. To get this ID, use
+    #   [GetResolverEndpoint][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_GetResolverEndpoint.html
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_id
+    #   The ID of the subnet that includes the IP address that you want to
+    #   update. To get this ID, use [GetResolverEndpoint][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_GetResolverEndpoint.html
+    #   @return [String]
+    #
+    # @!attribute [rw] ip
+    #   The new IP address.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/IpAddressUpdate AWS API Documentation
+    #
+    class IpAddressUpdate < Struct.new(
+      :ip_id,
+      :subnet_id,
+      :ip)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request caused one or more limits to be exceeded.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   For a `LimitExceededException` error, the type of resource that
+    #   exceeded the current limit.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/LimitExceededException AWS API Documentation
+    #
+    class LimitExceededException < Struct.new(
+      :message,
+      :resource_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallConfigsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
+    #
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallConfigsRequest AWS API Documentation
+    #
+    class ListFirewallConfigsRequest < Struct.new(
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_configs
+    #   The configurations for the firewall behavior provided by DNS
+    #   Firewall for Amazon virtual private clouds (VPC).
+    #   @return [Array<Types::FirewallConfig>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallConfigsResponse AWS API Documentation
+    #
+    class ListFirewallConfigsResponse < Struct.new(
+      :next_token,
+      :firewall_configs)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallDomainListsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
+    #
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallDomainListsRequest AWS API Documentation
+    #
+    class ListFirewallDomainListsRequest < Struct.new(
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_domain_lists
+    #   A list of the domain lists that you have defined.
+    #
+    #   This might be a parital list of the domain lists that you've
+    #   defined. For information, see `MaxResults`.
+    #   @return [Array<Types::FirewallDomainListMetadata>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallDomainListsResponse AWS API Documentation
+    #
+    class ListFirewallDomainListsResponse < Struct.new(
+      :next_token,
+      :firewall_domain_lists)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallDomainsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_domain_list_id: "ResourceId", # required
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list whose domains you want to retrieve.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
+    #
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallDomainsRequest AWS API Documentation
+    #
+    class ListFirewallDomainsRequest < Struct.new(
+      :firewall_domain_list_id,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
+    #   @return [String]
+    #
+    # @!attribute [rw] domains
+    #   A list of the domains in the firewall domain list.
+    #
+    #   This might be a parital list of the domains that you've defined in
+    #   the domain list. For information, see `MaxResults`.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallDomainsResponse AWS API Documentation
+    #
+    class ListFirewallDomainsResponse < Struct.new(
+      :next_token,
+      :domains)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallRuleGroupAssociationsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_id: "ResourceId",
+    #         vpc_id: "ResourceId",
+    #         priority: 1,
+    #         status: "COMPLETE", # accepts COMPLETE, DELETING, UPDATING
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group that you want to
+    #   retrieve the associations for. Leave this blank to retrieve
+    #   associations for any rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The unique identifier of the VPC that you want to retrieve the
+    #   associations for. Leave this blank to retrieve associations for any
+    #   VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule group
+    #   among the rule groups that are associated with a single VPC. DNS
+    #   Firewall filters VPC traffic starting from rule group with the
+    #   lowest numeric priority setting.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] status
+    #   The association `Status` setting that you want DNS Firewall to
+    #   filter on for the list. If you don't specify this, then DNS
+    #   Firewall returns all associations, regardless of status.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
+    #
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRuleGroupAssociationsRequest AWS API Documentation
+    #
+    class ListFirewallRuleGroupAssociationsRequest < Struct.new(
+      :firewall_rule_group_id,
+      :vpc_id,
+      :priority,
+      :status,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_rule_group_associations
+    #   A list of your firewall rule group associations.
+    #
+    #   This might be a partial list of the associations that you have
+    #   defined. For information, see `MaxResults`.
+    #   @return [Array<Types::FirewallRuleGroupAssociation>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRuleGroupAssociationsResponse AWS API Documentation
+    #
+    class ListFirewallRuleGroupAssociationsResponse < Struct.new(
+      :next_token,
+      :firewall_rule_group_associations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallRuleGroupsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
     #
-    # @!attribute [rw] modification_time
-    #   The date and time that the IP address was last modified, in Unix
-    #   time format and Coordinated Universal Time (UTC).
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/IpAddressResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRuleGroupsRequest AWS API Documentation
     #
-    class IpAddressResponse < Struct.new(
-      :ip_id,
-      :subnet_id,
-      :ip,
-      :status,
-      :status_message,
-      :creation_time,
-      :modification_time)
+    class ListFirewallRuleGroupsRequest < Struct.new(
+      :max_results,
+      :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # In an [UpdateResolverEndpoint][1] request, information about an IP
-    # address to update.
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
+    #   @return [String]
     #
+    # @!attribute [rw] firewall_rule_groups
+    #   A list of your firewall rule groups.
     #
+    #   This might be a partial list of the rule groups that you have
+    #   defined. For information, see `MaxResults`.
+    #   @return [Array<Types::FirewallRuleGroupMetadata>]
     #
-    # [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_UpdateResolverEndpoint.html
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRuleGroupsResponse AWS API Documentation
     #
-    # @note When making an API call, you may pass IpAddressUpdate
+    class ListFirewallRuleGroupsResponse < Struct.new(
+      :next_token,
+      :firewall_rule_groups)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListFirewallRulesRequest
     #   data as a hash:
     #
     #       {
-    #         ip_id: "ResourceId",
-    #         subnet_id: "SubnetId",
-    #         ip: "Ip",
+    #         firewall_rule_group_id: "ResourceId", # required
+    #         priority: 1,
+    #         action: "ALLOW", # accepts ALLOW, BLOCK, ALERT
+    #         max_results: 1,
+    #         next_token: "NextToken",
     #       }
     #
-    # @!attribute [rw] ip_id
-    #   *Only when removing an IP address from a Resolver endpoint*\: The ID
-    #   of the IP address that you want to remove. To get this ID, use
-    #   [GetResolverEndpoint][1].
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group that you want to
+    #   retrieve the rules for.
+    #   @return [String]
     #
+    # @!attribute [rw] priority
+    #   Optional additional filter for the rules to retrieve.
     #
+    #   The setting that determines the processing order of the rules in a
+    #   rule group. DNS Firewall processes the rules in a rule group by
+    #   order of priority, starting from the lowest setting.
+    #   @return [Integer]
     #
-    #   [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_GetResolverEndpoint.html
-    #   @return [String]
+    # @!attribute [rw] action
+    #   Optional additional filter for the rules to retrieve.
     #
-    # @!attribute [rw] subnet_id
-    #   The ID of the subnet that includes the IP address that you want to
-    #   update. To get this ID, use [GetResolverEndpoint][1].
+    #   The action that DNS Firewall should take on a DNS query when it
+    #   matches one of the domains in the rule's domain list:
     #
+    #   * `ALLOW` - Permit the request to go through.
     #
+    #   * `ALERT` - Permit the request to go through but send an alert to
+    #     the logs.
     #
-    #   [1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_GetResolverEndpoint.html
+    #   * `BLOCK` - Disallow the request. If this is specified, additional
+    #     handling details are provided in the rule's `BlockResponse`
+    #     setting.
     #   @return [String]
     #
-    # @!attribute [rw] ip
-    #   The new IP address.
+    # @!attribute [rw] max_results
+    #   The maximum number of objects that you want Resolver to return for
+    #   this request. If more objects are available, in the response,
+    #   Resolver provides a `NextToken` value that you can use in a
+    #   subsequent call to get the next batch of objects.
+    #
+    #   If you don't specify a value for `MaxResults`, Resolver returns up
+    #   to 100 objects.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   For the first call to this list request, omit this value.
+    #
+    #   When you request a list of objects, Resolver returns at most the
+    #   number of objects specified in `MaxResults`. If more objects are
+    #   available for retrieval, Resolver returns a `NextToken` value in the
+    #   response. To retrieve the next batch of objects, use the token that
+    #   was returned for the prior request in your next request.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/IpAddressUpdate AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRulesRequest AWS API Documentation
     #
-    class IpAddressUpdate < Struct.new(
-      :ip_id,
-      :subnet_id,
-      :ip)
+    class ListFirewallRulesRequest < Struct.new(
+      :firewall_rule_group_id,
+      :priority,
+      :action,
+      :max_results,
+      :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The request caused one or more limits to be exceeded.
-    #
-    # @!attribute [rw] message
+    # @!attribute [rw] next_token
+    #   If objects are still available for retrieval, Resolver returns this
+    #   token in the response. To retrieve the next batch of objects,
+    #   provide this token in your next request.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   For a `LimitExceededException` error, the type of resource that
-    #   exceeded the current limit.
-    #   @return [String]
+    # @!attribute [rw] firewall_rules
+    #   A list of the rules that you have defined.
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/LimitExceededException AWS API Documentation
+    #   This might be a parital list of the firewall rules that you've
+    #   defined. For information, see `MaxResults`.
+    #   @return [Array<Types::FirewallRule>]
     #
-    class LimitExceededException < Struct.new(
-      :message,
-      :resource_type)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRulesResponse AWS API Documentation
+    #
+    class ListFirewallRulesResponse < Struct.new(
+      :next_token,
+      :firewall_rules)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2171,6 +3785,44 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass PutFirewallRuleGroupPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         arn: "Arn", # required
+    #         firewall_rule_group_policy: "FirewallRuleGroupPolicy", # required
+    #       }
+    #
+    # @!attribute [rw] arn
+    #   The ARN (Amazon Resource Name) for the rule group that you want to
+    #   share.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_rule_group_policy
+    #   The AWS Identity and Access Management (AWS IAM) policy to attach to
+    #   the rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/PutFirewallRuleGroupPolicyRequest AWS API Documentation
+    #
+    class PutFirewallRuleGroupPolicyRequest < Struct.new(
+      :arn,
+      :firewall_rule_group_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] return_value
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/PutFirewallRuleGroupPolicyResponse AWS API Documentation
+    #
+    class PutFirewallRuleGroupPolicyResponse < Struct.new(
+      :return_value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass PutResolverQueryLogConfigPolicyRequest
     #   data as a hash:
     #
@@ -3157,6 +4809,308 @@ module Aws::Route53Resolver
     #
     class UntagResourceResponse < Aws::EmptyStructure; end
 
+    # @note When making an API call, you may pass UpdateFirewallConfigRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_id: "ResourceId", # required
+    #         firewall_fail_open: "ENABLED", # required, accepts ENABLED, DISABLED
+    #       }
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the Amazon virtual private cloud (VPC) that the
+    #   configuration is for.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_fail_open
+    #   Determines how Route 53 Resolver handles queries during failures,
+    #   for example when all traffic that is sent to DNS Firewall fails to
+    #   receive a reply.
+    #
+    #   * By default, fail open is disabled, which means the failure mode is
+    #     closed. This approach favors security over availability. DNS
+    #     Firewall blocks queries that it is unable to evaluate properly.
+    #
+    #   * If you enable this option, the failure mode is open. This approach
+    #     favors availability over security. DNS Firewall allows queries to
+    #     proceed if it is unable to properly evaluate them.
+    #
+    #   This behavior is only enforced for VPCs that have at least one DNS
+    #   Firewall rule group association.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallConfigRequest AWS API Documentation
+    #
+    class UpdateFirewallConfigRequest < Struct.new(
+      :resource_id,
+      :firewall_fail_open)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_config
+    #   Configuration of the firewall behavior provided by DNS Firewall for
+    #   a single Amazon virtual private cloud (VPC).
+    #   @return [Types::FirewallConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallConfigResponse AWS API Documentation
+    #
+    class UpdateFirewallConfigResponse < Struct.new(
+      :firewall_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass UpdateFirewallDomainsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_domain_list_id: "ResourceId", # required
+    #         operation: "ADD", # required, accepts ADD, REMOVE, REPLACE
+    #         domains: ["FirewallDomainName"], # required
+    #       }
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list whose domains you want to update.
+    #   @return [String]
+    #
+    # @!attribute [rw] operation
+    #   What you want DNS Firewall to do with the domains that you are
+    #   providing:
+    #
+    #   * `ADD` - Add the domains to the ones that are already in the domain
+    #     list.
+    #
+    #   * `REMOVE` - Search the domain list for the domains and remove them
+    #     from the list.
+    #
+    #   * `REPLACE` - Update the domain list to exactly match the list that
+    #     you are providing.
+    #   @return [String]
+    #
+    # @!attribute [rw] domains
+    #   A list of domains to use in the update operation.
+    #
+    #   Each domain specification in your domain list must satisfy the
+    #   following requirements:
+    #
+    #   * It can optionally start with `*` (asterisk).
+    #
+    #   * With the exception of the optional starting asterisk, it must only
+    #     contain the following characters: `A-Z`, `a-z`, `0-9`, `-`
+    #     (hyphen).
+    #
+    #   * It must be from 1-255 characters in length.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallDomainsRequest AWS API Documentation
+    #
+    class UpdateFirewallDomainsRequest < Struct.new(
+      :firewall_domain_list_id,
+      :operation,
+      :domains)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] id
+    #   The Id of the firewall domain list that DNS Firewall just updated.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the domain list.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Additional information about the status of the list, if available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallDomainsResponse AWS API Documentation
+    #
+    class UpdateFirewallDomainsResponse < Struct.new(
+      :id,
+      :name,
+      :status,
+      :status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass UpdateFirewallRuleGroupAssociationRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_association_id: "ResourceId", # required
+    #         priority: 1,
+    #         mutation_protection: "ENABLED", # accepts ENABLED, DISABLED
+    #         name: "Name",
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_association_id
+    #   The identifier of the FirewallRuleGroupAssociation.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule group
+    #   among the rule groups that you associate with the specified VPC. DNS
+    #   Firewall filters VPC traffic starting from rule group with the
+    #   lowest numeric priority setting.
+    #
+    #   You must specify a unique priority for each rule group that you
+    #   associate with a single VPC. To make it easier to insert rule groups
+    #   later, leave space between the numbers, for example, use 100, 200,
+    #   and so on. You can change the priority setting for a rule group
+    #   association after you create it.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] mutation_protection
+    #   If enabled, this setting disallows modification or removal of the
+    #   association, to help prevent against accidentally altering DNS
+    #   firewall protections.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the rule group association.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRuleGroupAssociationRequest AWS API Documentation
+    #
+    class UpdateFirewallRuleGroupAssociationRequest < Struct.new(
+      :firewall_rule_group_association_id,
+      :priority,
+      :mutation_protection,
+      :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule_group_association
+    #   The association that you just updated.
+    #   @return [Types::FirewallRuleGroupAssociation]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRuleGroupAssociationResponse AWS API Documentation
+    #
+    class UpdateFirewallRuleGroupAssociationResponse < Struct.new(
+      :firewall_rule_group_association)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass UpdateFirewallRuleRequest
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_rule_group_id: "ResourceId", # required
+    #         firewall_domain_list_id: "ResourceId", # required
+    #         priority: 1,
+    #         action: "ALLOW", # accepts ALLOW, BLOCK, ALERT
+    #         block_response: "NODATA", # accepts NODATA, NXDOMAIN, OVERRIDE
+    #         block_override_domain: "BlockOverrideDomain",
+    #         block_override_dns_type: "CNAME", # accepts CNAME
+    #         block_override_ttl: 1,
+    #         name: "Name",
+    #       }
+    #
+    # @!attribute [rw] firewall_rule_group_id
+    #   The unique identifier of the firewall rule group for the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_domain_list_id
+    #   The ID of the domain list to use in the rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The setting that determines the processing order of the rule in the
+    #   rule group. DNS Firewall processes the rules in a rule group by
+    #   order of priority, starting from the lowest setting.
+    #
+    #   You must specify a unique priority for each rule in a rule group. To
+    #   make it easier to insert rules later, leave space between the
+    #   numbers, for example, use 100, 200, and so on. You can change the
+    #   priority setting for the rules in a rule group at any time.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] action
+    #   The action that DNS Firewall should take on a DNS query when it
+    #   matches one of the domains in the rule's domain list:
+    #
+    #   * `ALLOW` - Permit the request to go through.
+    #
+    #   * `ALERT` - Permit the request to go through but send an alert to
+    #     the logs.
+    #
+    #   * `BLOCK` - Disallow the request. This option requires additional
+    #     details in the rule's `BlockResponse`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_response
+    #   The way that you want DNS Firewall to block the request. Used for
+    #   the rule action setting `BLOCK`.
+    #
+    #   * `NODATA` - Respond indicating that the query was successful, but
+    #     no response is available for it.
+    #
+    #   * `NXDOMAIN` - Respond indicating that the domain name that's in
+    #     the query doesn't exist.
+    #
+    #   * `OVERRIDE` - Provide a custom override in the response. This
+    #     option requires custom handling details in the rule's
+    #     `BlockOverride*` settings.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_domain
+    #   The custom DNS record to send back in response to the query. Used
+    #   for the rule action `BLOCK` with a `BlockResponse` setting of
+    #   `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_dns_type
+    #   The DNS record's type. This determines the format of the record
+    #   value that you provided in `BlockOverrideDomain`. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #   @return [String]
+    #
+    # @!attribute [rw] block_override_ttl
+    #   The recommended amount of time, in seconds, for the DNS resolver or
+    #   web browser to cache the provided override record. Used for the rule
+    #   action `BLOCK` with a `BlockResponse` setting of `OVERRIDE`.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] name
+    #   The name of the rule.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRuleRequest AWS API Documentation
+    #
+    class UpdateFirewallRuleRequest < Struct.new(
+      :firewall_rule_group_id,
+      :firewall_domain_list_id,
+      :priority,
+      :action,
+      :block_response,
+      :block_override_domain,
+      :block_override_dns_type,
+      :block_override_ttl,
+      :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_rule
+    #   The firewall rule that you just updated.
+    #   @return [Types::FirewallRule]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRuleResponse AWS API Documentation
+    #
+    class UpdateFirewallRuleResponse < Struct.new(
+      :firewall_rule)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass UpdateResolverDnssecConfigRequest
     #   data as a hash:
     #
@@ -3281,5 +5235,16 @@ module Aws::Route53Resolver
       include Aws::Structure
     end
 
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ValidationException AWS API Documentation
+    #
+    class ValidationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
   end
 end