From fa1c4b72b7a08cf26eb1c0f10cf4ef5c2c63ece1 Mon Sep 17 00:00:00 2001
From: Angie Pinilla
Date: Wed, 18 Nov 2020 10:40:39 -0500
Subject: [PATCH 1/6] add resource_policy resource support
---
 aws/provider.go | 1 +
 ...rce_aws_networkfirewall_resource_policy.go | 110 ++++++
 ...ws_networkfirewall_resource_policy_test.go | 332 ++++++++++++++++++
 ...workfirewall_resource_policy.html.markdown | 86 +++++
 4 files changed, 529 insertions(+)
 create mode 100644 aws/resource_aws_networkfirewall_resource_policy.go
 create mode 100644 aws/resource_aws_networkfirewall_resource_policy_test.go
 create mode 100644 website/docs/r/networkfirewall_resource_policy.html.markdown
diff --git a/aws/provider.go b/aws/provider.go
index 34533b76eaf..23849c8d63c 100644
--- a/aws/provider.go
+++ b/aws/provider.go
@@ -772,6 +772,7 @@ func Provider() *schema.Provider {
 "aws_network_acl_rule": resourceAwsNetworkAclRule(),
 "aws_network_interface": resourceAwsNetworkInterface(),
 "aws_network_interface_attachment": resourceAwsNetworkInterfaceAttachment(),
+ "aws_networkfirewall_resource_policy": resourceAwsNetworkFirewallResourcePolicy(),
 "aws_opsworks_application": resourceAwsOpsworksApplication(),
 "aws_opsworks_stack": resourceAwsOpsworksStack(),
 "aws_opsworks_java_app_layer": resourceAwsOpsworksJavaAppLayer(),
diff --git a/aws/resource_aws_networkfirewall_resource_policy.go b/aws/resource_aws_networkfirewall_resource_policy.go
new file mode 100644
index 00000000000..004f115d599
--- /dev/null
+++ b/aws/resource_aws_networkfirewall_resource_policy.go
@@ -0,0 +1,110 @@
+package aws
+
+import (
+ "context"
+ "fmt"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/networkfirewall"
+ "github.com/hashicorp/aws-sdk-go-base/tfawserr"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/networkfirewall/finder"
+)
+
+func resourceAwsNetworkFirewallResourcePolicy() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: resourceAwsNetworkFirewallResourcePolicyPut,
+ ReadContext: resourceAwsNetworkFirewallResourcePolicyRead,
+ UpdateContext: resourceAwsNetworkFirewallResourcePolicyPut,
+ DeleteContext: resourceAwsNetworkFirewallResourcePolicyDelete,
+
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "policy": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringIsJSON,
+ DiffSuppressFunc: suppressEquivalentJsonDiffs,
+ },
+ "resource_arn": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateArn,
+ },
+ },
+ }
+}
+
+func resourceAwsNetworkFirewallResourcePolicyPut(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).networkfirewallconn
+ resourceArn := d.Get("resource_arn").(string)
+ input := &networkfirewall.PutResourcePolicyInput{
+ ResourceArn: aws.String(resourceArn),
+ Policy: aws.String(d.Get("policy").(string)),
+ }
+
+ log.Printf("[DEBUG] Putting NetworkFirewall Resource Policy for resource: %s", resourceArn)
+
+ _, err := conn.PutResourcePolicyWithContext(ctx, input)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("error creating NetworkFirewall Resource Policy (for resource: %s): %w", resourceArn, err))
+ }
+
+ d.SetId(resourceArn)
+
+ return resourceAwsNetworkFirewallResourcePolicyRead(ctx, d, meta)
+}
+
+func resourceAwsNetworkFirewallResourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).networkfirewallconn
+ resourceArn := d.Id()
+
+ log.Printf("[DEBUG] Reading NetworkFirewall Resource Policy for resource: %s", resourceArn)
+
+ policy, err := finder.ResourcePolicy(ctx, conn, resourceArn)
+ if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, networkfirewall.ErrCodeResourceNotFoundException) {
+ log.Printf("[WARN] NetworkFirewall Resource Policy (for resource: %s) not found, removing from state", resourceArn)
+ d.SetId("")
+ return nil
+ }
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("error reading NetworkFirewall Resource Policy (for resource: %s): %w", resourceArn, err))
+ }
+
+ if policy == nil {
+ return diag.FromErr(fmt.Errorf("error reading NetworkFirewall Resource Policy (for resource: %s): empty output", resourceArn))
+ }
+
+ d.Set("policy", policy)
+ d.Set("resource_arn", resourceArn)
+
+ return nil
+}
+
+func resourceAwsNetworkFirewallResourcePolicyDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*AWSClient).networkfirewallconn
+
+ log.Printf("[DEBUG] Deleting NetworkFirewall Resource Policy for resource: %s", d.Id())
+
+ input := &networkfirewall.DeleteResourcePolicyInput{
+ ResourceArn: aws.String(d.Id()),
+ }
+
+ _, err := conn.DeleteResourcePolicyWithContext(ctx, input)
+
+ if err != nil {
+ if tfawserr.ErrCodeEquals(err, networkfirewall.ErrCodeResourceNotFoundException) {
+ return nil
+ }
+ return diag.FromErr(fmt.Errorf("error deleting NetworkFirewall Resource Policy (for resource: %s): %w", d.Id(), err))
+ }
+
+ return nil
+}
diff --git a/aws/resource_aws_networkfirewall_resource_policy_test.go b/aws/resource_aws_networkfirewall_resource_policy_test.go
new file mode 100644
index 00000000000..322efb0175e
--- /dev/null
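Review bot: The two `d.Set` calls at the end of resourceAwsNetworkFirewallResourcePolicyRead discard their return values; the provider's usual form is `if err := d.Set("policy", policy); err != nil { return diag.FromErr(fmt.Errorf("error setting policy: %w", err)) }`, and likewise for `resource_arn`. The `policy` attribute is the resource-based policy that decides which principals may use the shared firewall policy or rule group, so a state write that fails silently would hide exactly the drift a plan is meant to surface. resourceAwsNetworkFirewallResourcePolicyPut is wired to both CreateContext and UpdateContext but carries no comment saying so; `// resourceAwsNetworkFirewallResourcePolicyPut backs both Create and Update: PutResourcePolicy replaces whatever policy is attached to resource_arn, and the resource ID is that ARN.` above it would make the shared use explicit (that the API overwrites rather than merges is inferred from the Update wiring, so confirm it against the service documentation).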
+++ b/aws/resource_aws_networkfirewall_resource_policy_test.go 
@@ -0,0 +1,332 @@
+package aws
+
+import (
+ "context"
+ "fmt"
+ "regexp"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/service/networkfirewall"
+ "github.com/hashicorp/aws-sdk-go-base/tfawserr"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/networkfirewall/finder"
+)
+
+func TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy(t *testing.T) {
+ var providers []*schema.Provider
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_networkfirewall_resource_policy.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: testAccProviderFactoriesAlternate(&providers),
+ CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
+ resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+ resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\"]`)),
+ ),
+ },
+ {
+ Config: testAccNetworkFirewallResourcePolicy_firewallPolicy_updatePolicy(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
+ resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\", \"network\-firewall:AssociateFirewallPolicy\"]`)),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAwsNetworkFirewallResourcePolicy_ruleGroup(t *testing.T) {
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_networkfirewall_resource_policy.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkFirewallResourcePolicy_ruleGroup(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
+ resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+ resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\"]`)),
+ ),
+ },
+ {
+ Config: testAccNetworkFirewallResourcePolicy_ruleGroup_updatePolicy(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
+ resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\", \"network\-firewall:CreateFirewallPolicy\"]`)),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAwsNetworkFirewallResourcePolicy_disappears(t *testing.T) {
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_networkfirewall_resource_policy.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
+ testAccCheckResourceDisappears(testAccProvider, resourceAwsNetworkFirewallResourcePolicy(), resourceName),
+ ),
+ ExpectNonEmptyPlan: true,
+ },
+ },
+ })
+}
+
+func testAccCheckAwsNetworkFirewallResourcePolicyDestroy(s *terraform.State) error {
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "aws_networkfirewall_resource_policy" {
+ continue
+ }
+
+ conn := testAccProvider.Meta().(*AWSClient).networkfirewallconn
+ policy, err := finder.ResourcePolicy(context.Background(), conn, rs.Primary.ID)
+ if tfawserr.ErrCodeEquals(err, networkfirewall.ErrCodeResourceNotFoundException) {
+ continue
+ }
+ if err != nil {
+ return err
+ }
+ if policy != nil {
+ return fmt.Errorf("NetworkFirewall Resource Policy (for resource: %s) still exists", rs.Primary.ID)
+ }
+ }
+
+ return nil
+}
+
+func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources[n]
+ if !ok {
+ return fmt.Errorf("Not found: %s", n)
+ }
+
+ if rs.Primary.ID == "" {
+ return fmt.Errorf("No NetworkFirewall Resource Policy ID is set")
+ }
+
+ conn := testAccProvider.Meta().(*AWSClient).networkfirewallconn
+ policy, err := finder.ResourcePolicy(context.Background(), conn, rs.Primary.ID)
+ if err != nil {
+ return err
+ }
+
+ if policy == nil {
+ return fmt.Errorf("NetworkFirewall Resource Policy (for resource: %s) not found", rs.Primary.ID)
+ }
+
+ return nil
+ }
+}
+
+func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string {
+ return fmt.Sprintf(`
+resource "aws_iam_user" "test" {
+ name = %[1]q
+ path = "/"
+}
+
+resource "aws_networkfirewall_firewall_policy" "test" {
+ name = %[1]q
+ firewall_policy {
+ stateless_fragment_default_actions = ["aws:drop"]
+ stateless_default_actions = ["aws:pass"]
+ }
+}
+
+resource "aws_ram_resource_share" "test" {
+ name = %[1]q
+ allow_external_principals = true
+
+ tags = {
+ Name = %[1]q
+ }
+}
+
+resource "aws_ram_resource_association" "test" {
+ resource_arn = aws_networkfirewall_firewall_policy.test.arn
+ resource_share_arn = 
aws_ram_resource_share.test.id +} + +resource "aws_ram_principal_association" "test" { + principal = aws_iam_user.test.arn + resource_share_arn = aws_ram_resource_share.test.id +} +`, rName) +} + +func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string { + return composeConfig( + testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), ` +resource "aws_networkfirewall_resource_policy" "test" { + resource_arn = aws_iam_user.test.arn + policy = < Date: Wed, 18 Nov 2020 10:54:35 -0500 Subject: [PATCH 2/6] update acctest data source --- ...ws_networkfirewall_resource_policy_test.go | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/aws/resource_aws_networkfirewall_resource_policy_test.go b/aws/resource_aws_networkfirewall_resource_policy_test.go index 322efb0175e..94d6adaed9c 100644 --- a/aws/resource_aws_networkfirewall_resource_policy_test.go +++ b/aws/resource_aws_networkfirewall_resource_policy_test.go @@ -152,9 +152,8 @@ func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestC func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string { return fmt.Sprintf(` -resource "aws_iam_user" "test" { - name = %[1]q - path = "/" +data "aws_caller_identity" "alternate" { + provider = "awsalternate" } resource "aws_networkfirewall_firewall_policy" "test" { @@ -180,7 +179,7 @@ resource "aws_ram_resource_association" "test" { } resource "aws_ram_principal_association" "test" { - principal = aws_iam_user.test.arn + principal = data.aws_caller_identity.alternate.account_id resource_share_arn = aws_ram_resource_share.test.id } `, rName) 
@@ -190,7 +189,7 @@ func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string { return composeConfig( testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), ` resource "aws_networkfirewall_resource_policy" "test" { - resource_arn = aws_iam_user.test.arn + resource_arn = data.aws_caller_identity.alternate.arn policy = < Date: Wed, 18 Nov 2020 11:05:02 -0500 Subject: [PATCH 3/6] add alternate provider config --- ...ws_networkfirewall_resource_policy_test.go | 25 +++++++------------ 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/aws/resource_aws_networkfirewall_resource_policy_test.go b/aws/resource_aws_networkfirewall_resource_policy_test.go index 94d6adaed9c..ba658c6c05d 100644 --- a/aws/resource_aws_networkfirewall_resource_policy_test.go +++ b/aws/resource_aws_networkfirewall_resource_policy_test.go @@ -151,7 +151,9 @@ func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestC } func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string { - return fmt.Sprintf(` + return composeConfig( + testAccAlternateAccountProviderConfig(), + fmt.Sprintf(` data "aws_caller_identity" "alternate" { provider = "awsalternate" } @@ -177,12 +179,7 @@ resource "aws_ram_resource_association" "test" { resource_arn = aws_networkfirewall_firewall_policy.test.arn resource_share_arn = aws_ram_resource_share.test.id } - -resource "aws_ram_principal_association" "test" { - principal = data.aws_caller_identity.alternate.account_id - resource_share_arn = aws_ram_resource_share.test.id -} -`, rName) +`, rName)) } func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string { @@ -204,7 +201,7 @@ resource "aws_networkfirewall_resource_policy" "test" { } POLICY - depends_on = [aws_ram_principal_association.test, aws_ram_resource_association.test] + depends_on = [aws_ram_resource_association.test] } `) } 
@@ -231,12 +228,13 @@ resource "aws_networkfirewall_resource_policy" "test" { } POLICY } - depends_on = [aws_ram_principal_association.test, aws_ram_resource_association.test] + depends_on = [aws_ram_resource_association.test] `) } func testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName string) string { return composeConfig( + testAccAlternateAccountProviderConfig(), fmt.Sprintf(` data "aws_caller_identity" "alternate" { provider = "awsalternate" @@ -270,11 +268,6 @@ resource "aws_ram_resource_association" "test" { resource_arn = aws_networkfirewall_rule_group.test.arn resource_share_arn = aws_ram_resource_share.test.id } - -resource "aws_ram_principal_association" "test" { - principal = data.aws_caller_identity.alternate.account_id - resource_share_arn = aws_ram_resource_share.test.id -} `, rName)) } @@ -297,7 +290,7 @@ resource "aws_networkfirewall_resource_policy" "test" { } POLICY - depends_on = [aws_ram_principal_association.test, aws_ram_resource_association.test] + depends_on = [aws_ram_resource_association.test] } `) } @@ -324,7 +317,7 @@ resource "aws_networkfirewall_resource_policy" "test" { } POLICY - depends_on = [aws_ram_principal_association.test, aws_ram_resource_association.test] + depends_on = [aws_ram_resource_association.test] } `) } From b1550e9b0c646a447c0c51a004c58cbbaa6bf40c Mon Sep 17 00:00:00 2001 From: Angie Pinilla Date: Tue, 24 Nov 2020 15:43:57 -0500 Subject: [PATCH 4/6] update tests with jsonencode for policy --- ...rce_aws_networkfirewall_resource_policy.go | 2 +- ...ws_networkfirewall_resource_policy_test.go | 234 +++++++++--------- ...workfirewall_resource_policy.html.markdown | 69 +++--- 3 files changed, 140 insertions(+), 165 deletions(-) diff --git a/aws/resource_aws_networkfirewall_resource_policy.go b/aws/resource_aws_networkfirewall_resource_policy.go index 004f115d599..288c9026f8c 100644 --- a/aws/resource_aws_networkfirewall_resource_policy.go +++ b/aws/resource_aws_networkfirewall_resource_policy.go 
@@ -54,7 +54,7 @@ func resourceAwsNetworkFirewallResourcePolicyPut(ctx context.Context, d *schema. _, err := conn.PutResourcePolicyWithContext(ctx, input) if err != nil { - return diag.FromErr(fmt.Errorf("error creating NetworkFirewall Resource Policy (for resource: %s): %w", resourceArn, err)) + return diag.FromErr(fmt.Errorf("error putting NetworkFirewall Resource Policy (for resource: %s): %w", resourceArn, err)) } d.SetId(resourceArn) diff --git a/aws/resource_aws_networkfirewall_resource_policy_test.go b/aws/resource_aws_networkfirewall_resource_policy_test.go index ba658c6c05d..2ba8e477d4f 100644 --- a/aws/resource_aws_networkfirewall_resource_policy_test.go +++ b/aws/resource_aws_networkfirewall_resource_policy_test.go 
@@ -10,34 +10,32 @@ import ( "github.com/hashicorp/aws-sdk-go-base/tfawserr" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/networkfirewall/finder" ) func TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy(t *testing.T) { - var providers []*schema.Provider rName := acctest.RandomWithPrefix("tf-acc-test") resourceName := "aws_networkfirewall_resource_policy.test" resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: testAccProviderFactoriesAlternate(&providers), - CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy, + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy, Steps: []resource.TestStep{ { Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), - resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"), - resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\"]`)), + resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_networkfirewall_firewall_policy.test", "arn"), + resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"Action":"network-firewall:ListFirewallPolicies"`)), ), }, { Config: testAccNetworkFirewallResourcePolicy_firewallPolicy_updatePolicy(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), - resource.TestMatchResourceAttr(resourceName, "policy", 
regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\", \"network\-firewall:AssociateFirewallPolicy\"]`)), + resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"Action":\["network-firewall:ListFirewallPolicies","network-firewall:AssociateFirewallPolicy"\]`)), ), }, { @@ -62,15 +60,15 @@ func TestAccAwsNetworkFirewallResourcePolicy_ruleGroup(t *testing.T) { Config: testAccNetworkFirewallResourcePolicy_ruleGroup(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), - resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"), - resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\"]`)), + resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_networkfirewall_rule_group.test", "arn"), + resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"Action":"network-firewall:ListRuleGroups"`)), ), }, { Config: testAccNetworkFirewallResourcePolicy_ruleGroup_updatePolicy(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), - resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\", \"network\-firewall:CreateFirewallPolicy\"]`)), + resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"Action":\["network-firewall:ListRuleGroups","network-firewall:CreateFirewallPolicy"\]`)), ), }, { 
@@ -103,6 +101,48 @@ func TestAccAwsNetworkFirewallResourcePolicy_disappears(t *testing.T) { }) } +func TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy_disappears(t *testing.T) { + rName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_networkfirewall_resource_policy.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), + testAccCheckResourceDisappears(testAccProvider, resourceAwsNetworkFirewallFirewallPolicy(), "aws_networkfirewall_firewall_policy.test"), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccAwsNetworkFirewallResourcePolicy_ruleGroup_disappears(t *testing.T) { + rName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_networkfirewall_resource_policy.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccNetworkFirewallResourcePolicy_ruleGroup(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName), + testAccCheckResourceDisappears(testAccProvider, resourceAwsNetworkFirewallRuleGroup(), "aws_networkfirewall_rule_group.test"), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + func testAccCheckAwsNetworkFirewallResourcePolicyDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { if rs.Type != "aws_networkfirewall_resource_policy" { 
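Review bot: TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy_disappears and TestAccAwsNetworkFirewallResourcePolicy_ruleGroup_disappears repeat the body of the existing _disappears test line for line, differing only in the config function and the resource handed to testAccCheckResourceDisappears; a small shared helper taking those two values and the resource address would keep the three cases from drifting apart. Both new tests also depend on the resource policy's Read dropping the policy from state once its parent is deleted, which holds only if describing the policy of a deleted parent comes back as ResourceNotFoundException rather than some other error; that is inferred from the Read's not-found branch, so it is worth confirming against the service before relying on `ExpectNonEmptyPlan: true`.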
@@ -147,61 +187,42 @@ func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestC } return nil + } } func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string { - return composeConfig( - testAccAlternateAccountProviderConfig(), - fmt.Sprintf(` -data "aws_caller_identity" "alternate" { - provider = "awsalternate" -} + return fmt.Sprintf(` +data "aws_partition" "current" {} + +data "aws_caller_identity" "current" {} resource "aws_networkfirewall_firewall_policy" "test" { - name = %[1]q + name = %q firewall_policy { stateless_fragment_default_actions = ["aws:drop"] stateless_default_actions = ["aws:pass"] } } - -resource "aws_ram_resource_share" "test" { - name = %[1]q - allow_external_principals = true - - tags = { - Name = %[1]q - } -} - -resource "aws_ram_resource_association" "test" { - resource_arn = aws_networkfirewall_firewall_policy.test.arn - resource_share_arn = aws_ram_resource_share.test.id -} -`, rName)) +`, rName) } func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string { return composeConfig( testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), ` resource "aws_networkfirewall_resource_policy" "test" { - resource_arn = data.aws_caller_identity.alternate.arn - policy = < Date: Wed, 25 Nov 2020 11:18:44 -0500 Subject: [PATCH 5/6] Update example usage principal ARN Co-authored-by: Brian Flad --- website/docs/r/networkfirewall_resource_policy.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/networkfirewall_resource_policy.html.markdown b/website/docs/r/networkfirewall_resource_policy.html.markdown index 360d6a36182..f208a71c832 100644 --- a/website/docs/r/networkfirewall_resource_policy.html.markdown +++ b/website/docs/r/networkfirewall_resource_policy.html.markdown 
@@ -23,7 +23,7 @@ resource "aws_networkfirewall_resource_policy" "example" {
 Effect = "Allow"
 Resource = aws_networkfirewall_firewall_policy.example.arn
 Principal = {
- AWS = "arn:aws:iam::1234567890:user/example"
+ AWS = "arn:aws:iam::123456789012:root"
 }
 }]
 Version = "2012-10-17"
From 3abb3f167279d1147405050d0a96608a1d87a766 Mon Sep 17 00:00:00 2001
From: angie pinilla
Date: Wed, 25 Nov 2020 11:18:56 -0500
Subject: [PATCH 6/6] Update website/docs/r/networkfirewall_resource_policy.html.markdown
Co-authored-by: Brian Flad
---
 website/docs/r/networkfirewall_resource_policy.html.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/r/networkfirewall_resource_policy.html.markdown b/website/docs/r/networkfirewall_resource_policy.html.markdown
index f208a71c832..a456f502267 100644
--- a/website/docs/r/networkfirewall_resource_policy.html.markdown
+++ b/website/docs/r/networkfirewall_resource_policy.html.markdown
@@ -42,7 +42,7 @@ resource "aws_networkfirewall_resource_policy" "example" {
 Effect = "Allow"
 Resource = aws_networkfirewall_rule_group.example.arn
 Principal = {
- AWS = "arn:aws:iam::1234567890:user/example"
+ AWS = "arn:aws:iam::123456789012:root"
 }
 }]
 Version = "2012-10-17"