---
layout: "aws"
page_title: "AWS: aws_default_network_acl"
sidebar_current: "docs-aws-resource-default-network-acl"
description: |-
  Manage the default Network ACL resource.
---

# aws\_default\_network\_acl

Provides a resource to manage the default AWS Network ACL. VPC only.

Each VPC created in AWS comes with a Default Network ACL that can be managed, but not destroyed. **This is an advanced resource**, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.

The `aws_default_network_acl` resource behaves differently from normal resources, in that Terraform does not _create_ this resource, but instead attempts to "adopt" it into management. We can do this because each VPC created has a Default Network ACL that cannot be destroyed, and is created with a known set of default rules.

When Terraform first adopts the Default Network ACL, it **immediately removes all rules in the ACL**. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration are created.

This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions or removals made outside this resource will show up as diffs. For these reasons, this resource is incompatible with the `aws_network_acl_rule` resource.

For more information about Network ACLs, see the AWS Documentation on [Network ACLs][aws-network-acls].

## Basic Example Usage, with default rules

The following config gives the Default Network ACL the same rules that AWS includes, but pulls the resource under management by Terraform. This means that any ACL rules added or changed outside Terraform will be detected as drift.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}
```

## Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any `egress` rules, while including the default `ingress` rule to allow all traffic.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}
```

## Example config to deny all traffic to any Subnet in the Default Network ACL

This config denies all traffic in the Default ACL. This can be useful if you want a locked-down default that forces every Subnet in the VPC to be assigned a non-default ACL before it can pass traffic.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  # no rules defined, deny all traffic in this ACL
}
```

## Argument Reference

The following arguments are supported:

* `default_network_acl_id` - (Required) The Network ACL ID to manage. This attribute is exported from `aws_vpc`, or can be found manually via the AWS Console.
* `subnet_ids` - (Optional) A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
* `ingress` - (Optional) Specifies an ingress rule. Parameters defined below.
* `egress` - (Optional) Specifies an egress rule. Parameters defined below.
* `tags` - (Optional) A mapping of tags to assign to the resource.

Both `egress` and `ingress` support the following keys:

* `from_port` - (Required) The from port to match.
* `to_port` - (Required) The to port to match.
* `rule_no` - (Required) The rule number. Used for ordering.
* `action` - (Required) The action to take.
* `protocol` - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
* `cidr_block` - (Optional) The CIDR block to match. This must be a valid network mask.
* `icmp_type` - (Optional) The ICMP type to be used. Default 0.
* `icmp_code` - (Optional) The ICMP code to be used. Default 0.

~> Note: For more information on ICMP types and codes, see here: http://www.nthelp.com/icmp.html

### Managing Subnets in the Default Network ACL

Within a VPC, all Subnets must be associated with a Network ACL. In order to "delete" the association between a Subnet and a non-default Network ACL, the association is destroyed by replacing it with an association between the Subnet and the Default ACL instead.

When managing the Default Network ACL, you cannot "remove" Subnets. Instead, they must be reassigned to another Network ACL, or the Subnet itself must be destroyed. Because of these requirements, removing the `subnet_ids` attribute from the configuration of an `aws_default_network_acl` resource may result in a recurring plan, until the Subnets are reassigned to another Network ACL or are destroyed.

Because Subnets are by default associated with the Default Network ACL, any non-explicit association will show up as a plan to remove the Subnet. For example: if you have a custom `aws_network_acl` with two Subnets attached, and you remove the `aws_network_acl` resource, then after this resource is successfully destroyed, future plans will show a diff on the managed `aws_default_network_acl`, because those two Subnets have been orphaned by the now-destroyed Network ACL and thus adopted by the Default Network ACL. In order to avoid a recurring plan, they will need to be reassigned, destroyed, or added to the `subnet_ids` attribute of the `aws_default_network_acl` entry.

### Removing `aws_default_network_acl` from your configuration

Each AWS VPC comes with a Default Network ACL that cannot be deleted. The `aws_default_network_acl` resource allows you to manage this Network ACL, but Terraform cannot destroy it. Removing this resource from your configuration will remove it from your state file and from management, **but will not destroy the Network ACL.** All Subnet associations and ingress or egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the Default Network ACL
* `vpc_id` - The ID of the associated VPC
* `ingress` - Set of ingress rules
* `egress` - Set of egress rules
* `subnet_ids` - IDs of associated Subnets

[aws-network-acls]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html