github.com/pmcatominey/terraform@v0.7.0-rc2.0.20160708105029-1401a52a5cc5/website/source/docs/providers/aws/r/default_network_acl.html.markdown

---
layout: "aws"
page_title: "AWS: aws_default_network_acl"
sidebar_current: "docs-aws-resource-default-network-acl"
description: |-
  Manage the default Network ACL resource.
---

# aws\_default\_network\_acl

Provides a resource to manage the default AWS Network ACL. VPC only.

Each VPC created in AWS comes with a Default Network ACL that can be managed, but not
destroyed. **This is an advanced resource**, and has special caveats to be aware
of when using it. Please read this document in its entirety before using this
resource.

The `aws_default_network_acl` resource behaves differently from normal resources, in that
Terraform does not _create_ this resource, but instead attempts to "adopt" it
into management. This is possible because every VPC has a Default Network
ACL that cannot be destroyed, and it is created with a known set of default rules.

When Terraform first adopts the Default Network ACL, it **immediately removes all
rules in the ACL**. It then creates any rules specified in the
configuration. This step is required so that only the rules specified in the
configuration exist on the ACL.

For more information about Network ACLs, see the AWS Documentation on
[Network ACLs][aws-network-acls].

## Basic Example Usage, with default rules

The following config gives the Default Network ACL the same rules that AWS
includes, but pulls the resource under management by Terraform. This means that
any rules later added or changed outside of Terraform will be detected as drift.

```
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}
```

## Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any `egress` rules (a
Network ACL denies any packet that matches none of its rules), while
including the default `ingress` rule to allow all traffic.

```
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}
```

## Example config to deny all traffic to any Subnet in the Default Network ACL

This config denies all traffic in the Default ACL. This can be useful if you
want a locked-down default that forces every resource in the VPC to be assigned
a non-default ACL.

```
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"
  # no rules defined, deny all traffic in this ACL
}
```
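The three configs above differ only in which rules survive adoption, so it is worth checking what each rule set actually lets through. The following is an added example, not Terraform or AWS code: it models how a Network ACL evaluates packets (stateless, rules checked in ascending `rule_no` order, first match wins, implicit deny when nothing matches) and applies that model to the rule sets transcribed from the three examples. The `Rule`, `Packet`, `evaluate`, `tcp_session_verdict` and `rule_drift` names, the `None`-means-any ICMP convention, and the sample addresses are this example's own assumptions. Because the ACL is stateless, the "deny all egress" config also blocks the server's replies to an allowed inbound TCP connection, which the example makes visible.

```python
"""Model of AWS Network ACL evaluation (added example, not Terraform or AWS
code). Rules for one direction are checked in ascending rule_no order, the
first matching rule decides, and a packet matching no rule hits the implicit
final deny ('*' rule). The rule sets in ACLS are transcribed from the three
configs on this page; all other names and values are this example's own."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Rule:
    """One ingress or egress block of aws_default_network_acl."""
    rule_no: int
    action: str                      # "allow" or "deny"
    protocol: int                    # -1 matches every protocol
    cidr_block: str                  # must be a valid network (no host bits)
    from_port: int = 0
    to_port: int = 0
    icmp_type: Optional[int] = None  # None: any type (example convention)
    icmp_code: Optional[int] = None  # None: any code (example convention)


@dataclass(frozen=True)
class Packet:
    """A single packet as the ACL sees it; remote_ip is the off-subnet side."""
    remote_ip: str
    protocol: int
    port: int = 0                    # destination port for TCP/UDP
    icmp_type: int = 0
    icmp_code: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if this rule applies to the packet."""
    if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr_block):
        return False
    if rule.protocol == -1:          # 'all' protocol: ports are not consulted
        return True
    if rule.protocol != pkt.protocol:
        return False
    if pkt.protocol in (TCP, UDP):
        return rule.from_port <= pkt.port <= rule.to_port
    if pkt.protocol == ICMP:
        return (rule.icmp_type in (None, pkt.icmp_type)
                and rule.icmp_code in (None, pkt.icmp_code))
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for pkt under one direction's rule list."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if matches(rule, pkt):
            return rule.action
    return "deny"                    # the implicit '*' rule AWS appends


ALLOW_ALL = Rule(rule_no=100, action="allow", protocol=-1, cidr_block="0.0.0.0/0")

# The three configurations above, as they stand after Terraform adopts the ACL.
ACLS: Dict[str, Dict[str, List[Rule]]] = {
    "default_rules": {"ingress": [ALLOW_ALL], "egress": [ALLOW_ALL]},
    "deny_egress":   {"ingress": [ALLOW_ALL], "egress": []},
    "deny_all":      {"ingress": [], "egress": []},
}


def tcp_session_verdict(acl: Dict[str, List[Rule]], client_ip: str,
                        client_port: int, server_port: int) -> Dict[str, str]:
    """Stateless ACL: an inbound TCP session needs the client's SYN (ingress,
    to server_port) AND the server's reply (egress, to the client's ephemeral
    port) to be allowed; a deny on either side breaks the connection."""
    syn = Packet(remote_ip=client_ip, protocol=TCP, port=server_port)
    reply = Packet(remote_ip=client_ip, protocol=TCP, port=client_port)
    return {"ingress": evaluate(acl["ingress"], syn),
            "egress": evaluate(acl["egress"], reply)}


def rule_drift(configured: List[Rule], observed: List[Rule]) -> Dict[str, List[Rule]]:
    """What a plan would surface as drift: rules present on the ACL but absent
    from the configuration, and configured rules missing from the ACL."""
    cfg, obs = set(configured), set(observed)
    return {"unexpected": sorted(obs - cfg, key=lambda r: r.rule_no),
            "missing": sorted(cfg - obs, key=lambda r: r.rule_no)}


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 opening SSH from port 51000.
    for name, acl in ACLS.items():
        print(name, tcp_session_verdict(acl, "203.0.113.7", 51000, 22))
    # A rule added by hand in the console shows up as drift against the config.
    extra = Rule(rule_no=90, action="deny", protocol=TCP,
                 cidr_block="198.51.100.0/24", from_port=22, to_port=22)
    print(rule_drift([ALLOW_ALL], [ALLOW_ALL, extra]))
```

Running the block prints `allow`/`allow` for the default-rules config, `allow`/`deny` for the deny-egress config (the SYN gets in, the SYN-ACK cannot leave) and `deny`/`deny` for the locked-down config, followed by the hand-added rule reported as unexpected. `ipaddress.ip_network` is strict, so a `cidr_block` with host bits set raises `ValueError`, matching the "valid network mask" requirement in the argument reference.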

## Argument Reference

The following arguments are supported:

* `default_network_acl_id` - (Required) The Network ACL ID to manage. This
  attribute is exported from `aws_vpc`, or can be found manually via the AWS Console.
* `subnet_ids` - (Optional) A list of Subnet IDs to apply the ACL to. See the
  notes below on managing Subnets in the Default Network ACL.
* `ingress` - (Optional) Specifies an ingress rule. Parameters defined below.
* `egress` - (Optional) Specifies an egress rule. Parameters defined below.
* `tags` - (Optional) A mapping of tags to assign to the resource.

Both `egress` and `ingress` support the following keys:

* `from_port` - (Required) The from port to match.
* `to_port` - (Required) The to port to match.
* `rule_no` - (Required) The rule number. Used for ordering.
* `action` - (Required) The action to take.
* `protocol` - (Required) The protocol to match. If using the -1 'all'
  protocol, you must specify a from and to port of 0.
* `cidr_block` - (Optional) The CIDR block to match. This must be a
  valid network mask.
* `icmp_type` - (Optional) The ICMP type to be used. Default 0.
* `icmp_code` - (Optional) The ICMP code to be used. Default 0.

~> Note: For more information on ICMP types and codes, see here: http://www.nthelp.com/icmp.html

### Managing Subnets in the Default Network ACL

Within a VPC, every Subnet must be associated with a Network ACL. To
"delete" the association between a Subnet and a non-default Network ACL, the
association is replaced with an association between the Subnet
and the Default ACL instead.

When managing the Default Network ACL, you cannot "remove" Subnets.
Instead, they must be reassigned to another Network ACL, or the Subnet itself must be
destroyed. Because of these requirements, removing the `subnet_ids` attribute from the
configuration of an `aws_default_network_acl` resource may result in a recurring
plan, until the Subnets are reassigned to another Network ACL or are destroyed.

Because Subnets are by default associated with the Default Network ACL, any
non-explicit association will show up as a plan to remove the Subnet. For
example: if you have a custom `aws_network_acl` with two Subnets attached, and
you remove the `aws_network_acl` resource, then after that resource is destroyed
future plans will show a diff on the managed `aws_default_network_acl`,
as those two Subnets have been orphaned by the now destroyed Network ACL and thus
adopted by the Default Network ACL. To avoid a recurring plan, they
will need to be reassigned, destroyed, or added to the `subnet_ids` attribute of
the `aws_default_network_acl` entry.

### Removing `aws_default_network_acl` from your configuration

Each AWS VPC comes with a Default Network ACL that cannot be deleted. The `aws_default_network_acl`
resource allows you to manage this Network ACL, but Terraform cannot destroy it. Removing
this resource from your configuration will remove it from your statefile and
from management, **but will not destroy the Network ACL.** All Subnet associations
and ingress or egress rules will be left as they are at the time of removal. You
can resume managing them via the AWS Console.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the Default Network ACL
* `vpc_id` - The ID of the associated VPC
* `ingress` - Set of ingress rules
* `egress` - Set of egress rules
* `subnet_ids` - IDs of associated Subnets

[aws-network-acls]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html