_This issue was originally opened by @tokenshift as hashicorp/terraform#16838. It was migrated here as a result of the provider split. The original body of the issue is below._
I am using the aws_default_vpc and aws_default_network_acl resources in order to "adopt" the default VPC in an account and add ingress/egress rules. The first time I run terraform apply, it works; but if I run it again, all the NetworkACL rules are deleted.
I am providing ingress & egress rules only as aws_network_acl_rule resources, not as ingress and egress blocks in the aws_default_network_acl resource, because I want to parameterize this module with an additional list of whitelisted CIDR ranges that will be permitted ingress.
```
$ terraform -v
Terraform v0.11.1
+ provider.aws v1.5.0
```
Config using aws_default_vpc/aws_default_network_acl:
```hcl
resource "aws_default_vpc" "default" {}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_default_vpc.default.default_network_acl_id}"
}

# Egress rules:
resource "aws_network_acl_rule" "allow_all_egress" {
  network_acl_id = "${aws_default_network_acl.default.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = true
  protocol       = -1
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

# Ingress rules:
resource "aws_network_acl_rule" "allow_local_ingress" {
  network_acl_id = "${aws_default_network_acl.default.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = false
  protocol       = -1
  cidr_block     = "${aws_default_vpc.default.cidr_block}"
  from_port      = 0
  to_port        = 0
}
```
```
$ terraform init
$ terraform apply # The first apply creates the NetworkACL rules that I expect
$ terraform apply # The second apply then deletes those rules
$ terraform apply # Then re-adds them
$ terraform apply # Then deletes them
# and so on
```
The following config, using aws_network_acl instead of aws_default_network_acl, works (does not subsequently delete the NetworkACL rules):
```hcl
resource "aws_default_vpc" "default" {}

resource "aws_network_acl" "new_nacl" {
  vpc_id = "${aws_default_vpc.default.id}"
}

# Egress rules:
resource "aws_network_acl_rule" "allow_all_egress" {
  network_acl_id = "${aws_network_acl.new_nacl.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = true
  protocol       = -1
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

# Ingress rules:
resource "aws_network_acl_rule" "allow_local_ingress" {
  network_acl_id = "${aws_network_acl.new_nacl.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = false
  protocol       = -1
  cidr_block     = "${aws_default_vpc.default.cidr_block}"
  from_port      = 0
  to_port        = 0
}
```
I would expect aws_default_network_acl to have similar behavior regarding aws_network_acl_rule resources as aws_network_acl.
I have a similar problem with aws_network_acl and aws_network_acl_rule where rules are lost and re-added on every apply.
Same problem in Terraform (v0.11.11) with AWS (v1.57)
Very same problem in here with

```
Terraform v0.11.10
+ provider.aws v1.51.0
+ provider.null v1.0.0
```
Pretty bad I have to re-run it twice!!!
@radeksimko, any idea when this would be fixed?
I added

```hcl
lifecycle {
  ignore_changes = ["subnet_ids", "ingress", "egress"]
}
```

to my aws_default_network_acl resource and it seems to allow management of rules, at least for updates. I'm not in a position to completely tear down and recreate this network currently so I'm not sure what it does for original creation from scratch.
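A complete version of the module the original post describes, combining the ignore_changes workaround from the comment above with the parameterized CIDR whitelist the author wanted. This is added example code, not from the issue or the provider, written in the 0.11 syntax used above; the variable name allowed_ingress_cidrs and the rule numbering from 100 are my assumptions.

```hcl
# Added example, not from the issue: default-VPC NACL with every rule held in aws_network_acl_rule.
# allowed_ingress_cidrs is a hypothetical variable name for the whitelist the author describes.
variable "allowed_ingress_cidrs" {
  type    = "list"
  default = []
}
resource "aws_default_vpc" "default" {}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_default_vpc.default.default_network_acl_id}"
  # Workaround from the thread: rules are managed below, so ignore this resource's own rule set.
  lifecycle {
    ignore_changes = ["subnet_ids", "ingress", "egress"]
  }
}

resource "aws_network_acl_rule" "allow_all_egress" {
  network_acl_id = "${aws_default_network_acl.default.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = true
  protocol       = "-1"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

resource "aws_network_acl_rule" "allow_local_ingress" {
  network_acl_id = "${aws_default_network_acl.default.id}"
  rule_number    = 1
  rule_action    = "allow"
  egress         = false
  protocol       = "-1"
  cidr_block     = "${aws_default_vpc.default.cidr_block}"
  from_port      = 0
  to_port        = 0
}
# One rule per whitelisted CIDR, numbered from 100; any other ingress hits the NACL's implicit deny.
resource "aws_network_acl_rule" "allow_whitelisted_ingress" {
  count          = "${length(var.allowed_ingress_cidrs)}"
  network_acl_id = "${aws_default_network_acl.default.id}"
  rule_number    = "${100 + count.index}"
  rule_action    = "allow"
  egress         = false
  protocol       = "-1"
  cidr_block     = "${element(var.allowed_ingress_cidrs, count.index)}"
  from_port      = 0
  to_port        = 0
}
```

The commenter only confirmed the ignore_changes workaround for updates, so after the first apply from scratch, check the default NACL in the console or with describe-network-acls before relying on it.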
Same problem in Terraform v0.12.3