Hi all,
I have the following feature request:
Currently I'm working on my network ACLs. I have a multi-AZ environment, with each AZ divided into public and private subnets.
My network ACLs on e.g. both private subnets look the same (regarding protocol, from_port, to_port, action ...) except for the cidr_block of the subnet.
With the current implementation I need to create (and manage) duplicate ACLs (regarding protocol, from_port, to_port, action...) for my different private subnets.
Example:
ingress {
  protocol   = "tcp"
  rule_no    = 5
  action     = "allow"
  cidr_block = "10.10.10.0/24"
  from_port  = 8000
  to_port    = 8010
}
ingress {
  protocol   = "tcp"
  rule_no    = 6
  action     = "allow"
  cidr_block = "10.10.20.0/24"
  from_port  = 8000
  to_port    = 8010
}
I'd suggest changing the cidr_block attribute of aws_network_acl / aws_network_acl_rule into an array of CIDRs.
Example:
ingress {
  protocol   = "tcp"
  rule_no    = 5
  action     = "allow"
  cidr_block = ["10.10.10.0/24", "10.10.20.0/24"]
  from_port  = 8000
  to_port    = 8010
}
So I would like Terraform to create the ACL rules for the different CIDRs (either as source or destination).
This would reduce complexity in the configuration and make it more manageable for users.
terraform -v
Terraform v0.8.5
Kind regards,
Alex
It's possible to work around it like this.
variable "cidr" {
  type    = "list"
  default = ["10.10.10.0/24", "10.10.20.0/24"]
}

resource "aws_network_acl_rule" "ingress" {
  count       = "${length(var.cidr)}"
  rule_number = "${5 + count.index}"
  egress      = false
  protocol    = "tcp"
  rule_action = "allow"
  cidr_block  = "${element(var.cidr, count.index)}"
  from_port   = 8000
  to_port     = 8010
}
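The count-based workaround turns one rule template into one aws_network_acl_rule per CIDR, numbered 5 + count.index. The Python below is an added example, not code from this thread or from the AWS provider: it performs the same expansion, flags rule-number collisions (the thing to watch when generated numbers are consecutive and other rules in the same ACL are numbered by hand), and evaluates a packet with the ordering AWS applies to network ACLs (ascending rule number, first match wins, implicit deny at the end). The CIDR list, rule dictionaries and packet values are constructed sample input.

```python
"""Expand a CIDR list into numbered network ACL rules and evaluate packets
against them.  Added example, not part of the issue or the AWS provider.
Rule dictionaries mirror aws_network_acl_rule arguments; all inputs are
constructed sample data."""
import ipaddress

# Constructed sample input, matching the CIDRs used in the issue.
CIDRS = ["10.10.10.0/24", "10.10.20.0/24"]


def expand_rules(cidrs, base_rule_number, protocol, action,
                 from_port, to_port, egress=False):
    """Mirror `count = length(var.cidr)` with `rule_number = base + count.index`:
    one rule per CIDR with consecutive rule numbers."""
    rules = []
    for index, cidr in enumerate(cidrs):
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
        rules.append({
            "rule_number": base_rule_number + index,
            "egress": egress,
            "protocol": protocol,
            "rule_action": action,
            "cidr_block": cidr,
            "from_port": from_port,
            "to_port": to_port,
        })
    return rules


def find_rule_number_collisions(rules):
    """Return rule numbers that appear more than once for the same direction.
    Generated numbers base+index can overlap with hand-numbered rules."""
    seen = set()
    collisions = set()
    for r in rules:
        key = (r["egress"], r["rule_number"])
        if key in seen:
            collisions.add(r["rule_number"])
        seen.add(key)
    return sorted(collisions)


def evaluate(rules, src_ip, protocol, port, egress=False):
    """Return 'allow' or 'deny' for a packet using NACL semantics: rules for
    the direction are checked in ascending rule number, the first match
    decides, and a packet matching no rule is denied."""
    addr = ipaddress.ip_address(src_ip)
    candidates = sorted((r for r in rules if r["egress"] == egress),
                        key=lambda r: r["rule_number"])
    for r in candidates:
        if r["protocol"] != "-1":  # "-1" means all protocols, ports ignored
            if r["protocol"] != protocol:
                continue
            if not (r["from_port"] <= port <= r["to_port"]):
                continue
        if addr not in ipaddress.ip_network(r["cidr_block"]):
            continue
        return r["rule_action"]
    return "deny"  # the implicit "*" deny-all rule at the end of every NACL


if __name__ == "__main__":
    rules = expand_rules(CIDRS, 5, "tcp", "allow", 8000, 8010)
    for r in rules:
        print(r)
    print(evaluate(rules, "10.10.20.7", "tcp", 8005))   # allow
    print(evaluate(rules, "10.10.30.7", "tcp", 8005))   # deny (no matching CIDR)
    # A hand-written rule numbered 6 in the same ACL collides with a generated one.
    extra = {"rule_number": 6, "egress": False, "protocol": "tcp",
             "rule_action": "deny", "cidr_block": "0.0.0.0/0",
             "from_port": 22, "to_port": 22}
    print(find_rule_number_collisions(rules + [extra]))  # [6]
```

The collision check is the practical point: with `rule_number = "${5 + count.index}"`, adding a third CIDR to the list silently claims rule number 7, so any other rule in the same ACL must be numbered well clear of the generated range.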
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.