DefaultNetworkAcl
Provides a resource to manage the default AWS Network ACL. VPC Only.
Each VPC created in AWS comes with a Default Network ACL that can be managed, but not destroyed. This is an advanced resource, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.
The aws.ec2.DefaultNetworkAcl behaves differently from normal resources, in that
this provider does not create this resource, but instead attempts to “adopt” it
into management. We can do this because each VPC created has a Default Network
ACL that cannot be destroyed, and is created with a known set of default rules.
When this provider first adopts the Default Network ACL, it immediately removes all rules in the ACL. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration are created.
This resource treats its inline rules as absolute; only the rules defined
inline are created, and any additions/removals external to this resource will
result in diffs being shown. For these reasons, this resource is incompatible with the
aws.ec2.NetworkAclRule resource.
For more information about Network ACLs, see the AWS Documentation on [Network ACLs][aws-network-acls].
Basic Example Usage, with default rules
The following config gives the Default Network ACL the same rules that AWS includes, but pulls the resource under management by this provider. This means that any ACL rules added or changed will be detected as drift.
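import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const mainvpc = new aws.ec2.Vpc("mainvpc", {cidrBlock: "10.1.0.0/16"});

// Adopt the VPC's default network ACL. On adoption the provider removes every
// existing rule and then creates only the rules listed here, so these two
// lists are the ACL's complete rule set.
const _default = new aws.ec2.DefaultNetworkAcl("default", {
    defaultNetworkAclId: mainvpc.defaultNetworkAclId,
    ingress: [{
        // `protocol` is documented as a string; "-1" means every protocol and
        // requires fromPort/toPort of 0.
        protocol: "-1",
        ruleNo: 100,
        action: "allow",
        // Inbound is scoped to the VPC's own CIDR, while egress below is
        // open to 0.0.0.0/0.
        cidrBlock: mainvpc.cidrBlock,
        fromPort: 0,
        toPort: 0,
    }],
    egress: [{
        protocol: "-1",
        ruleNo: 100,
        action: "allow",
        cidrBlock: "0.0.0.0/0",
        fromPort: 0,
        toPort: 0,
    }],
});
import pulumi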
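import pulumi_aws as aws

mainvpc = aws.ec2.Vpc("mainvpc", cidr_block="10.1.0.0/16")

# Adopt the VPC's default network ACL. On adoption the provider removes every
# existing rule and then creates only the rules listed here, so these two
# lists are the ACL's complete rule set.
default = aws.ec2.DefaultNetworkAcl("default",
    default_network_acl_id=mainvpc.default_network_acl_id,
    ingress=[{
        # protocol is documented as a str; "-1" means every protocol and
        # requires from_port/to_port of 0.
        "protocol": "-1",
        "ruleNo": 100,
        "action": "allow",
        # Inbound is scoped to the VPC's own CIDR, while egress below is
        # open to 0.0.0.0/0.
        "cidr_block": mainvpc.cidr_block,
        "from_port": 0,
        "to_port": 0,
    }],
    egress=[{
        "protocol": "-1",
        "ruleNo": 100,
        "action": "allow",
        "cidr_block": "0.0.0.0/0",
        "from_port": 0,
        "to_port": 0,
    }])
using Pulumi;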
using Aws = Pulumi.Aws;
/// <summary>
/// Creates a VPC and adopts its default network ACL, giving the ACL one
/// allow-all ingress rule (from the VPC CIDR) and one allow-all egress rule.
/// Adoption clears the ACL's existing rules, so these two rules are the
/// complete rule set afterwards.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var vpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });

        // Protocol "-1" (all protocols) requires FromPort and ToPort of 0.
        var allowFromVpc = new Aws.Ec2.Inputs.DefaultNetworkAclIngressArgs
        {
            Protocol = "-1",
            RuleNo = 100,
            Action = "allow",
            CidrBlock = vpc.CidrBlock,
            FromPort = 0,
            ToPort = 0,
        };

        var allowToAnywhere = new Aws.Ec2.Inputs.DefaultNetworkAclEgressArgs
        {
            Protocol = "-1",
            RuleNo = 100,
            Action = "allow",
            CidrBlock = "0.0.0.0/0",
            FromPort = 0,
            ToPort = 0,
        };

        var defaultAcl = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = vpc.DefaultNetworkAclId,
            Ingress = { allowFromVpc },
            Egress = { allowToAnywhere },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a VPC and adopts its default network ACL with one allow-all
// ingress rule (from the VPC CIDR) and one allow-all egress rule.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The VPC whose default network ACL is adopted below.
		vpc, err := ec2.NewVpc(ctx, "mainvpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.1.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Inbound: every protocol, but only from the VPC's own CIDR.
		// Protocol "-1" (all) requires FromPort and ToPort of 0.
		ingress := ec2.DefaultNetworkAclIngressArray{
			&ec2.DefaultNetworkAclIngressArgs{
				Protocol:  pulumi.String("-1"),
				RuleNo:    pulumi.Int(100),
				Action:    pulumi.String("allow"),
				CidrBlock: vpc.CidrBlock,
				FromPort:  pulumi.Int(0),
				ToPort:    pulumi.Int(0),
			},
		}

		// Outbound: every protocol to any destination.
		egress := ec2.DefaultNetworkAclEgressArray{
			&ec2.DefaultNetworkAclEgressArgs{
				Protocol:  pulumi.String("-1"),
				RuleNo:    pulumi.Int(100),
				Action:    pulumi.String("allow"),
				CidrBlock: pulumi.String("0.0.0.0/0"),
				FromPort:  pulumi.Int(0),
				ToPort:    pulumi.Int(0),
			},
		}

		// Adoption clears the ACL's existing rules; only the rules given
		// here remain afterwards.
		_, err = ec2.NewDefaultNetworkAcl(ctx, "_default", &ec2.DefaultNetworkAclArgs{
			DefaultNetworkAclId: vpc.DefaultNetworkAclId,
			Ingress:             ingress,
			Egress:              egress,
		})
		return err
	})
}
Example config to deny all Egress traffic, allowing Ingress
The following denies all Egress traffic by omitting any egress rules, while
including the default ingress rule to allow all traffic.
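import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const mainvpc = new aws.ec2.Vpc("mainvpc", {cidrBlock: "10.1.0.0/16"});

// Adopt the VPC's default network ACL with a single ingress rule and no
// egress rules. The provider replaces the ACL's rules with exactly what is
// listed here, so leaving `egress` out denies all outbound traffic.
const _default = new aws.ec2.DefaultNetworkAcl("default", {
    defaultNetworkAclId: mainvpc.defaultNetworkAclId,
    ingress: [{
        // `protocol` is documented as a string; "-1" means every protocol and
        // requires fromPort/toPort of 0.
        protocol: "-1",
        ruleNo: 100,
        action: "allow",
        cidrBlock: mainvpc.cidrBlock,
        fromPort: 0,
        toPort: 0,
    }],
});
import pulumi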
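import pulumi_aws as aws

mainvpc = aws.ec2.Vpc("mainvpc", cidr_block="10.1.0.0/16")

# Adopt the VPC's default network ACL with a single ingress rule and no
# egress rules. The provider replaces the ACL's rules with exactly what is
# listed here, so leaving egress out denies all outbound traffic.
default = aws.ec2.DefaultNetworkAcl("default",
    default_network_acl_id=mainvpc.default_network_acl_id,
    ingress=[{
        # protocol is documented as a str; "-1" means every protocol and
        # requires from_port/to_port of 0.
        "protocol": "-1",
        "ruleNo": 100,
        "action": "allow",
        "cidr_block": mainvpc.cidr_block,
        "from_port": 0,
        "to_port": 0,
    }])
using Pulumi;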
using Aws = Pulumi.Aws;
/// <summary>
/// Creates a VPC and adopts its default network ACL with a single allow-all
/// ingress rule and no egress rules. Because the ACL's rules are replaced by
/// exactly what is listed here, all outbound traffic is denied.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var vpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });

        // Protocol "-1" (all protocols) requires FromPort and ToPort of 0.
        var allowFromVpc = new Aws.Ec2.Inputs.DefaultNetworkAclIngressArgs
        {
            Protocol = "-1",
            RuleNo = 100,
            Action = "allow",
            CidrBlock = vpc.CidrBlock,
            FromPort = 0,
            ToPort = 0,
        };

        var defaultAcl = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = vpc.DefaultNetworkAclId,
            Ingress = { allowFromVpc },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a VPC and adopts its default network ACL with one allow-all
// ingress rule and no egress rules, which denies all outbound traffic.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The VPC whose default network ACL is adopted below.
		vpc, err := ec2.NewVpc(ctx, "mainvpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.1.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Inbound: every protocol from the VPC's own CIDR.
		// Protocol "-1" (all) requires FromPort and ToPort of 0.
		ingress := ec2.DefaultNetworkAclIngressArray{
			&ec2.DefaultNetworkAclIngressArgs{
				Protocol:  pulumi.String("-1"),
				RuleNo:    pulumi.Int(100),
				Action:    pulumi.String("allow"),
				CidrBlock: vpc.CidrBlock,
				FromPort:  pulumi.Int(0),
				ToPort:    pulumi.Int(0),
			},
		}

		// No Egress is given: adoption clears the ACL's existing rules and
		// only the rules here remain, so nothing outbound is allowed.
		_, err = ec2.NewDefaultNetworkAcl(ctx, "_default", &ec2.DefaultNetworkAclArgs{
			DefaultNetworkAclId: vpc.DefaultNetworkAclId,
			Ingress:             ingress,
		})
		return err
	})
}
Example config to deny all traffic to any Subnet in the Default Network ACL
This config denies all traffic in the Default ACL. This can be useful if you want a locked down default to force all resources in the VPC to assign a non-default ACL.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const mainvpc = new aws.ec2.Vpc("mainvpc", {cidrBlock: "10.1.0.0/16"});

// Adopt the VPC's default network ACL without any rules. Adoption clears the
// existing rules and nothing is added back, so the ACL denies all traffic;
// subnets must be given a non-default ACL to communicate.
const defaultDefaultNetworkAcl = new aws.ec2.DefaultNetworkAcl("default", {defaultNetworkAclId: mainvpc.defaultNetworkAclId});
import pulumi
import pulumi_aws as aws

mainvpc = aws.ec2.Vpc("mainvpc", cidr_block="10.1.0.0/16")

# Adopt the VPC's default network ACL without any rules. Adoption clears the
# existing rules and nothing is added back, so the ACL denies all traffic;
# subnets must be given a non-default ACL to communicate.
default = aws.ec2.DefaultNetworkAcl(
    "default",
    default_network_acl_id=mainvpc.default_network_acl_id,
)
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Creates a VPC and adopts its default network ACL without any rules.
/// Adoption clears the existing rules and nothing is added back, so the ACL
/// denies all traffic; subnets must be given a non-default ACL to communicate.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var vpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs { CidrBlock = "10.1.0.0/16" });

        var lockedDownAcl = new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = vpc.DefaultNetworkAclId,
        };
        var defaultAcl = new Aws.Ec2.DefaultNetworkAcl("default", lockedDownAcl);
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a VPC and adopts its default network ACL without any rules,
// so the ACL denies all traffic until subnets are given a non-default ACL.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The VPC whose default network ACL is adopted below.
		vpc, err := ec2.NewVpc(ctx, "mainvpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.1.0.0/16"),
		})
		if err != nil {
			return err
		}

		// No Ingress or Egress: adoption clears the existing rules and
		// nothing is added back.
		lockedDown := &ec2.DefaultNetworkAclArgs{
			DefaultNetworkAclId: vpc.DefaultNetworkAclId,
		}
		if _, err := ec2.NewDefaultNetworkAcl(ctx, "_default", lockedDown); err != nil {
			return err
		}
		return nil
	})
}
Create a DefaultNetworkAcl Resource
new DefaultNetworkAcl(name: string, args: DefaultNetworkAclArgs, opts?: CustomResourceOptions);
def DefaultNetworkAcl(resource_name, opts=None, default_network_acl_id=None, egress=None, ingress=None, subnet_ids=None, tags=None, __props__=None);
func NewDefaultNetworkAcl(ctx *Context, name string, args DefaultNetworkAclArgs, opts ...ResourceOption) (*DefaultNetworkAcl, error)
public DefaultNetworkAcl(string name, DefaultNetworkAclArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args DefaultNetworkAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DefaultNetworkAclArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DefaultNetworkAclArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
DefaultNetworkAcl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The DefaultNetworkAcl resource accepts the following input properties:
- DefaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- Egress List<DefaultNetworkAclEgressArgs> — Specifies an egress rule. Parameters defined below.
- Ingress List<DefaultNetworkAclIngressArgs> — Specifies an ingress rule. Parameters defined below.
- SubnetIds List<string> — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- Tags Dictionary<string, string> — A map of tags to assign to the resource.
- DefaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- Egress []DefaultNetworkAclEgress — Specifies an egress rule. Parameters defined below.
- Ingress []DefaultNetworkAclIngress — Specifies an ingress rule. Parameters defined below.
- SubnetIds []string — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- Tags map[string]string — A map of tags to assign to the resource.
- defaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- egress DefaultNetworkAclEgress[] — Specifies an egress rule. Parameters defined below.
- ingress DefaultNetworkAclIngress[] — Specifies an ingress rule. Parameters defined below.
- subnetIds string[] — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- tags {[key: string]: string} — A map of tags to assign to the resource.
- default_network_acl_id str — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- egress List[DefaultNetworkAclEgress] — Specifies an egress rule. Parameters defined below.
- ingress List[DefaultNetworkAclIngress] — Specifies an ingress rule. Parameters defined below.
- subnet_ids List[str] — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- tags Dict[str, str] — A map of tags to assign to the resource.
Outputs
All input properties are implicitly available as output properties. Additionally, the DefaultNetworkAcl resource produces the following output properties:
Look up an Existing DefaultNetworkAcl Resource
Get an existing DefaultNetworkAcl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DefaultNetworkAclState, opts?: CustomResourceOptions): DefaultNetworkAcl
static get(resource_name, id, opts=None, arn=None, default_network_acl_id=None, egress=None, ingress=None, owner_id=None, subnet_ids=None, tags=None, vpc_id=None, __props__=None);
func GetDefaultNetworkAcl(ctx *Context, name string, id IDInput, state *DefaultNetworkAclState, opts ...ResourceOption) (*DefaultNetworkAcl, error)
public static DefaultNetworkAcl Get(string name, Input<string> id, DefaultNetworkAclState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string — The ARN of the Default Network ACL.
- DefaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- Egress List<DefaultNetworkAclEgressArgs> — Specifies an egress rule. Parameters defined below.
- Ingress List<DefaultNetworkAclIngressArgs> — Specifies an ingress rule. Parameters defined below.
- OwnerId string — The ID of the AWS account that owns the Default Network ACL.
- SubnetIds List<string> — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- Tags Dictionary<string, string> — A map of tags to assign to the resource.
- VpcId string — The ID of the associated VPC.
- Arn string — The ARN of the Default Network ACL.
- DefaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- Egress []DefaultNetworkAclEgress — Specifies an egress rule. Parameters defined below.
- Ingress []DefaultNetworkAclIngress — Specifies an ingress rule. Parameters defined below.
- OwnerId string — The ID of the AWS account that owns the Default Network ACL.
- SubnetIds []string — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- Tags map[string]string — A map of tags to assign to the resource.
- VpcId string — The ID of the associated VPC.
- arn string — The ARN of the Default Network ACL.
- defaultNetworkAclId string — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- egress DefaultNetworkAclEgress[] — Specifies an egress rule. Parameters defined below.
- ingress DefaultNetworkAclIngress[] — Specifies an ingress rule. Parameters defined below.
- ownerId string — The ID of the AWS account that owns the Default Network ACL.
- subnetIds string[] — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- tags {[key: string]: string} — A map of tags to assign to the resource.
- vpcId string — The ID of the associated VPC.
- arn str — The ARN of the Default Network ACL.
- default_network_acl_id str — The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.
- egress List[DefaultNetworkAclEgress] — Specifies an egress rule. Parameters defined below.
- ingress List[DefaultNetworkAclIngress] — Specifies an ingress rule. Parameters defined below.
- owner_id str — The ID of the AWS account that owns the Default Network ACL.
- subnet_ids List[str] — A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL.
- tags Dict[str, str] — A map of tags to assign to the resource.
- vpc_id str — The ID of the associated VPC.
Supporting Types
DefaultNetworkAclEgress
- Action string — The action to take.
- FromPort int — The from port to match.
- Protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- RuleNo int — The rule number. Used for ordering.
- ToPort int — The to port to match.
- CidrBlock string — The CIDR block to match. This must be a valid network mask.
- IcmpCode int — The ICMP type code to be used. Default 0.
- IcmpType int — The ICMP type to be used. Default 0.
- Ipv6CidrBlock string — The IPv6 CIDR block.
- Action string — The action to take.
- FromPort int — The from port to match.
- Protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- RuleNo int — The rule number. Used for ordering.
- ToPort int — The to port to match.
- CidrBlock string — The CIDR block to match. This must be a valid network mask.
- IcmpCode int — The ICMP type code to be used. Default 0.
- IcmpType int — The ICMP type to be used. Default 0.
- Ipv6CidrBlock string — The IPv6 CIDR block.
- action string — The action to take.
- fromPort number — The from port to match.
- protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- ruleNo number — The rule number. Used for ordering.
- toPort number — The to port to match.
- cidrBlock string — The CIDR block to match. This must be a valid network mask.
- icmpCode number — The ICMP type code to be used. Default 0.
- icmpType number — The ICMP type to be used. Default 0.
- ipv6CidrBlock string — The IPv6 CIDR block.
- action str — The action to take.
- from_port float — The from port to match.
- protocol str — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- ruleNo float — The rule number. Used for ordering.
- to_port float — The to port to match.
- cidr_block str — The CIDR block to match. This must be a valid network mask.
- icmp_code float — The ICMP type code to be used. Default 0.
- icmp_type float — The ICMP type to be used. Default 0.
- ipv6_cidr_block str — The IPv6 CIDR block.
DefaultNetworkAclIngress
- Action string — The action to take.
- FromPort int — The from port to match.
- Protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- RuleNo int — The rule number. Used for ordering.
- ToPort int — The to port to match.
- CidrBlock string — The CIDR block to match. This must be a valid network mask.
- IcmpCode int — The ICMP type code to be used. Default 0.
- IcmpType int — The ICMP type to be used. Default 0.
- Ipv6CidrBlock string — The IPv6 CIDR block.
- Action string — The action to take.
- FromPort int — The from port to match.
- Protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- RuleNo int — The rule number. Used for ordering.
- ToPort int — The to port to match.
- CidrBlock string — The CIDR block to match. This must be a valid network mask.
- IcmpCode int — The ICMP type code to be used. Default 0.
- IcmpType int — The ICMP type to be used. Default 0.
- Ipv6CidrBlock string — The IPv6 CIDR block.
- action string — The action to take.
- fromPort number — The from port to match.
- protocol string — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- ruleNo number — The rule number. Used for ordering.
- toPort number — The to port to match.
- cidrBlock string — The CIDR block to match. This must be a valid network mask.
- icmpCode number — The ICMP type code to be used. Default 0.
- icmpType number — The ICMP type to be used. Default 0.
- ipv6CidrBlock string — The IPv6 CIDR block.
- action str — The action to take.
- from_port float — The from port to match.
- protocol str — The protocol to match. If using the -1 ‘all’ protocol, you must specify a from and to port of 0.
- ruleNo float — The rule number. Used for ordering.
- to_port float — The to port to match.
- cidr_block str — The CIDR block to match. This must be a valid network mask.
- icmp_code float — The ICMP type code to be used. Default 0.
- icmp_type float — The ICMP type to be used. Default 0.
- ipv6_cidr_block str — The IPv6 CIDR block.
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.