Class DefaultNetworkAcl

Provides a resource to manage the default AWS Network ACL. VPC Only.

Each VPC created in AWS comes with a Default Network ACL that can be managed, but not destroyed. This is an advanced resource, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.

The aws.ec2.DefaultNetworkAcl behaves differently from normal resources, in that this provider does not create this resource, but instead attempts to "adopt" it into management. We can do this because each VPC created has a Default Network ACL that cannot be destroyed, and is created with a known set of default rules.

When this provider first adopts the Default Network ACL, it immediately removes all rules in the ACL. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration are created.

This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diffs being shown. For these reasons, this resource is incompatible with the aws.ec2.NetworkAclRule resource.

For more information about Network ACLs, see the AWS Documentation on [Network ACLs][aws-network-acls].

Basic Example Usage, with default rules

The following config gives the Default Network ACL the same rules that AWS includes, but pulls the resource under management by this provider. This means that any ACL rules added or changed will be detected as drift.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });
        var @default = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = mainvpc.DefaultNetworkAclId,
            Ingress =
            {
                new Aws.Ec2.Inputs.DefaultNetworkAclIngressArgs
                {
                    // Protocol is a string input; "-1" matches all protocols.
                    Protocol = "-1",
                    RuleNo = 100,
                    Action = "allow",
                    CidrBlock = mainvpc.CidrBlock,
                    FromPort = 0,
                    ToPort = 0,
                },
            },
            Egress =
            {
                new Aws.Ec2.Inputs.DefaultNetworkAclEgressArgs
                {
                    Protocol = "-1",
                    RuleNo = 100,
                    Action = "allow",
                    CidrBlock = "0.0.0.0/0",
                    FromPort = 0,
                    ToPort = 0,
                },
            },
        });
    }
}

Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any egress rules, while including the default ingress rule to allow all traffic.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });
        // No Egress block: after adoption the ACL has no egress rules, so all outbound traffic is denied.
        var @default = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = mainvpc.DefaultNetworkAclId,
            Ingress =
            {
                new Aws.Ec2.Inputs.DefaultNetworkAclIngressArgs
                {
                    // Protocol is a string input; "-1" matches all protocols.
                    Protocol = "-1",
                    RuleNo = 100,
                    Action = "allow",
                    CidrBlock = mainvpc.CidrBlock,
                    FromPort = 0,
                    ToPort = 0,
                },
            },
        });
    }
}

Example config to deny all traffic to any Subnet in the Default Network ACL

This config denies all traffic in the Default ACL. This can be useful if you want a locked down default to force all resources in the VPC to assign a non-default ACL.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });
        // No inline rules at all: adoption strips the AWS defaults and nothing is added back.
        var @default = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = mainvpc.DefaultNetworkAclId,
        });
    }
}

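A worked example added here (not from the Pulumi documentation or the provider's own examples) that carries the locked-down default one step further: the Default Network ACL is adopted with no rules, and a subnet that actually needs traffic is moved onto an explicitly managed aws.ec2.NetworkAcl with a narrow rule set. The stack name, the subnet CIDR, the tag values and the HTTPS-in / ephemeral-ports-out rule pair are constructed for illustration, not values the page provides.

```csharp
using Pulumi;
using Aws = Pulumi.Aws;

// Added example: deny-all Default Network ACL plus a least-privilege ACL for one subnet.
// Names, CIDRs and ports are illustrative assumptions.
class LockedDownDefaultStack : Stack
{
    public LockedDownDefaultStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });

        // Adopt the default ACL with no inline rules. The provider removes the AWS
        // allow-all defaults on adoption, so any subnet still associated with this
        // ACL passes no traffic in either direction (fail closed).
        var lockedDefault = new Aws.Ec2.DefaultNetworkAcl("default", new Aws.Ec2.DefaultNetworkAclArgs
        {
            DefaultNetworkAclId = mainvpc.DefaultNetworkAclId,
            Tags =
            {
                { "Name", "locked-down-default" },
                { "Purpose", "deny-all; subnets must opt in to a managed ACL" },
            },
        });

        var appSubnet = new Aws.Ec2.Subnet("app", new Aws.Ec2.SubnetArgs
        {
            VpcId = mainvpc.Id,
            CidrBlock = "10.1.10.0/24",
        });

        // Listing the subnet here re-associates it away from the default ACL.
        // Only HTTPS from inside the VPC is allowed in; because ACLs are stateless,
        // the egress rule on the ephemeral range is what lets responses leave.
        var appAcl = new Aws.Ec2.NetworkAcl("app", new Aws.Ec2.NetworkAclArgs
        {
            VpcId = mainvpc.Id,
            SubnetIds = { appSubnet.Id },
            Ingress =
            {
                new Aws.Ec2.Inputs.NetworkAclIngressArgs
                {
                    Protocol = "tcp",
                    RuleNo = 100,
                    Action = "allow",
                    CidrBlock = mainvpc.CidrBlock,
                    FromPort = 443,
                    ToPort = 443,
                },
            },
            Egress =
            {
                new Aws.Ec2.Inputs.NetworkAclEgressArgs
                {
                    Protocol = "tcp",
                    RuleNo = 100,
                    Action = "allow",
                    CidrBlock = mainvpc.CidrBlock,
                    FromPort = 1024,
                    ToPort = 65535,
                },
            },
        });

        this.DefaultAclId = lockedDefault.Id;
        this.AppAclId = appAcl.Id;
    }

    [Output] public Output<string> DefaultAclId { get; set; }
    [Output] public Output<string> AppAclId { get; set; }
}
```

With this layout a subnet that someone later creates without an explicit ACL association lands on the rule-less default and carries no traffic, which is the drift-resistant, fail-closed behaviour the deny-all configuration is meant to give. The ephemeral-port egress rule is the part most often forgotten when rules are tightened: without it the inbound HTTPS connections are accepted but their replies are dropped.
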
Inheritance
System.Object
Resource
CustomResource
DefaultNetworkAcl
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Aws.Ec2
Assembly: Pulumi.Aws.dll
Syntax
public class DefaultNetworkAcl : CustomResource

Constructors

DefaultNetworkAcl(String, DefaultNetworkAclArgs, CustomResourceOptions)

Create a DefaultNetworkAcl resource with the given unique name, arguments, and options.

Declaration
public DefaultNetworkAcl(string name, DefaultNetworkAclArgs args, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resource

DefaultNetworkAclArgs args

The arguments used to populate this resource's properties

CustomResourceOptions options

A bag of options that control this resource's behavior

Properties

DefaultNetworkAclId

The Network ACL ID to manage. This attribute is exported from aws.ec2.Vpc, or manually found via the AWS Console.

Declaration
public Output<string> DefaultNetworkAclId { get; }
Property Value
Type Description
Output<System.String>

Egress

Specifies an egress rule. Parameters defined below.

Declaration
public Output<ImmutableArray<DefaultNetworkAclEgress>> Egress { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<DefaultNetworkAclEgress>>

Ingress

Specifies an ingress rule. Parameters defined below.

Declaration
public Output<ImmutableArray<DefaultNetworkAclIngress>> Ingress { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<DefaultNetworkAclIngress>>

OwnerId

The ID of the AWS account that owns the Default Network ACL

Declaration
public Output<string> OwnerId { get; }
Property Value
Type Description
Output<System.String>

SubnetIds

A list of Subnet IDs to apply the ACL to. See the notes below on managing Subnets in the Default Network ACL

Declaration
public Output<ImmutableArray<string>> SubnetIds { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<System.String>>

Tags

A map of tags to assign to the resource.

Declaration
public Output<ImmutableDictionary<string, object>> Tags { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableDictionary<System.String, System.Object>>

VpcId

The ID of the associated VPC

Declaration
public Output<string> VpcId { get; }
Property Value
Type Description
Output<System.String>

Methods

Get(String, Input<String>, DefaultNetworkAclState, CustomResourceOptions)

Get an existing DefaultNetworkAcl resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static DefaultNetworkAcl Get(string name, Input<string> id, DefaultNetworkAclState state = null, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resulting resource.

Input<System.String> id

The unique provider ID of the resource to lookup.

DefaultNetworkAclState state

Any extra arguments used during the lookup.

CustomResourceOptions options

A bag of options that control this resource's behavior

Returns
Type Description
DefaultNetworkAcl
Copyright 2016-2020, Pulumi Corporation.