
Resource: awsNetworkAcl

Provides a network ACL resource. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. Unlike security groups, network ACLs are stateless: a rule that allows a request does not allow its reply, so return traffic needs its own rule in the opposite direction (typically covering the client's ephemeral port range). Rules are evaluated in ascending rule number and the first match applies; traffic that matches no rule is dropped by the implicit final deny rule of every network ACL.

~> NOTE on Network ACLs and Network ACL Rules: Terraform currently provides both a standalone Network ACL Rule resource and a Network ACL resource with rules defined in-line. At this time you cannot use a Network ACL with in-line rules in conjunction with any Network ACL Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

~> NOTE on Network ACLs and Network ACL Associations: Terraform provides both a standalone network ACL association resource and a network ACL resource with a subnetIds attribute. Do not use the same subnet ID in both a network ACL resource and a network ACL association resource. Doing so will cause a conflict of associations and will overwrite the association.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Runs inside a Stack constructor. Rules are evaluated in ascending ruleNo and
// the first match wins; anything unmatched hits the ACL's implicit final deny.
new aws.networkAcl.NetworkAcl(this, "main", {
  // Network ACLs are stateless: this egress rule only permits outbound TCP/443.
  // Replies to the port-80 ingress below leave the subnet towards the client's
  // ephemeral port, so a deployment would add an egress rule for that range.
  egress: [
    {
      action: "allow",
      cidrBlock: "10.3.0.0/18",
      fromPort: 443,
      protocol: "tcp",
      ruleNo: 200,
      toPort: 443,
    },
  ],
  ingress: [
    {
      action: "allow",
      cidrBlock: "10.3.0.0/18",
      fromPort: 80,
      protocol: "tcp",
      ruleNo: 100,
      toPort: 80,
    },
  ],
  tags: {
    Name: "main",
  },
  // Terraform interpolation string as emitted by the converter; in a cdktf
  // stack you would normally pass the `id` of the Vpc construct instead.
  vpcId: "${aws_vpc.main.id}",
});

Argument Reference

The following arguments are supported:

  • vpcId - (Required) The ID of the associated VPC.
  • subnetIds - (Optional) A list of Subnet IDs to apply the ACL to.
  • ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

  • fromPort - (Required) The from port to match.
  • toPort - (Required) The to port to match.
  • ruleNo - (Required) The rule number. Used for ordering.
  • action - (Required) The action to take.
  • protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
  • cidrBlock - (Optional) The IPv4 CIDR block to match (for example 10.3.0.0/18). This must be a valid CIDR block.
  • ipv6CidrBlock - (Optional) The IPv6 CIDR block.
  • icmpType - (Optional) The ICMP type to be used. Default 0.
  • icmpCode - (Optional) The ICMP type code to be used. Default 0.

~> Note: For more information on ICMP types and codes, see here: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
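The rule keys above are easy to get subtly wrong: the ACL is stateless, the first matching ruleNo wins, and the -1 protocol only accepts ports of 0. The following added example (not part of the provider docs or the generated bindings) builds the `ingress`/`egress` rule objects in plain TypeScript, validates the constraints listed above, and evaluates packets against them the way AWS does. The helper names (`allowTcpServiceFrom`, `evaluate`, `validationError`) and the scenario (a quarantined /24 inside an allowed /18) are constructed for illustration; the arrays it produces are what you would hand to `aws.networkAcl.NetworkAcl`.

```typescript
// Added example, not provider code: rule builders and a first-match evaluator
// for AWS network ACL rules. IPv4 only; ICMP type/code matching is not modelled.

type NaclAction = "allow" | "deny";
type NaclProtocol = "tcp" | "udp" | "icmp" | "-1";

interface NaclRule {
  ruleNo: number;         // 1..32766; AWS reserves 32767 for the implicit "*" deny
  action: NaclAction;
  protocol: NaclProtocol; // "-1" is "all protocols" and requires fromPort/toPort of 0
  cidrBlock: string;      // IPv4 CIDR such as "10.3.0.0/18"
  fromPort: number;
  toPort: number;
}

// A packet as the ACL sees it: the remote address is the source on ingress and the
// destination on egress; the port is always the packet's destination port.
interface Packet {
  protocol: "tcp" | "udp";
  remoteAddress: string;
  destPort: number;
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function parseCidr(cidr: string): { network: number; mask: number } {
  const pieces = cidr.split("/");
  if (pieces.length !== 2) throw new Error(`invalid CIDR block: ${cidr}`);
  const len = Number(pieces[1]);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`invalid CIDR block: ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { network: (ipv4ToInt(pieces[0]) & mask) >>> 0, mask };
}

function inCidr(ip: string, cidr: string): boolean {
  const { network, mask } = parseCidr(cidr);
  return ((ipv4ToInt(ip) & mask) >>> 0) === network;
}

// Returns null for a valid rule list, otherwise the first problem found. These are
// constraints the API rejects at apply time; catching them before plan is cheaper.
function validationError(rules: NaclRule[]): string | null {
  const seen = new Set<number>();
  for (const r of rules) {
    if (!Number.isInteger(r.ruleNo) || r.ruleNo < 1 || r.ruleNo > 32766) {
      return `rule ${r.ruleNo}: ruleNo must be in 1..32766`;
    }
    if (seen.has(r.ruleNo)) return `rule ${r.ruleNo}: duplicate ruleNo`;
    seen.add(r.ruleNo);
    if (r.protocol === "-1" && (r.fromPort !== 0 || r.toPort !== 0)) {
      return `rule ${r.ruleNo}: protocol -1 requires fromPort and toPort of 0`;
    }
    if (r.fromPort < 0 || r.toPort > 65535 || r.fromPort > r.toPort) {
      return `rule ${r.ruleNo}: bad port range ${r.fromPort}-${r.toPort}`;
    }
    try { parseCidr(r.cidrBlock); } catch (e) { return `rule ${r.ruleNo}: ${(e as Error).message}`; }
  }
  return null;
}

// NACLs are stateless: allowing a service port inbound does not allow the reply.
// The reply leaves towards the client's ephemeral port, so the paired egress rule
// covers 1024-65535 for the same CIDR (the client's real range depends on its OS).
function allowTcpServiceFrom(
  ruleNo: number, clientCidr: string, port: number,
): { ingress: NaclRule; egress: NaclRule } {
  return {
    ingress: { ruleNo, action: "allow", protocol: "tcp", cidrBlock: clientCidr, fromPort: port, toPort: port },
    egress: { ruleNo, action: "allow", protocol: "tcp", cidrBlock: clientCidr, fromPort: 1024, toPort: 65535 },
  };
}

// Rules are checked in ascending ruleNo and the first match decides; a packet that
// matches nothing hits the implicit "*" deny at the end of every network ACL.
function evaluate(rules: NaclRule[], pkt: Packet): NaclAction {
  const problem = validationError(rules);
  if (problem) throw new Error(problem);
  const ordered = [...rules].sort((a, b) => a.ruleNo - b.ruleNo);
  for (const r of ordered) {
    const protoMatch = r.protocol === "-1" || r.protocol === pkt.protocol;
    const portMatch = r.protocol === "-1" || (pkt.destPort >= r.fromPort && pkt.destPort <= r.toPort);
    if (protoMatch && portMatch && inCidr(pkt.remoteAddress, r.cidrBlock)) return r.action;
  }
  return "deny";
}

// Constructed scenario: a web tier accepts HTTPS from 10.3.0.0/18, but one
// quarantined /24 inside that range must be blocked. The deny gets the lower
// ruleNo so it is evaluated before the broader allow.
const https = allowTcpServiceFrom(100, "10.3.0.0/18", 443);
const webIngress: NaclRule[] = [
  { ruleNo: 50, action: "deny", protocol: "-1", cidrBlock: "10.3.5.0/24", fromPort: 0, toPort: 0 },
  https.ingress,
];
const webEgress: NaclRule[] = [https.egress];
// In a stack these arrays are what the resource consumes:
//   new aws.networkAcl.NetworkAcl(this, "web", { vpcId, ingress: webIngress, egress: webEgress });
```

Two checks worth running against any rule set you write: evaluate the reply packet (egress to an ephemeral destination port) and not only the request, and give every deny a lower ruleNo than the allow it carves out of, since a deny numbered after a matching allow never fires.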

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the network ACL
  • arn - The ARN of the network ACL
  • ownerId - The ID of the AWS account that owns the network ACL.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

Network ACLs can be imported using the id, e.g.,

$ terraform import aws_network_acl.main acl-7aaabd18