
Resource: awsNetworkAclRule

Creates an entry (a rule) in a network ACL with the specified rule number.

~> NOTE on Network ACLs and Network ACL Rules: Terraform currently provides both a standalone Network ACL Rule resource and a Network ACL resource with rules defined in-line. At this time you cannot use a Network ACL with in-line rules in conjunction with any Network ACL Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkAclBar = new aws.networkAcl.NetworkAcl(this, "bar", {
  vpcId: "${aws_vpc.foo.id}",
});
const awsNetworkAclRuleBar = new aws.networkAclRule.NetworkAclRule(
  this,
  "bar_1",
  {
    cidrBlock: "${aws_vpc.foo.cidr_block}",
    egress: false,
    fromPort: 22,
    networkAclId: awsNetworkAclBar.id,
    protocol: "tcp",
    ruleAction: "allow",
    ruleNumber: 200,
    toPort: 22,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkAclRuleBar.overrideLogicalId("bar");
```

~> Note: One of either cidrBlock or ipv6CidrBlock is required.

Argument Reference

The following arguments are supported:

  • networkAclId - (Required) The ID of the network ACL.
  • ruleNumber - (Required) The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
  • egress - (Optional, bool) Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
  • protocol - (Required) The protocol. A value of -1 means all protocols.
  • ruleAction - (Required) Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
  • cidrBlock - (Optional) The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
  • ipv6CidrBlock - (Optional) The IPv6 CIDR block to allow or deny.
  • fromPort - (Optional) The from port to match.
  • toPort - (Optional) The to port to match.
  • icmpType - (Optional) ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. E.g., -1
  • icmpCode - (Optional) ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. E.g., -1

~> NOTE: If the value of protocol is -1 or all, the fromPort and toPort values will be ignored and the rule will apply to all ports.

~> NOTE: If the value of icmpType is -1 (which results in a wildcard ICMP type), the icmpCode must also be set to -1 (wildcard ICMP code).

~> Note: For more information on ICMP types and codes, see here: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the network ACL Rule

Import

Individual rules can be imported using NETWORK_ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS, where protocol can be a decimal (e.g., 6) or string (e.g., tcp) value. If importing a rule previously provisioned by Terraform, the protocol must be the input value used at creation time. For more information on protocol numbers and keywords, see here: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

For example, import a network ACL Rule with an argument like this:

```shell
$ terraform import aws_network_acl_rule.my_rule acl-7aaabd18:100:tcp:false
```

Or by the protocol's decimal value:

```shell
$ terraform import aws_network_acl_rule.my_rule acl-7aaabd18:100:6:false
```
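The following is an added example, not code from the Terraform or CDKTF provider: a stand-alone model of how the Argument Reference fields above are evaluated (ascending rule number, first match wins, ports ignored for protocol -1/all, AWS's implicit final deny) together with the NETWORK_ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS string from the Import section. The `Packet` type, the helper names and the sample rules are assumptions for illustration; only IPv4 `cidrBlock` rules are modelled.

```typescript
// Added illustration, not provider code. Field names mirror the CDKTF arguments above.
interface NetworkAclRule {
  ruleNumber: number;
  egress: boolean;
  protocol: string;           // "tcp", "udp", "icmp", a number such as "6", or "-1"/"all"
  ruleAction: "allow" | "deny";
  cidrBlock: string;          // IPv4 CIDR only in this model (ipv6CidrBlock not handled)
  fromPort?: number;
  toPort?: number;
}

// Assumed packet shape: direction plus the fields a NACL rule can match on.
interface Packet { ip: string; port: number; protocol: string; egress: boolean }

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when `ip` lies inside the IPv4 block `cidr` (e.g. 172.16.0.0/24).
function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

const ALL_PROTOCOLS = new Set(["-1", "all"]);

function ruleMatches(rule: NetworkAclRule, pkt: Packet): boolean {
  if (rule.egress !== pkt.egress || !inCidr(pkt.ip, rule.cidrBlock)) return false;
  if (ALL_PROTOCOLS.has(rule.protocol)) return true;   // fromPort/toPort ignored for -1/all
  if (rule.protocol !== pkt.protocol) return false;
  const from = rule.fromPort ?? 0;
  const to = rule.toPort ?? 65535;
  return pkt.port >= from && pkt.port <= to;
}

// Rules are processed in ascending rule number and the first match decides;
// anything left unmatched hits AWS's implicit final "*" rule, which denies.
function evaluate(rules: NetworkAclRule[], pkt: Packet): "allow" | "deny" {
  const ordered = [...rules].sort((a, b) => a.ruleNumber - b.ruleNumber);
  const hit = ordered.find((r) => ruleMatches(r, pkt));
  return hit ? hit.ruleAction : "deny";
}

// Import ID in the NETWORK_ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS form used by `terraform import`.
function importId(networkAclId: string, rule: NetworkAclRule): string {
  return `${networkAclId}:${rule.ruleNumber}:${rule.protocol}:${rule.egress}`;
}

// Constructed sample: the page's rule (allow TCP/22 from the VPC range) plus a catch-all deny.
const sampleRules: NetworkAclRule[] = [
  { ruleNumber: 200, egress: false, protocol: "tcp", ruleAction: "allow", cidrBlock: "10.0.0.0/16", fromPort: 22, toPort: 22 },
  { ruleNumber: 300, egress: false, protocol: "-1", ruleAction: "deny", cidrBlock: "0.0.0.0/0" },
];
```

Because network ACLs are stateless, the SSH reply traffic in the page's example is not covered by the ingress rule alone; a matching egress rule for the ephemeral port range is still needed.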