Resource: awsNetworkAclRule
Creates an entry (a rule) in a network ACL with the specified rule number.
\~> NOTE on Network ACLs and Network ACL Rules: Terraform currently provides both a standalone Network ACL Rule resource and a Network ACL resource with rules defined in-line. At this time you cannot use a Network ACL with in-line rules in conjunction with any Network ACL Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkAclBar = new aws.networkAcl.NetworkAcl(this, "bar", {
vpcId: "${aws_vpc.foo.id}",
});
const awsNetworkAclRuleBar = new aws.networkAclRule.NetworkAclRule(
this,
"bar_1",
{
cidrBlock: "${aws_vpc.foo.cidr_block}",
egress: false,
fromPort: 22,
networkAclId: awsNetworkAclBar.id,
protocol: "tcp",
ruleAction: "allow",
ruleNumber: 200,
toPort: 22,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkAclRuleBar.overrideLogicalId("bar");
\~> Note: One of either cidrBlock
or ipv6CidrBlock
is required.
Argument Reference
The following arguments are supported:
networkAclId
- (Required) The ID of the network ACL.ruleNumber
- (Required) The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.egress
- (Optional, bool) Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Defaultfalse
.protocol
- (Required) The protocol. A value of -1 means all protocols.ruleAction
- (Required) Indicates whether to allow or deny the traffic that matches the rule. Accepted values:allow
|deny
cidrBlock
- (Optional) The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).ipv6CidrBlock
- (Optional) The IPv6 CIDR block to allow or deny.fromPort
- (Optional) The from port to match.toPort
- (Optional) The to port to match.icmpType
- (Optional) ICMP protocol: The ICMP type. Required if specifying ICMP for the protocolE.g., -1icmpCode
- (Optional) ICMP protocol: The ICMP code. Required if specifying ICMP for the protocolE.g., -1
\~> NOTE: If the value of protocol
is 1
or all
, the fromPort
and toPort
values will be ignored and the rule will apply to all ports.
\~> NOTE: If the value of icmpType
is 1
(which results in a wildcard ICMP type), the icmpCode
must also be set to 1
(wildcard ICMP code).
\~> Note: For more information on ICMP types and codes, see here: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id
- The ID of the network ACL Rule
Import
Individual rules can be imported using NETWORK_ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS
, where protocol
can be a decimal (e.g., 6) or string (e.g., tcp) value. If importing a rule previously provisioned by Terraform, the protocol
must be the input value used at creation time. For more information on protocol numbers and keywords, see here: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
For example, import a network ACL Rule with an argument like this:
Or by the procotol's decimal value: