» Resource: aws_network_acl_rule

Creates an entry (a rule) in a network ACL with the specified rule number.

NOTE on Network ACLs and Network ACL Rules: Terraform currently provides both a standalone Network ACL Rule resource and a Network ACL resource with rules defined in-line. At this time you cannot use a Network ACL with in-line rules in conjunction with any Network ACL Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

» Example Usage

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_network_acl_rule" "bar" {
  network_acl_id = "${aws_network_acl.bar.id}"
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
  cidr_block = # add a CIDR block here
  from_port      = 22
  to_port        = 22
}

Note: One of either cidr_block or ipv6_cidr_block is required.

» Argument Reference

The following arguments are supported:

network_acl_id - (Required) The ID of the network ACL.
rule_number - (Required) The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
egress - (Optional, bool) Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
protocol - (Required) The protocol. A value of -1 means all protocols.
rule_action - (Required) Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
cidr_block - (Optional) The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
ipv6_cidr_block - (Optional) The IPv6 CIDR block to allow or deny.
from_port - (Optional) The from port to match.
to_port - (Optional) The to port to match.
icmp_type - (Optional) ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
icmp_code - (Optional) ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1

NOTE: If the value of protocol is -1 or all, the from_port and to_port values will be ignored and the rule will apply to all ports.

NOTE: If the value of icmp_type is -1 (which results in a wildcard ICMP type), the icmp_code must also be set to -1 (wildcard ICMP code).

Note: For more information on ICMP types and codes, see here: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

id - The ID of the network ACL Rule