smite subnet_id, improve docs

hashicorp · Apr 18, 2016 · 78cd903 · 78cd903
1 parent af367a4
commit 78cd903
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/builtin/providers/aws/resource_aws_default_network_acl.go b/builtin/providers/aws/resource_aws_default_network_acl.go
@@ -34,13 +34,6 @@ func resourceAwsDefaultNetworkAcl() *schema.Resource {
 				ForceNew: true,
 				Computed: false,
 			},
-			// subnet_id is a deprecated value in aws_network_acl, so we don't support
-			// using it here. We do re-use aws_network_acl's READ method which will
-			// attempt to set this value, so we include it here
-			"subnet_id": &schema.Schema{
-				Type:     schema.TypeString,
-				Computed: true,
-			},
 			// We want explicit management of Subnets here, so we do not allow them to be
 			// computed. Instead, an empty config will enforce just that; removal of the
 			// any Subnets that have been assigned to the Default Network ACL. Because we

diff --git a/website/source/docs/providers/aws/r/default_network_acl.html.markdown b/website/source/docs/providers/aws/r/default_network_acl.html.markdown
@@ -30,6 +30,10 @@ For more information about Network ACLs, see the AWS Documentation on
 
 ## Basic Example Usage, with default rules
 
+The following config gives the Default Network ACL the same rules that AWS 
+includes, but pulls the resource under management by Terraform. This means that 
+any ACL rules added or changed will be detected as drift.
+
 ```
 resource "aws_vpc" "mainvpc" {
   cidr_block = "10.1.0.0/16"
@@ -60,6 +64,9 @@ resource "aws_default_network_acl" "default" {
 
 ## Example config to deny all Egress traffic, allowing Ingress
 
+The following denies all Egress traffic by omitting any `egress` rules, while
+including the default `ingress` rule to allow all traffic.
+
 ```
 resource "aws_vpc" "mainvpc" {
   cidr_block = "10.1.0.0/16"
@@ -79,6 +86,24 @@ resource "aws_default_network_acl" "default" {
 
 }
 ```
+
+## Example config to deny all traffic to any Subnet in the Default Network ACL:
+
+This config denies all traffic in the Default ACL. This can be useful if you 
+want a locked down default to force all resources in the VPC to assign a 
+non-default ACL.
+
+```
+resource "aws_vpc" "mainvpc" {
+  cidr_block = "10.1.0.0/16"
+}
+
+resource "aws_default_network_acl" "default" {
+  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"
+  # no rules defined, deny all traffic in this ACL
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported: