
Problems managing ACL on default VPC #17

Closed

lawliet89 opened this issue Jul 31, 2018 · 2 comments

Labels: enhancement (New feature or request), question (Further information is requested)

Comments

lawliet89 (Contributor) commented Jul 31, 2018

These lines prevent any rules from being defined on the default ACL.

At the same time, by reattaching the ACL with the default subnets, they prevent you from defining custom ACLs on those subnets.

Any ideas how we can work around this?

I think a better solution is to remove the subnet_ids line and add

  lifecycle {
    # Keep the default ACL resource but stop Terraform from re-attaching the
    # default subnets to it once they have been moved to a custom ACL.
    ignore_changes = ["subnet_ids"]
  }
@nozaq nozaq self-assigned this Aug 5, 2018
@nozaq nozaq added enhancement New feature or request question Further information is requested labels Aug 5, 2018
nozaq pushed a commit that referenced this issue Aug 5, 2018
Ignore "subnet_ids" changes instead of associating the default network ACL with the default subnet.
refs #17
nozaq (Owner) commented Aug 5, 2018

@lawliet89

There's no specific need to attach the default ACL to the default subnet, so just ignoring changes of "subnet_ids" would be enough, as you mentioned.
I've created a patch for this 👍

Regarding custom rules with the default network ACL, the only option I could come up with is to enable/disable the aws_default_network_acl resource depending on an input variable by using the count trick.
I would still recommend creating custom network ACLs and keeping your default network ACL with a "DENY ALL" setting; it will protect the network from accidental misconfigurations.
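The layout nozaq describes above, written out as an added example in current (0.12+) HCL; this is not the module's own code, and the variable name, resource names and the 10.0.0.0/16 range are assumptions and placeholders. It combines the count-toggled aws_default_network_acl, left with no rules so AWS's immutable deny-all entry is all that remains, the ignore_changes on subnet_ids from the patch, and a custom ACL that carries the explicit rules.

```hcl
# Set to false to leave the default network ACL unmanaged (the "count trick").
variable "manage_default_network_acl" {
  type    = bool
  default = true
}

# Default VPC and its subnets are assumed to exist in the target account.
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

# No ingress/egress blocks: the provider strips every rule, leaving only the
# immutable "*" DENY entry, so anything left on this ACL gets no traffic.
resource "aws_default_network_acl" "default" {
  count                  = var.manage_default_network_acl ? 1 : 0
  default_network_acl_id = data.aws_vpc.default.default_network_acl_id

  # subnet_ids is not set, and drift on it is ignored, so subnets can be
  # moved to a custom ACL without this resource pulling them back.
  lifecycle {
    ignore_changes = [subnet_ids]
  }
}

# Explicit, reviewable rules live on a custom ACL attached to the subnets.
resource "aws_network_acl" "custom" {
  vpc_id     = data.aws_vpc.default.id
  subnet_ids = data.aws_subnets.default.ids

  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "10.0.0.0/16" # placeholder trusted range
    from_port  = 443
    to_port    = 443
  }
  # Add egress blocks the same way; anything unmatched stays denied.
}
```

A subnet that is ever detached from the custom ACL falls back to the default ACL and loses all traffic, which is the safe failure mode the comment above argues for.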

lawliet89 (Contributor, Author) commented:
I agree with having DENY in the default ACL.

Thanks for the patch.
