Add support for "ipv6_cidr_block" to "aws_default_network_acl" and "aws_default_security_group" resources #1096

Closed
tylert opened this issue Jul 10, 2017 · 4 comments · Fixed by #1113

tylert commented Jul 10, 2017

I'm just starting out using Terraform and am very happy with it.

Lots of lovely IPv6 support was added to the "aws_network_acl" and "aws_security_group" resources in v0.9.9.

However, the "aws_default_network_acl" and "aws_default_security_group" resources still do not have support for the "ipv6_cidr_block" arguments (at least, not according to the https://www.terraform.io/docs/providers/aws/r/default_network_acl.html and https://www.terraform.io/docs/providers/aws/r/default_security_group.html pages).

Terraform Version

v0.9.11

Affected Resource(s)

  • aws_default_network_acl
  • aws_default_security_group

Terraform Configuration Files

Make sure you created a VPC with "assign_generated_ipv6_cidr_block = true" and then try to tag the default acl and security groups that got created...

```hcl
...
# Just tag the default network acl but also replace the rules that got cleared out automatically

resource "aws_default_network_acl" "default_acl" {
  default_network_acl_id = "${aws_vpc.main.default_network_acl_id}"

  ingress {
    from_port  = 0
    to_port    = 0
    protocol   = -1
    cidr_block = "0.0.0.0/0"
    rule_no    = 100
    action     = "allow"
  }

  /* XXX FIXME XXX Not supported yet
  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = -1
    ipv6_cidr_block = "::/0"
    rule_no         = 101
    action          = "allow"
  }
  */

  egress {
    from_port  = 0
    to_port    = 0
    protocol   = -1
    cidr_block = "0.0.0.0/0"
    rule_no    = 100
    action     = "allow"
  }

  /* XXX FIXME XXX Not supported yet
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = -1
    ipv6_cidr_block = "::/0"
    rule_no         = 101
    action          = "allow"
  }
  */

  tags = {
    Name        = "${var.basename}_def_acl"
    Environment = "${var.environment}"
  }
}
...
# Just tag the default sg but also replace the rules that got cleared out automatically

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.main.id}"

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = -1
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  /* XXX FIXME XXX Not supported yet
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
  */

  tags = {
    Name        = "${var.basename}_def_sg"
    Environment = "${var.environment}"
  }
}
...
```

Debug Output

N/A; enhancement

Panic Output

N/A; enhancement

Expected Behavior

It would be really swell if the "aws_default_network_acl" and "aws_default_security_group" resources supported the same set of arguments as their corresponding counterparts, "aws_network_acl" and "aws_security_group", respectively.

Actual Behavior

At the moment, if you choose to tag your default ACL and SG, you'll lose the default allow rules for "::/0".

Steps to Reproduce

N/A; enhancement

Important Factoids

N/A; enhancement

References

N/A; enhancement
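
A way to detect the situation described under "Actual Behavior", as an added example that is not part of the original issue or the provider's code: it takes the `NetworkAcls` list in the shape returned by `aws ec2 describe-network-acls`, plus the IDs of VPCs known to have an IPv6 CIDR, and reports default ACLs that allow `0.0.0.0/0` but have no allow rule for `::/0`. The sample ACLs, their IDs and all function names are constructed for illustration.

```python
# Added example: flag default network ACLs in IPv6-enabled VPCs that allow
# 0.0.0.0/0 but have no matching allow rule for ::/0.

def entry(rule_no, action, egress, cidr=None, cidr6=None):
    """One ACL entry in the shape `aws ec2 describe-network-acls` returns."""
    e = {"RuleNumber": rule_no, "RuleAction": action,
         "Egress": egress, "Protocol": "-1"}
    if cidr:
        e["CidrBlock"] = cidr
    if cidr6:
        e["Ipv6CidrBlock"] = cidr6
    return e

def sample_acl(acl_id, vpc_id, v6_allow):
    """Constructed default ACL; IDs are made up for this example."""
    entries = []
    for egress in (False, True):
        entries.append(entry(100, "allow", egress, cidr="0.0.0.0/0"))
        if v6_allow:
            entries.append(entry(101, "allow", egress, cidr6="::/0"))
        entries.append(entry(32767, "deny", egress, cidr="0.0.0.0/0"))
        entries.append(entry(32768, "deny", egress, cidr6="::/0"))
    return {"NetworkAclId": acl_id, "VpcId": vpc_id,
            "IsDefault": True, "Entries": entries}

def missing_ipv6_allow(acl):
    """Directions that allow all IPv4 but have no allow rule for ::/0."""
    missing = []
    for egress, name in ((False, "ingress"), (True, "egress")):
        allows = [e for e in acl["Entries"]
                  if e["Egress"] == egress and e["RuleAction"] == "allow"]
        v4 = any(e.get("CidrBlock") == "0.0.0.0/0" for e in allows)
        v6 = any(e.get("Ipv6CidrBlock") == "::/0" for e in allows)
        if v4 and not v6:
            missing.append(name)
    return missing

def audit(network_acls, ipv6_vpc_ids):
    """Map ACL id -> missing directions for default ACLs of IPv6 VPCs."""
    report = {}
    for acl in network_acls:
        if acl.get("IsDefault") and acl["VpcId"] in ipv6_vpc_ids:
            gaps = missing_ipv6_allow(acl)
            if gaps:
                report[acl["NetworkAclId"]] = gaps
    return report

ACLS = [sample_acl("acl-0aaa", "vpc-0aaa", v6_allow=False),
        sample_acl("acl-0bbb", "vpc-0bbb", v6_allow=True)]
```

Calling `audit(ACLS, {"vpc-0aaa", "vpc-0bbb"})` reports only the ACL whose IPv6 allow rules are gone; an ACL in a VPC without an IPv6 CIDR is never flagged.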

tylert changed the title on Jul 10, 2017
from: Add support for "ipv6_cidr_block" to aws_default_network_acl and aws_default_security_group resources
to: Add support for "ipv6_cidr_block" to "aws_default_network_acl" and "aws_default_security_group" resources
stack72 added the enhancement label Jul 11, 2017
stack72 self-assigned this Jul 11, 2017
stack72 added a commit that referenced this issue Jul 11, 2017
Fixes: #1096

default_security_group already has support for ipv6_cidr_block.

```
% make testacc TEST=./aws TESTARGS='-run=TestAccAWSDefaultNetworkAcl_withIpv6Ingress'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSDefaultNetworkAcl_withIpv6Ingress -timeout 120m
=== RUN   TestAccAWSDefaultNetworkAcl_withIpv6Ingress
--- PASS: TestAccAWSDefaultNetworkAcl_withIpv6Ingress (53.45s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	53.511s
```

tylert commented Jul 11, 2017

@stack72 🥇 Is this a candidate for inclusion in 0.1.3?


stack72 commented Jul 11, 2017 via email


tylert commented Jul 11, 2017

@stack72 not a problem. Thankfully, this isn't a blocker for me at the moment so I don't need to worry about building my own yet. Thanks for the quick turn-around 👍.


ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020