provider/aws: Support multiple subnets in Network ACL #1931

Merged
merged 5 commits into from
May 15, 2015

@catsby catsby commented May 12, 2015

Ref #1717

The AWS API allows Network ACLs to be applied to multiple subnets, but Terraform is currently limited to 1-to-1. With this PR we introduce subnet_ids and deprecate subnet_id, so you can apply a single ACL to multiple subnets.

Subnets in a VPC must be assigned an ACL, so, if we remove a subnet from this ACL, that subnet gets associated to the Default ACL. This needs to be documented because it could have weird behavior.

Usage:

provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "foo" {
    cidr_block = "10.1.0.0/16"
    tags {
        Name = "acl-subnets-test"
    }
}
resource "aws_subnet" "one" {
    cidr_block = "10.1.111.0/24"
    vpc_id = "${aws_vpc.foo.id}"
}
resource "aws_subnet" "two" {
    cidr_block = "10.1.1.0/24"
    vpc_id = "${aws_vpc.foo.id}"
}
resource "aws_subnet" "three" {
    cidr_block = "10.1.2.0/24"
    vpc_id = "${aws_vpc.foo.id}"
}
resource "aws_network_acl" "bar" {
    vpc_id = "${aws_vpc.foo.id}"
    subnet_ids = [
        "${aws_subnet.one.id}",
        "${aws_subnet.two.id}",
        "${aws_subnet.three.id}",
    ]
}

State generated: (things omitted)

aws_network_acl.bar:
  id = acl-f6bd3393
  egress.# = 0
  ingress.# = 0
  subnet_ids.# = 3
  subnet_ids.0 = subnet-123456
  subnet_ids.1 = subnet-789123
  subnet_ids.2 = subnet-456789
  tags.# = 0
  vpc_id = vpc-25c64440

Needs:

  • docs
  • ~~plan keeps wanting to change the sorting. I'm calling sort.Strings here, but the sorting is still not correct. This may be because I didn't sort them in the config(?). Not sure what to do about that..~~ fixed by making it a TypeSet from TypeList

mzupan commented May 12, 2015

just tested this out and it works well 👍

},
})

}
Contributor

Can you add another step to this test to exercise the update functionality?

Contributor Author

I can, but the test doesn't pass ATM b/c plan isn't empty (sorting issue mentioned above)

phinze commented May 12, 2015

Two nits - LGTM generally!

catsby commented May 13, 2015

@phinze applied feedback, thanks!
I need help with the sorting stuff. Do I need to convert subnet_ids to TypeSet?

phinze commented May 14, 2015

> I need help with the sorting stuff. Do I need to convert subnet_ids to TypeSet?

Ah yes - this is a great candidate for TypeSet:

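"subnet_ids": &schema.Schema{
  Type: schema.TypeSet,
  Elem: &schema.Schema{Type: schema.TypeString},
  // Hash each subnet ID so set membership does not depend on order
  Set: func(v interface{}) int {
    return hashcode.String(v.(string))
  },
},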
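
The ordering problem and the subnet-removal behaviour discussed in this thread, as an added Go example that is not part of the PR or of Terraform's code. `SubnetPlan`, `ListDiffers`, `PlanSubnets` and the subnet IDs are hypothetical names and constructed values; the example shows why an ordered comparison reports a change when only the order differs, and which subnets would fall back to the VPC's default ACL when they are dropped from `subnet_ids`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SubnetPlan is a hypothetical type: the effect of changing subnet_ids.
type SubnetPlan struct {
	Associate      []string // subnets to attach to this ACL
	FallsToDefault []string // removed here, so they land on the VPC's default ACL
}

// ListDiffers compares position by position, as an ordered list would.
func ListDiffers(a, b []string) bool {
	return strings.Join(a, ",") != strings.Join(b, ",")
}

// missingFrom returns the sorted members of want that are absent from have.
func missingFrom(want, have []string) []string {
	seen := make(map[string]bool, len(have))
	for _, id := range have {
		seen[id] = true
	}
	var out []string
	for _, id := range want {
		if !seen[id] {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// PlanSubnets compares state and config as sets, ignoring order.
func PlanSubnets(state, config []string) SubnetPlan {
	return SubnetPlan{Associate: missingFrom(config, state), FallsToDefault: missingFrom(state, config)}
}

func main() {
	// Constructed IDs: the API returned them in a different order than the config.
	state := []string{"subnet-789123", "subnet-123456", "subnet-456789"}
	config := []string{"subnet-123456", "subnet-789123", "subnet-456789"}
	fmt.Println(ListDiffers(state, config), PlanSubnets(state, config))
	// Dropping the third subnet from the config moves it to the default ACL.
	fmt.Println(PlanSubnets(state, config[:2]))
}
```

A non-empty `FallsToDefault` is worth reviewing before apply, since those subnets will be filtered by the default ACL's rules rather than this ACL's.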

catsby commented May 15, 2015

@phinze updated tests, take a look when you can

phinze commented May 15, 2015

Solid solid - LGTM!

@catsby catsby merged commit bf65f7c into master May 15, 2015
@mitchellh mitchellh deleted the f-aws-network-subnet-ids branch June 26, 2015 22:49