Option to delete default ACLs on VPC creation. #5971

Closed
clstokes opened this issue Apr 1, 2016 · 5 comments · Fixed by #6165

Comments

@clstokes
Contributor

clstokes commented Apr 1, 2016

AWS VPCs come with a default set of network ACLs that allow all inbound and outbound traffic. There's no way to then manage these ACLs directly. ACLs with higher priority can be inserted, but the defaults remain unless manually removed.

I propose a new option on aws_vpc to remove default network ACLs. Maybe it could be a generic option to remove all default network resources for future proofing?

Test Config
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "acl-test"
  }
}
Default ACLs

[screenshot of the VPC's default network ACL entries, not included in this extract]

Related

This is similar to Terraform's behavior for security groups, where Terraform removes the default egress rule on initial creation (see the NOTE on egress rules on security_group).

@clstokes
Contributor Author

clstokes commented Apr 1, 2016

This is true for the security group that's created when a VPC is initially created. AWS does not allow the group to be removed, but Terraform is also not able to manage its rules.

Will this be implemented as a default flag that can remove this as well? Or should I open another issue to track the default SG rules option?

@kamaltherocky

In general, there are a few default objects which get created when a VPC is created in AWS. The following are the default objects:

  • Security Group
  • Network ACL
  • Route Table

There are scenarios where we need to update the default ones, since AWS does not allow deletion of some of the default objects.

Since we want to automate the whole infrastructure creation with Terraform, it would be good to have a mechanism in Terraform to update the default objects which were created by AWS during the VPC creation.

@ljankowski

+1

That's the problem we are facing as well. Default AWS rules are too widely open.
The temporary workaround we use for NACLs is to add a new deny rule with rule_number=1.

resource "aws_network_acl_rule" "default_ingress" {
    network_acl_id = "${aws_vpc.vpc.default_network_acl_id}"
    rule_number = 1
    egress = false
    protocol = "all"
    rule_action = "deny"
    cidr_block = "0.0.0.0/0"
    from_port = 0
    to_port = 0
}

resource "aws_network_acl_rule" "default_egress" {
    network_acl_id = "${aws_vpc.vpc.default_network_acl_id}"
    rule_number = 1
    egress = true
    protocol = "all"
    rule_action = "deny"
    cidr_block = "0.0.0.0/0"
    from_port = 0
    to_port = 0
}

However, Security Groups are still an issue, which currently I have no workaround for...
I am keen to see this implemented in the near future.

@bacoboy

bacoboy commented Apr 4, 2016

The real issue is you can't overwrite/remove the rule 100 that comes by default since TF didn't create it.

resource "aws_network_acl_rule" "http_in" {
    network_acl_id = "${aws_vpc.main.default_network_acl_id}"
    rule_number = 100
    egress = false
    protocol = "tcp"
    rule_action = "allow"
    cidr_block = "0.0.0.0/0"
    from_port = 80
    to_port = 80
}

Results in this:

Error applying plan:

2 error(s) occurred:

* aws_network_acl_rule.http_in: Error Creating Network Acl Rule: NetworkAclEntryAlreadyExists: The network acl entry identified by 100 already exists.
    status code: 400, request id:

I assume this is a general problem with things created automatically (like tags: #1296).

Clearly the workaround is to just create your own items and relink everything, but smells bad...

If this gets fixed, it might solve this too: #5392
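Later releases of the Terraform AWS provider address the situation described in this thread with resources that adopt the VPC's default objects instead of trying to recreate them. The configuration below is an added example, not code from this thread or from the linked pull request; it assumes a provider version that supports `aws_default_network_acl` and `aws_default_security_group` (both exist in current provider releases) and uses current HCL syntax rather than the 2016-era `"${...}"` interpolation. When Terraform first adopts either resource it removes every existing rule and then creates only the rules declared in the block, so the default rule 100 allow-all entries disappear and can be replaced by rule 100 entries of your own.

```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "acl-test"
  }
}

# Adopt the network ACL that AWS creates with the VPC. On the first apply
# the provider strips the default allow-all entries (ingress and egress
# rule 100) and keeps only what is declared here. Declaring no ingress or
# egress block at all leaves only the implicit deny (rule *).
resource "aws_default_network_acl" "main" {
  default_network_acl_id = aws_vpc.main.default_network_acl_id

  # Rule number 100 is free again once the ACL is adopted, so the HTTP
  # allow that failed with NetworkAclEntryAlreadyExists can now be declared.
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  # Network ACLs are stateless: without a matching egress rule for the
  # ephemeral port range, responses to the HTTP requests above are dropped.
  egress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  tags = {
    Name = "acl-test-default-nacl"
  }
}

# Adopt the default security group the same way. With no ingress or egress
# blocks declared, the provider removes the default allow-all egress rule and
# the self-referencing ingress rule, leaving the group with no rules, which
# is the safe state for a group that cannot be deleted and should not be used.
resource "aws_default_security_group" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "acl-test-default-sg"
  }
}
```

Because adoption is destructive to whatever rules the default ACL and group currently hold, run a plan against an existing VPC before applying, and keep the declared rule set as narrow as the workloads in the VPC actually need.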

@ghost

ghost commented Apr 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 26, 2020