From 8634bcda8fd2e9696f5e7b319eb10677fa88ca31 Mon Sep 17 00:00:00 2001 From: Jeremy Ciak <51718240+jeremyciak@users.noreply.github.com> Date: Wed, 21 Oct 2020 13:09:49 -0400 Subject: [PATCH] fix: Resource aws_default_network_acl orphaned subnet_ids (#530) --- examples/network-acls/main.tf | 5 +++-- main.tf | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index aae541f10..8677bf2b6 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -28,9 +28,11 @@ module "vpc" { local.network_acls["elasticache_outbound"], ) - private_dedicated_network_acl = true + private_dedicated_network_acl = false elasticache_dedicated_network_acl = true + manage_default_network_acl = true + enable_ipv6 = true enable_nat_gateway = false @@ -200,4 +202,3 @@ locals { ] } } - diff --git a/main.tf b/main.tf index e25caa530..e83ad6137 100644 --- a/main.tf +++ b/main.tf @@ -534,6 +534,27 @@ resource "aws_default_network_acl" "this" { default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0) + # The value of subnet_ids should be any subnet IDs that are not set as subnet_ids + # for any of the non-default network ACLs + subnet_ids = setsubtract( + compact(flatten([ + aws_subnet.public.*.id, + aws_subnet.private.*.id, + aws_subnet.intra.*.id, + aws_subnet.database.*.id, + aws_subnet.redshift.*.id, + aws_subnet.elasticache.*.id, + ])), + compact(flatten([ + aws_network_acl.public.*.subnet_ids, + aws_network_acl.private.*.subnet_ids, + aws_network_acl.intra.*.subnet_ids, + aws_network_acl.database.*.subnet_ids, + aws_network_acl.redshift.*.subnet_ids, + aws_network_acl.elasticache.*.subnet_ids, + ])) + ) + dynamic "ingress" { for_each = var.default_network_acl_ingress content {