provider/aws: Default Network ACL resource

[catsby]

Provides a resource to manage the default AWS Network ACL. This resource is VPC Only.

The aws_default_network_acl behaves differently from normal resources, in that
Terraform does not create this resource, but instead attempts to "adopt" it
into management. We can do this because each VPC created has a Default Network
ACL that cannot be destroyed, and is created with a known set of default rules.

When Terraform first adopts the Default Network ACL, it immeidately removes all
rules in the ACL. It then proceeds to create any rules specified in the
configuration. This step is required so that only the rules specificed in the
configuration are created.

Example: Default Network ACL, with default rules in place:

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

Example: Default Network ACL, denying all traffic:

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.mainvpc.default_network_acl_id}"
}

For more information about Network ACLs, including the default, see the AWS Documentation on Network ACLs.

Fixes #5971

[catsby]

cc @clstokes

[clstokes]

Related to #6093.

[phinze]

This is a new resource - why are we starting w/ a deprecated field? Perhaps just a leftover from basing this on the network_acl resource?

[catsby]

A bit of a leftover. It was Computed when I was "inheriting" the schema. I missed re-adding that change when I went to fully copying it over.

We're re-using resourceAwsNetworkAclRead though, so it needs to be present. I'll mark it as Computed

[phinze]

Can you lift this number up into a constant.

[phinze]

Just took a read through Read (ha!) on network ACL and didn't see the subnet_id field mentioned there. Looks like it's only referenced in Delete and Update, nether of which we borrow. So I think that means we can drop this without consequence?

[catsby]

Smote in 78cd903

[phinze]

Ok last pass complete - just those docs Qs and the subnet_id Q

[phinze]

LGTM!

[catsby]

Passing acceptance tests, merging

$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSDefaultNetworkAcl_"
==> Checking that code complies with gofmt requirements...
/Users/clint/Projects/Go/bin/stringer
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSDefaultNetworkAcl_ -timeout 120m
=== RUN   TestAccAWSDefaultNetworkAcl_basic
--- PASS: TestAccAWSDefaultNetworkAcl_basic (13.59s)
=== RUN   TestAccAWSDefaultNetworkAcl_deny_ingress
--- PASS: TestAccAWSDefaultNetworkAcl_deny_ingress (13.60s)
=== RUN   TestAccAWSDefaultNetworkAcl_SubnetRemoval
--- PASS: TestAccAWSDefaultNetworkAcl_SubnetRemoval (24.94s)
=== RUN   TestAccAWSDefaultNetworkAcl_SubnetReassign
--- PASS: TestAccAWSDefaultNetworkAcl_SubnetReassign (30.86s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    83.008s

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.