NetworkAclRule

Creates an entry (a rule) in a network ACL with the specified rule number.

NOTE on Network ACLs and Network ACL Rules: This provider currently provides both a standalone Network ACL Rule resource and a Network ACL resource with rules defined in-line. At this time you cannot use a Network ACL with in-line rules in conjunction with any Network ACL Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var barNetworkAcl = new Aws.Ec2.NetworkAcl("barNetworkAcl", new Aws.Ec2.NetworkAclArgs
        {
            VpcId = aws_vpc.Foo.Id,
        });
        var barNetworkAclRule = new Aws.Ec2.NetworkAclRule("barNetworkAclRule", new Aws.Ec2.NetworkAclRuleArgs
        {
            NetworkAclId = barNetworkAcl.Id,
            RuleNumber = 200,
            Egress = false,
            Protocol = "tcp",
            RuleAction = "allow",
            CidrBlock = aws_vpc.Foo.Cidr_block,
            FromPort = 22,
            ToPort = 22,
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		barNetworkAcl, err := ec2.NewNetworkAcl(ctx, "barNetworkAcl", &ec2.NetworkAclArgs{
			VpcId: pulumi.Any(aws_vpc.Foo.Id),
		})
		if err != nil {
			return err
		}
		_, err = ec2.NewNetworkAclRule(ctx, "barNetworkAclRule", &ec2.NetworkAclRuleArgs{
			NetworkAclId: barNetworkAcl.ID(),
			RuleNumber:   pulumi.Int(200),
			Egress:       pulumi.Bool(false),
			Protocol:     pulumi.String("tcp"),
			RuleAction:   pulumi.String("allow"),
			CidrBlock:    pulumi.Any(aws_vpc.Foo.Cidr_block),
			FromPort:     pulumi.Int(22),
			ToPort:       pulumi.Int(22),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

bar_network_acl = aws.ec2.NetworkAcl("barNetworkAcl", vpc_id=aws_vpc["foo"]["id"])
bar_network_acl_rule = aws.ec2.NetworkAclRule("barNetworkAclRule",
    network_acl_id=bar_network_acl.id,
    rule_number=200,
    egress=False,
    protocol="tcp",
    rule_action="allow",
    cidr_block=aws_vpc["foo"]["cidr_block"],
    from_port=22,
    to_port=22)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const barNetworkAcl = new aws.ec2.NetworkAcl("barNetworkAcl", {vpcId: aws_vpc.foo.id});
const barNetworkAclRule = new aws.ec2.NetworkAclRule("barNetworkAclRule", {
    networkAclId: barNetworkAcl.id,
    ruleNumber: 200,
    egress: false,
    protocol: "tcp",
    ruleAction: "allow",
    cidrBlock: aws_vpc.foo.cidr_block,
    fromPort: 22,
    toPort: 22,
});

Create a NetworkAclRule Resource

new NetworkAclRule(name: string, args: NetworkAclRuleArgs, opts?: CustomResourceOptions);
@overload
def NetworkAclRule(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   cidr_block: Optional[str] = None,
                   egress: Optional[bool] = None,
                   from_port: Optional[int] = None,
                   icmp_code: Optional[str] = None,
                   icmp_type: Optional[str] = None,
                   ipv6_cidr_block: Optional[str] = None,
                   network_acl_id: Optional[str] = None,
                   protocol: Optional[str] = None,
                   rule_action: Optional[str] = None,
                   rule_number: Optional[int] = None,
                   to_port: Optional[int] = None)
@overload
def NetworkAclRule(resource_name: str,
                   args: NetworkAclRuleArgs,
                   opts: Optional[ResourceOptions] = None)
func NewNetworkAclRule(ctx *Context, name string, args NetworkAclRuleArgs, opts ...ResourceOption) (*NetworkAclRule, error)
public NetworkAclRule(string name, NetworkAclRuleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args NetworkAclRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args NetworkAclRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args NetworkAclRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args NetworkAclRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

NetworkAclRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The NetworkAclRule resource accepts the following input properties:

NetworkAclId string
The ID of the network ACL.
Protocol string
The protocol. A value of -1 means all protocols.
RuleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
RuleNumber int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
CidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
Egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
FromPort int
The from port to match.
IcmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
IcmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
Ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
ToPort int
The to port to match.
NetworkAclId string
The ID of the network ACL.
Protocol string
The protocol. A value of -1 means all protocols.
RuleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
RuleNumber int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
CidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
Egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
FromPort int
The from port to match.
IcmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
IcmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
Ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
ToPort int
The to port to match.
networkAclId string
The ID of the network ACL.
protocol string
The protocol. A value of -1 means all protocols.
ruleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
ruleNumber number
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
cidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
egress boolean
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
fromPort number
The from port to match.
icmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
icmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
toPort number
The to port to match.
network_acl_id str
The ID of the network ACL.
protocol str
The protocol. A value of -1 means all protocols.
rule_action str
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
rule_number int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
cidr_block str
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
from_port int
The from port to match.
icmp_code str
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
icmp_type str
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
ipv6_cidr_block str
The IPv6 CIDR block to allow or deny.
to_port int
The to port to match.

Outputs

All input properties are implicitly available as output properties. Additionally, the NetworkAclRule resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing NetworkAclRule Resource

Get an existing NetworkAclRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: NetworkAclRuleState, opts?: CustomResourceOptions): NetworkAclRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cidr_block: Optional[str] = None,
        egress: Optional[bool] = None,
        from_port: Optional[int] = None,
        icmp_code: Optional[str] = None,
        icmp_type: Optional[str] = None,
        ipv6_cidr_block: Optional[str] = None,
        network_acl_id: Optional[str] = None,
        protocol: Optional[str] = None,
        rule_action: Optional[str] = None,
        rule_number: Optional[int] = None,
        to_port: Optional[int] = None) -> NetworkAclRule
func GetNetworkAclRule(ctx *Context, name string, id IDInput, state *NetworkAclRuleState, opts ...ResourceOption) (*NetworkAclRule, error)
public static NetworkAclRule Get(string name, Input<string> id, NetworkAclRuleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

CidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
Egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
FromPort int
The from port to match.
IcmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
IcmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
Ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
NetworkAclId string
The ID of the network ACL.
Protocol string
The protocol. A value of -1 means all protocols.
RuleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
RuleNumber int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
ToPort int
The to port to match.
CidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
Egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
FromPort int
The from port to match.
IcmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
IcmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
Ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
NetworkAclId string
The ID of the network ACL.
Protocol string
The protocol. A value of -1 means all protocols.
RuleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
RuleNumber int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
ToPort int
The to port to match.
cidrBlock string
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
egress boolean
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
fromPort number
The from port to match.
icmpCode string
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
icmpType string
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
ipv6CidrBlock string
The IPv6 CIDR block to allow or deny.
networkAclId string
The ID of the network ACL.
protocol string
The protocol. A value of -1 means all protocols.
ruleAction string
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
ruleNumber number
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
toPort number
The to port to match.
cidr_block str
The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
egress bool
Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
from_port int
The from port to match.
icmp_code str
ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1
icmp_type str
ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
ipv6_cidr_block str
The IPv6 CIDR block to allow or deny.
network_acl_id str
The ID of the network ACL.
protocol str
The protocol. A value of -1 means all protocols.
rule_action str
Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
rule_number int
The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
to_port int
The to port to match.

Import

Individual rules can be imported using NETWORK_ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS, where PROTOCOL can be a decimal (e.g. 6) or string (e.g. tcp) value. If importing a rule previously provisioned by the provider, the PROTOCOL must be the input value used at creation time. For more information on protocol numbers and keywords, see herehttps://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml For example, import a network ACL Rule with an argument like thisconsole

 $ pulumi import aws:ec2/networkAclRule:NetworkAclRule my_rule acl-7aaabd18:100:tcp:false

Or by the procotol’s decimal valueconsole

 $ pulumi import aws:ec2/networkAclRule:NetworkAclRule my_rule acl-7aaabd18:100:6:false

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.