hashicorp · takahiro9 · Jun 29, 2017 · Jul 1, 2017 · Jul 9, 2017 · Aug 27, 2017
diff --git a/aws/provider.go b/aws/provider.go
@@ -387,6 +387,7 @@ func Provider() terraform.ResourceProvider {
  "aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
  "aws_nat_gateway": resourceAwsNatGateway(),
  "aws_network_acl": resourceAwsNetworkAcl(),
+ "aws_network_acl_association": resourceAwsNetworkAclAssociation(),
  "aws_default_network_acl": resourceAwsDefaultNetworkAcl(),
  "aws_network_acl_rule": resourceAwsNetworkAclRule(),
  "aws_network_interface": resourceAwsNetworkInterface(),

diff --git a/aws/resource_aws_network_acl_association.go b/aws/resource_aws_network_acl_association.go
@@ -0,0 +1,164 @@
+package aws
+
+import (
+ "fmt"
+ "log"
+ "time"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/service/ec2"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsNetworkAclAssociation() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceAwsNetworkAclAssociationCreate,
+ Read: resourceAwsNetworkAclAssociationRead,
+ Update: resourceAwsNetworkAclAssociationUpdate,
+ Delete: resourceAwsNetworkAclAssociationDelete,
+
+ Schema: map[string]*schema.Schema{
+ "subnet_id": {
+ Type: schema.TypeString,
+ Required: true,
+ },
+
+ "network_acl_id": {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ },
+ }
+}
+
+func resourceAwsNetworkAclAssociationCreate(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).ec2conn
+
+ naclId := d.Get("network_acl_id").(string)
+ subnetId := d.Get("subnet_id").(string)
+
+ association, errAssociation := findNetworkAclAssociation(subnetId, conn)
+ if errAssociation != nil {
+ return fmt.Errorf("Failed to find association for subnet %s: %s", subnetId, errAssociation)
+ }
+
+ associationOpts := ec2.ReplaceNetworkAclAssociationInput{
+ AssociationId: association.NetworkAclAssociationId,
+ NetworkAclId: aws.String(naclId),
+ }
+
+ log.Printf("[DEBUG] Creating Network ACL association: %#v", associationOpts)
+
+ var err error
+ err = resource.Retry(5*time.Minute, func() *resource.RetryError {
+ _, err = conn.ReplaceNetworkAclAssociation(&associationOpts)
+ if err != nil {
+ if awsErr, ok := err.(awserr.Error); ok {
+ if awsErr != nil {
+ return resource.RetryableError(awsErr)
+ }
+ }
+ return resource.NonRetryableError(err)
+ }
+ return nil
+ })
+ if err != nil {
+ return err
+ }
+
+ return resourceAwsNetworkAclAssociationRead(d, meta)
+}
+
+func resourceAwsNetworkAclAssociationRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).ec2conn
+
+ // Inspect that the association exists
+ subnetId := d.Get("subnet_id").(string)
+ _, errAssociation := findNetworkAclAssociation(subnetId, conn)
+ if errAssociation != nil {
+ log.Printf("[WARN] Association for subnet %s was not found, removing from state", subnetId)
+ d.SetId("")
+ return nil
+ }
+
+ return nil
+}
+
+func resourceAwsNetworkAclAssociationUpdate(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).ec2conn
+
+ naclId := d.Get("network_acl_id").(string)
+ subnetId := d.Get("subnet_id").(string)
+
+ association, errAssociation := findNetworkAclAssociation(subnetId, conn)
+ if errAssociation != nil {
+ return fmt.Errorf("Failed to find association for subnet %s: %s", subnetId, errAssociation)
+ }
+
+ associationOpts := ec2.ReplaceNetworkAclAssociationInput{
+ AssociationId: association.NetworkAclAssociationId,
+ NetworkAclId: aws.String(naclId),
+ }
+
+ _, err := conn.ReplaceNetworkAclAssociation(&associationOpts)
+
+ log.Printf("[DEBUG] Updating Network ACL association: %#v", associationOpts)
+
+ if err != nil {
+ ec2err, ok := err.(awserr.Error)
+ if ok && ec2err.Code() == "InvalidAssociationID.NotFound" {
+ // Not found, so just create a new one
+ return resourceAwsNetworkAclAssociationCreate(d, meta)
+ }
+
+ return err
+ }
+
+ return resourceAwsNetworkAclAssociationRead(d, meta)
+}
+
+func resourceAwsNetworkAclAssociationDelete(d *schema.ResourceData, meta interface{}) error {
+
+ conn := meta.(*AWSClient).ec2conn
+
+ subnetId := d.Get("subnet_id").(string)
+
+ association, errAssociation := findNetworkAclAssociation(subnetId, conn)
+ if errAssociation != nil {
+ return fmt.Errorf("Failed to find association for subnet %s: %s", subnetId, errAssociation)
+ }
+
+ defaultAcl, err := getDefaultNetworkAcl(d.Get("vpc_id").(string), conn)
+
+ if err != nil {
+ return fmt.Errorf("Failed to get networkAcl : %s", err)
+ }
+
+ associationOpts := ec2.ReplaceNetworkAclAssociationInput{
+ AssociationId: association.NetworkAclAssociationId,
+ NetworkAclId: defaultAcl.NetworkAclId,
+ }
+
+ log.Printf("[DEBUG] Replacing Network ACL association: %#v", associationOpts)
+
+ err = resource.Retry(5*time.Minute, func() *resource.RetryError {
+ _, err = conn.ReplaceNetworkAclAssociation(&associationOpts)
+ if err != nil {
+ if awsErr, ok := err.(awserr.Error); ok {
+ if awsErr != nil {
+ return resource.RetryableError(awsErr)
+ }
+ }
+ return resource.NonRetryableError(err)
+ }
+ return nil
+ })
+ if err != nil {
+ return err
+ }
+
+ d.SetId("")
+ return nil
+}
diff --git a/aws/resource_aws_network_acl_association_test.go b/aws/resource_aws_network_acl_association_test.go
@@ -0,0 +1,55 @@
+package aws
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSNetworkAclAssociation(t *testing.T) {
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ IDRefreshName: "aws_network_acl.acl_a",
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSNetworkAclDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSNetworkAclAssoc,
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.acl_a", "aws_subnet.sunet_a"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccAWSNetworkAclAssoc = `
+resource "aws_vpc" "testespvpc" {
+ cidr_block = "10.1.0.0/16"
+ tags {
+ Name = "testAccAWSNetworkAclEsp"
+ }
+}
+
+ resource "aws_network_acl" "acl_a" {
+ vpc_id = "${aws_vpc.testespvpc.id}"
+
+ tags {
+ Name = "terraform test"
+ }
+ }
+
+ resource "aws_subnet" "sunet_a" {
+ vpc_id = "${aws_vpc.testespvpc.id}"
+ cidr_block = "10.0.33.0/24"
+ tags {
+ Name = "terraform test"
+ }
+ }
+
+ resource "aws_network_acl_association" "test" {
+ network_acl_id = "${aws_network_acl.acl_a.id}"
+ subnet_id = "${aws_subnet.subnet_a.id}"
+ }
+}`
diff --git a/website/aws.erb b/website/aws.erb
@@ -1500,6 +1500,10 @@
  <a href="/docs/providers/aws/r/network_acl.html">aws_network_acl</a>
  </li>
 
+ <li<%= sidebar_current("docs-aws-resource-network-acl-association") %>>
+ <a href="/docs/providers/aws/r/network_acl_association.html">aws_network_acl_association</a>
+ </li>
+
  <li<%= sidebar_current("docs-aws-resource-network-acl-rule") %>>
  <a href="/docs/providers/aws/r/network_acl_rule.html">aws_network_acl_rule</a>
  </li>

diff --git a/website/docs/r/network_acl_assoc.html.markdown b/website/docs/r/network_acl_assoc.html.markdown
@@ -0,0 +1,33 @@
+---
+layout: "aws"
+page_title: "AWS: aws_network_acl_association"
+sidebar_current: "docs-aws-resource-network-acl-association"
+description: |-
+ Provides an network ACL association resource.
+---
+
+Provides an network ACL association resource. You might set up network ACLs associate to your subnet.
+
+## Example Usage
+
+```hcl
+resource "aws_network_acl_association" "main" {
+ network_acl_id = "${aws_network_acl.main.id}"
+ subnet_id = "${aws_subnet.main.id}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `network_acl_id` - (Required) The ID of the network acl .
+* `subnet_id` - (Required) The ID of the associated Subnet.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The ID of the network ACL
+* `network_acl_id` - The ID of the network ACL
+* `subnet_id` - The ID of the subnet id