diff --git a/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule.go b/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule.go
index 80484540a..80a7d807a 100644
--- a/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule.go
+++ b/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule.go
@@ -455,12 +455,27 @@ func resourceCloudStackNetworkACLRuleDeleteRule(
 func resourceCloudStackNetworkACLRuleHash(v interface{}) int {
 	var buf bytes.Buffer
 	m := v.(map[string]interface{})
+
+	// This is a little ugly, but it's needed because these arguments have
+	// a default value that needs to be part of the string to hash
+	var action, trafficType string
+	if a, ok := m["action"]; ok {
+		action = a.(string)
+	} else {
+		action = "allow"
+	}
+	if t, ok := m["traffic_type"]; ok {
+		trafficType = t.(string)
+	} else {
+		trafficType = "ingress"
+	}
+
 	buf.WriteString(fmt.Sprintf(
 		"%s-%s-%s-%s-",
-		m["action"].(string),
+		action,
 		m["source_cidr"].(string),
 		m["protocol"].(string),
-		m["traffic_type"].(string)))
+		trafficType))
 
 	if v, ok := m["icmp_type"]; ok {
 		buf.WriteString(fmt.Sprintf("%d-", v.(int)))
diff --git a/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule_test.go b/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule_test.go
index 6e8f0d207..037b9d10b 100644
--- a/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule_test.go
+++ b/builtin/providers/cloudstack/resource_cloudstack_network_acl_rule_test.go
@@ -190,7 +190,6 @@ resource "cloudstack_network_acl_rule" "foo" {
   aclid = "${cloudstack_network_acl.foo.id}"
 
   rule {
-	  action = "allow"
     source_cidr = "172.16.100.0/24"
     protocol = "tcp"
     ports = ["80", "443"]