diff --git a/builtin/providers/aws/resource_aws_network_acl_rule.go b/builtin/providers/aws/resource_aws_network_acl_rule.go index ad3f302a3..9064ddc27 100644 --- a/builtin/providers/aws/resource_aws_network_acl_rule.go +++ b/builtin/providers/aws/resource_aws_network_acl_rule.go @@ -21,54 +21,59 @@ func resourceAwsNetworkAclRule() *schema.Resource { Delete: resourceAwsNetworkAclRuleDelete, Schema: map[string]*schema.Schema{ - "network_acl_id": &schema.Schema{ + "network_acl_id": { Type: schema.TypeString, Required: true, ForceNew: true, }, - "rule_number": &schema.Schema{ + "rule_number": { Type: schema.TypeInt, Required: true, ForceNew: true, }, - "egress": &schema.Schema{ + "egress": { Type: schema.TypeBool, Optional: true, ForceNew: true, Default: false, }, - "protocol": &schema.Schema{ + "protocol": { Type: schema.TypeString, Required: true, ForceNew: true, }, - "rule_action": &schema.Schema{ + "rule_action": { Type: schema.TypeString, Required: true, ForceNew: true, }, - "cidr_block": &schema.Schema{ + "cidr_block": { Type: schema.TypeString, - Required: true, + Optional: true, ForceNew: true, }, - "from_port": &schema.Schema{ + "ipv6_cidr_block": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, + "from_port": { Type: schema.TypeInt, Optional: true, ForceNew: true, }, - "to_port": &schema.Schema{ + "to_port": { Type: schema.TypeInt, Optional: true, ForceNew: true, }, - "icmp_type": &schema.Schema{ + "icmp_type": { Type: schema.TypeString, Optional: true, ForceNew: true, ValidateFunc: validateICMPArgumentValue, }, - "icmp_code": &schema.Schema{ + "icmp_code": { Type: schema.TypeString, Optional: true, ForceNew: true, @@ -97,7 +102,6 @@ func resourceAwsNetworkAclRuleCreate(d *schema.ResourceData, meta interface{}) e Egress: aws.Bool(d.Get("egress").(bool)), RuleNumber: aws.Int64(int64(d.Get("rule_number").(int))), Protocol: aws.String(strconv.Itoa(p)), - CidrBlock: aws.String(d.Get("cidr_block").(string)), RuleAction: aws.String(d.Get("rule_action").(string)), PortRange: &ec2.PortRange{ From: aws.Int64(int64(d.Get("from_port").(int))), @@ -105,6 +109,14 @@ func resourceAwsNetworkAclRuleCreate(d *schema.ResourceData, meta interface{}) e }, } + if v, ok := d.GetOk("cidr_block"); ok { + params.CidrBlock = aws.String(v.(string)) + } + + if v, ok := d.GetOk("ipv6_cidr_block"); ok { + params.Ipv6CidrBlock = aws.String(v.(string)) + } + // Specify additional required fields for ICMP. For the list // of ICMP codes and types, see: http://www.nthelp.com/icmp.html if p == 1 { @@ -160,6 +172,7 @@ func resourceAwsNetworkAclRuleRead(d *schema.ResourceData, meta interface{}) err d.Set("rule_number", resp.RuleNumber) d.Set("cidr_block", resp.CidrBlock) + d.Set("ipv6_cidr_block", resp.Ipv6CidrBlock) d.Set("egress", resp.Egress) if resp.IcmpTypeCode != nil { d.Set("icmp_code", resp.IcmpTypeCode.Code) diff --git a/builtin/providers/aws/resource_aws_network_acl_rule_test.go b/builtin/providers/aws/resource_aws_network_acl_rule_test.go index 728b80208..b8bed27ca 100644 --- a/builtin/providers/aws/resource_aws_network_acl_rule_test.go +++ b/builtin/providers/aws/resource_aws_network_acl_rule_test.go @@ -20,7 +20,7 @@ func TestAccAWSNetworkAclRule_basic(t *testing.T) { Providers: testAccProviders, CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, Steps: []resource.TestStep{ - resource.TestStep{ + { Config: testAccAWSNetworkAclRuleBasicConfig, Check: resource.ComposeTestCheckFunc( testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl), @@ -32,6 +32,24 @@ func TestAccAWSNetworkAclRule_basic(t *testing.T) { }) } +func TestAccAWSNetworkAclRule_ipv6(t *testing.T) { + var networkAcl ec2.NetworkAcl + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSNetworkAclRuleIpv6Config, + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl), + ), + }, + }, + }) +} + func TestResourceAWSNetworkAclRule_validateICMPArgumentValue(t *testing.T) { type testCases struct { Value string @@ -195,3 +213,23 @@ resource "aws_network_acl_rule" "wibble" { icmp_code = -1 } ` + +const testAccAWSNetworkAclRuleIpv6Config = ` +resource "aws_vpc" "foo" { + cidr_block = "10.3.0.0/16" +} +resource "aws_network_acl" "bar" { + vpc_id = "${aws_vpc.foo.id}" +} +resource "aws_network_acl_rule" "baz" { + network_acl_id = "${aws_network_acl.bar.id}" + rule_number = 150 + egress = false + protocol = "tcp" + rule_action = "allow" + ipv6_cidr_block = "::/0" + from_port = 22 + to_port = 22 +} + +` diff --git a/website/source/docs/providers/aws/r/network_acl_rule.html.markdown b/website/source/docs/providers/aws/r/network_acl_rule.html.markdown index 85a12afdb..cfd9eb6e6 100644 --- a/website/source/docs/providers/aws/r/network_acl_rule.html.markdown +++ b/website/source/docs/providers/aws/r/network_acl_rule.html.markdown @@ -38,7 +38,8 @@ The following arguments are supported: * `egress` - (Optional, bool) Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default `false`. * `protocol` - (Required) The protocol. A value of -1 means all protocols. * `rule_action` - (Required) Indicates whether to allow or deny the traffic that matches the rule. Accepted values: `allow` | `deny` -* `cidr_block` - (Required) The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ). +* `cidr_block` - (Optional) The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ). +* `ipv6_cidr_block` - (Optional) The IPv6 CIDR block to allow or deny. * `from_port` - (Optional) The from port to match. * `to_port` - (Optional) The to port to match. * `icmp_type` - (Optional) ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1