Creates an entry (a rule) in a network ACL with the specified rule number.

Example Usage

resource "aws_network_acl" "bar" {
    vpc_id = "${}"
resource "aws_network_acl_rule" "bar" {
    network_acl_id = "${}"
    rule_number = 200
    egress = false
    protocol = "tcp"
    rule_action = "allow"
    cidr_block = ""
    from_port = 22
    to_port = 22

Argument Reference

The following arguments are supported:

  • network_acl_id - (Required) The ID of the network ACL.
  • rule_number - (Required) The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
  • egress - (Optional, bool) Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
  • protocol - (Required) The protocol. A value of -1 means all protocols.
  • rule_action - (Required) Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
  • cidr_block - (Required) The network range to allow or deny, in CIDR notation (for example ).
  • from_port - (Optional) The from port to match.
  • to_port - (Optional) The to port to match.
  • icmp_type - (Optional) ICMP protocol: The ICMP type. Required if specifying ICMP for the protocol. e.g. -1
  • icmp_code - (Optional) ICMP protocol: The ICMP code. Required if specifying ICMP for the protocol. e.g. -1

~> NOTE: If the value of protocol is -1 or all, the from_port and to_port values will be ignored and the rule will apply to all ports.

~> NOTE: If the value of icmp_type is -1 (which results in a wildcard ICMP type), the icmp_code must also be set to -1 (wildcard ICMP code).

~> Note: For more information on ICMP types and codes, see here:

Attributes Reference

The following attributes are exported:

  • id - The ID of the network ACL Rule