From d14049c8ad32a52c3d53f5eb4f48cc908b3ce644 Mon Sep 17 00:00:00 2001
From: Christopher Tiwald
Date: Wed, 6 May 2015 09:10:44 -0400
Subject: [PATCH] aws: Don't try to modify or delete the untouchable network_acl rules.

AWS includes default rules with all network ACL resources which cannot be modified by the user. Don't attempt to store them locally or change them remotely if they are already stored -- it'll consistently result in hashing problems.
---
 builtin/providers/aws/resource_aws_network_acl.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/builtin/providers/aws/resource_aws_network_acl.go b/builtin/providers/aws/resource_aws_network_acl.go
index c166aa6d84..4635bec3fc 100644
--- a/builtin/providers/aws/resource_aws_network_acl.go
+++ b/builtin/providers/aws/resource_aws_network_acl.go
@@ -151,6 +151,12 @@ func resourceAwsNetworkAclRead(d *schema.ResourceData, meta interface{}) error {
 // separate the ingress and egress rules
 for _, e := range networkAcl.Entries {
+ // Skip the default rules added by AWS. They can be neither
+ // configured or deleted by users.
+ if *e.RuleNumber == 32767 {
+ continue
+ }
+
 if *e.Egress == true {
 egressEntries = append(egressEntries, e)
 } else {
@@ -235,6 +241,15 @@ func updateNetworkAclEntries(d *schema.ResourceData, entryType string, conn *ec2
 return err
 }
 for _, remove := range toBeDeleted {
+
+ // AWS includes default rules with all network ACLs that can be
+ // neither modified nor destroyed. They have a custom rule
+ // number that is out of bounds for any other rule. If we
+ // encounter it, just continue. There's no work to be done.
+ if *remove.RuleNumber == 32767 {
+ continue
+ }
+
 // Delete old Acl
 _, err := conn.DeleteNetworkACLEntry(&ec2.DeleteNetworkACLEntryInput{
 NetworkACLID: aws.String(d.Id()),
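Review bot: The literal 32767 is compared against `*e.RuleNumber` in this hunk and again against `*remove.RuleNumber` in the updateNetworkAclEntries hunk; hoisting it into one package-level constant such as `const awsDefaultNetworkAclRuleNumber = 32767 // AWS's reserved default (catch-all) rule; not user-editable` keeps the two checks from drifting and records why that number is special. RuleNumber is a pointer field, so the new comparison adds an unguarded dereference where the loop previously only dereferenced Egress; `if e.RuleNumber != nil && *e.RuleNumber == 32767 {` avoids a panic on a nil value at no cost. The added comment's "neither configured or deleted" should read "neither configured nor deleted". The body of resourceAwsNetworkAclRead continues outside the hunk.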
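Review bot: The blank line added directly after `for _, remove := range toBeDeleted {` is stray whitespace; the read hunk puts its comment straight under the `for`, and this hunk should match. The comment would also be more useful if it said where these entries come from: presumably state written before the read path started skipping them, since that is the only way they reach toBeDeleted — worth confirming and noting, e.g. `// Only reachable via state saved before resourceAwsNetworkAclRead began skipping these entries.` The enclosing updateNetworkAclEntries begins outside the hunk.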