
Deleting or modifying the existing Network ACL Rule #1212

Closed
VenkatH opened this issue Jan 10, 2024 · 6 comments
Assignees
Labels
awaiting-feedback Blocked on input from the author kind/bug Some behavior is incorrect or out of spec resolution/by-design This issue won't be fixed because the functionality is working as designed

Comments

@VenkatH

VenkatH commented Jan 10, 2024

What happened?

I have tried to modify the existing rule of a Network ACL. I tried a few options but had no luck. I referred to a code snippet and got the NetworkAclEntryAlreadyExists error.

Example

import pulumi
import pulumi_aws as aws

# Replace these variables with appropriate values.
acl_id = "acl-abcdefgh"  # The ID of the Network ACL
rule_number = 100        # The number of the rule you want to replace

# Note: AWS does not allow modification of an existing NetworkAclEntry
# Therefore, you should first delete the existing one and then create a new one.
# This is an example of removing an ingress rule;
# for egress, you would set the `egress` parameter to True.

# Delete the existing Network ACL rule
existing_rule = aws.ec2.NetworkAclRule("existing-rule",
                                       network_acl_id=acl_id,
                                       rule_number=rule_number,
                                       egress=False,
                                       opts=pulumi.ResourceOptions(delete_before_replace=True))

# Create a new Network ACL rule
new_rule = aws.ec2.NetworkAclRule("new-rule",
                                  network_acl_id=acl_id,
                                  rule_number=rule_number, # This can be the same as the deleted rule if desired
                                  egress=False,
                                  protocol="tcp",         # Example for TCP; modify as needed
                                  from_port=80,           # Example port; modify as needed
                                  to_port=80,             # Example port; modify as needed
                                  rule_action="allow",    # Can be "allow" or "deny"
                                  cidr_block="0.0.0.0/0", # Modify with your CIDR block
                                  opts=pulumi.ResourceOptions(depends_on=[existing_rule]))

# Export the ID of the new Network ACL rule
pulumi.export('new_rule_id', new_rule.id)

Output of pulumi about

Version v3.100.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@VenkatH VenkatH added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 10, 2024
@iwahbe
Member

iwahbe commented Jan 12, 2024

Hey @VenkatH. It sounds like:

  • You have an existing aws.ec2.NetworkAclRule in Pulumi, and would like to change some property on that rule.
  • When you run pulumi up on that change, you get NetworkAclEntryAlreadyExists.

If I understand the problem correctly, then I think you should only declare one resource in your Pulumi program. From the example you gave:

import pulumi
import pulumi_aws as aws

# Replace these variables with appropriate values.
acl_id = "acl-abcdefgh"  # The ID of the Network ACL
rule_number = 100        # The number of the rule you want to replace

# This is the only NetworkAclRule that you need to declare
existing_rule = aws.ec2.NetworkAclRule("existing-rule",
                                       network_acl_id=acl_id,
                                       rule_number=rule_number,
                                       egress=False,
                                       opts=pulumi.ResourceOptions(delete_before_replace=True, replace_on_changes=["*"]))

replace_on_changes=["*"] means that the resource will replace (delete the old rule, then create a new rule) on any property change.

Let me know if that helps.

@iwahbe iwahbe added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 12, 2024
@VenkatH
Author

VenkatH commented Jan 12, 2024

Thanks for the reply @iwahbe

I intend to delete the existing rule and add a new rule, and the snippet below doesn’t achieve it.

# Getting the existing network acls id
vpc_network_acl = aws.ec2.get_network_acls(
    vpc_id=mws_customer_vpc.vpc_id,
).ids[0]

# Trying to delete the existing egress rule
delete_rule = aws.ec2.NetworkAclRule(
    resource_name=pulumi_resource_name,
    opts=ResourceOptions(delete_before_replace=True, replace_on_changes=["*"]),
    network_acl_id=network_acl_id,
    cidr_block="0.0.0.0/0",
    egress=True,
    protocol="all",
    rule_action="allow",
    rule_number=100,
)
aws.ec2.NetworkAclRule(
    resource_name=pulumi_resource_name,
    opts=ResourceOptions(depends_on=[vpc]),
    network_acl_id=network_acl_id,
    cidr_block="0.0.0.0/0",
    egress=True,
    from_port=XXX,
    to_port=XXX,
    protocol="all",
    rule_action="allow",
    rule_number=99,
)

So, I tried to delete the rule alone. I initially tried to avoid passing CIDR and rule_action values, but it’s very strange that it forces us to provide those values even though they are declared by default None in the NetworkAclRule.

# Getting the existing network acls id
vpc_network_acl = aws.ec2.get_network_acls(
    vpc_id=mws_customer_vpc.vpc_id,
).ids[0]

# Trying to delete the existing egress rule
delete_rule = aws.ec2.NetworkAclRule(
    resource_name=pulumi_resource_name,
    opts=ResourceOptions(delete_before_replace=True, replace_on_changes=["*"]),
    network_acl_id=network_acl_id,
    cidr_block="0.0.0.0/0",
    egress=True,
    protocol="all",
    rule_action="allow",
    rule_number=100,
)

@iwahbe
Member

iwahbe commented Jan 12, 2024

I'm not 100% sure I understand what you're trying to do now, so let me know if what I'm saying doesn't make sense or isn't applicable:

Pulumi is declarative. If you just want to delete a rule, you only need to remove the rule declaration from your python code and run pulumi up. Pulumi will see that the rule is no longer there, and delete it.

If you declare two rules, pulumi will ensure that both of them exist (creating them if they don't).

Does that help?

@VenkatH
Author

VenkatH commented Jan 13, 2024

My bad; I should have been clear in my initial message. I created VPC using awsx, which makes network ACL part of it with default egress and ingress rule allowing all traffic for 0.0.0.0/0.

As my deployment doesn’t require all traffic egress rules, I have to remove the default egress rule set as part of VPC creation and add the necessary egress rules for the deployment.

@iwahbe, please let me know if it makes sense; if not, I can provide more details. Again thanks for your help.

@iwahbe
Member

iwahbe commented Feb 2, 2024

Sorry for being slow to reply. This issue fell through the cracks of my GH mailbox. You are trying to move a resource outside of an awsx component, but then you end up creating the ACL twice in your code, which errors with NetworkAclEntryAlreadyExists. I'm not 100% sure, but I think the problem isn't with AWS, but some combination of your program and AWSx.

I'm going to move this issue to AWSx, since they might be more familiar with the problem.

@iwahbe iwahbe added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Feb 2, 2024
@iwahbe iwahbe transferred this issue from pulumi/pulumi-aws Feb 2, 2024
@mjeffryes
Member

Hi @VenkatH, IIUC it sounds like you need to modify the VPC created by awsx to replace the egress rules? You should be able to accomplish that by using transformations (see "Resource Options" in the Pulumi docs) on the VPC to modify the egress rule it creates.
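As an added example (not code from this issue, from pulumi-aws or from awsx), here is what that transformation approach looks like in Python. It assumes, as the reply above suggests, that the allow-all egress rule surfaces as a child aws.ec2.NetworkAclRule of the awsx VPC with plain (non-Output) property values; the type token string is Pulumi's real token for that resource, while the replacement policy (HTTPS only, to 10.0.0.0/8) and the VPC name are constructed for illustration. The matching and rewriting logic is kept in plain functions so it can be exercised without the Pulumi SDK; the Pulumi wiring sits under the `__main__` guard.

```python
from typing import Any, Dict, Optional

# Pulumi's registered type token for aws.ec2.NetworkAclRule.
NACL_RULE_TYPE = "aws:ec2/networkAclRule:NetworkAclRule"

# Constructed replacement policy (an assumption for this example): instead of
# allowing every protocol to 0.0.0.0/0, allow only HTTPS to a private range.
RESTRICTED_EGRESS: Dict[str, Any] = {
    "protocol": "tcp",
    "from_port": 443,
    "to_port": 443,
    "cidr_block": "10.0.0.0/8",
    "rule_action": "allow",
}


def _as_dict(props: Any) -> Dict[str, Any]:
    """A transformation may see props as a dict or as a generated *Args object."""
    return dict(props) if isinstance(props, dict) else dict(vars(props))


def is_allow_all_egress(type_: str, props: Any) -> bool:
    """True for an egress NetworkAclRule that allows every protocol to 0.0.0.0/0.

    Only already-known values are compared: a cidr_block or protocol that is
    still a pulumi.Output will not match, and that rule is left untouched.
    """
    if type_ != NACL_RULE_TYPE:
        return False
    p = _as_dict(props)
    return (
        bool(p.get("egress"))
        and p.get("rule_action") == "allow"
        and p.get("cidr_block") == "0.0.0.0/0"
        and str(p.get("protocol")) in ("all", "-1")
    )


def restrict_egress_props(type_: str, props: Any) -> Optional[Dict[str, Any]]:
    """Return the narrowed property set for an allow-all egress rule, else None."""
    if not is_allow_all_egress(type_, props):
        return None
    new_props = _as_dict(props)
    new_props.update(RESTRICTED_EGRESS)  # rule_number and network_acl_id are kept
    return new_props


def restrict_egress_transformation(args):
    """Pulumi transformation; args is a pulumi.ResourceTransformationArgs.

    Returning None leaves the resource as declared; returning a
    ResourceTransformationResult swaps in the narrowed properties.
    """
    new_props = restrict_egress_props(args.type_, args.props)
    if new_props is None:
        return None
    import pulumi  # lazy import keeps the matching logic usable without the SDK

    return pulumi.ResourceTransformationResult(props=new_props, opts=args.opts)


if __name__ == "__main__":
    # Wiring inside a Pulumi program (run with `pulumi up`; needs pulumi and
    # pulumi_awsx installed). Transformations set on a component resource are
    # inherited by every child it creates, so the rule is rewritten in place
    # rather than declared a second time under rule number 100.
    import pulumi
    import pulumi_awsx as awsx

    vpc = awsx.ec2.Vpc(
        "vpc",  # hypothetical resource name
        opts=pulumi.ResourceOptions(transformations=[restrict_egress_transformation]),
    )
    pulumi.export("vpc_id", vpc.vpc_id)
```

Because only one declaration of the rule ever exists in the program, Pulumi does not try to create a second entry with the same rule number, which is the condition behind NetworkAclEntryAlreadyExists. If the rule's properties arrive as Outputs rather than plain values, the matcher deliberately does nothing, so check the `pulumi preview` diff to confirm the rewrite actually applied.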

@mjeffryes mjeffryes added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Feb 2, 2024
@mjeffryes mjeffryes self-assigned this Mar 1, 2024
@mjeffryes mjeffryes added the resolution/by-design This issue won't be fixed because the functionality is working as designed label Mar 1, 2024