If I declare the following resource in a CloudFormation template,
    "CoolVpc": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
            "CidrBlock": "10.10.0.0/16",
            "Tags": [
                {"Key": "Name", "Value": "cool-vpc"}
            ]
        }
    }
... CloudFormation will dutifully comply and create my VPC, and as part of the process it will automatically create a default network ACL to go along with it. I could easily reference that ACL using the GetAtt function, like:
    "TestSubnetAcl": {
        "Type": "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties": {
            "NetworkAclId": {"Fn::GetAtt": ["CoolVpc", "DefaultNetworkAcl"]},
            "SubnetId": {"Ref": "TestSubnet"}
        }
    }
or
    "AclRule100": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "CidrBlock": "0.0.0.0/0",
            "Egress": "true",
            "Protocol": "-1",
            "RuleAction": "allow",
            "RuleNumber": "100",
            "NetworkAclId": {"Fn::GetAtt": ["CoolVpc", "DefaultNetworkAcl"]}
        }
    }
... but what if I wanted to edit the default network ACL itself? (Yes, I know the only thing that can be changed there are the Tags, but that's exactly what I want to edit.)
I've tried adding a new NetworkAcl to the template and only using that, but the unnamed default keeps hanging around and it bugs me that I don't have a way to assign tags to it that make it clear what its purpose is.
Short answer is: "you can't".
CloudFormation is designed to manage and maintain resources declared in the template. Resources that are not part of the template cannot be changed/deleted.
As a consequence, you can add NACL rule(s) in the default NACL, but with a RuleNumber that is not 100.
Rgds
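As an added example (not code from the question or the answer above), here is a small template audit that reports which subnets will end up on the VPC's unmanaged default NACL, either through an explicit Fn::GetAtt association or by having no SubnetNetworkAclAssociation at all, and which NetworkAclEntry resources target that default NACL. The template it reads is a constructed sample; the resource names in it are assumptions.

```python
import json

# Constructed sample template (not from the page): one VPC, three subnets, a tagged
# custom NACL that covers only SubnetA, and one entry added to the VPC default NACL.
TEMPLATE = json.loads("""{
 "Resources": {
  "CoolVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.10.0.0/16"}},
  "SubnetA": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "CoolVpc"}}},
  "SubnetB": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "CoolVpc"}}},
  "SubnetC": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "CoolVpc"}}},
  "AppAcl": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "CoolVpc"},
             "Tags": [{"Key": "Name", "Value": "app-acl"}]}},
  "AssocA": {"Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": {
             "SubnetId": {"Ref": "SubnetA"}, "NetworkAclId": {"Ref": "AppAcl"}}},
  "AssocB": {"Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": {
             "SubnetId": {"Ref": "SubnetB"},
             "NetworkAclId": {"Fn::GetAtt": ["CoolVpc", "DefaultNetworkAcl"]}}},
  "AclRule100": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
             "NetworkAclId": {"Fn::GetAtt": ["CoolVpc", "DefaultNetworkAcl"]},
             "RuleNumber": "100", "Protocol": "-1", "RuleAction": "allow",
             "Egress": "true", "CidrBlock": "0.0.0.0/0"}}
 }
}""")


def is_default_acl(acl_id):
    """True when NetworkAclId is Fn::GetAtt [<vpc>, "DefaultNetworkAcl"], i.e. the
    ACL CloudFormation created implicitly and does not manage as a template resource."""
    ga = acl_id.get("Fn::GetAtt") if isinstance(acl_id, dict) else None
    return isinstance(ga, list) and len(ga) == 2 and ga[1] == "DefaultNetworkAcl"


def audit_nacl_coverage(template):
    """Return subnets that end up on the default NACL (explicitly via GetAtt or
    implicitly via no association at all) and the entries that target that NACL."""
    res = template["Resources"]
    subnets = {k for k, v in res.items() if v["Type"] == "AWS::EC2::Subnet"}
    managed_acls = {k for k, v in res.items() if v["Type"] == "AWS::EC2::NetworkAcl"}
    covered = set()  # subnets associated with a NACL the template itself manages
    for v in res.values():
        if v["Type"] == "AWS::EC2::SubnetNetworkAclAssociation":
            acl_id = v["Properties"]["NetworkAclId"]
            if isinstance(acl_id, dict) and acl_id.get("Ref") in managed_acls:
                covered.add(v["Properties"]["SubnetId"]["Ref"])
    entries = {k: v["Properties"]["RuleNumber"] for k, v in res.items()
               if v["Type"] == "AWS::EC2::NetworkAclEntry"
               and is_default_acl(v["Properties"]["NetworkAclId"])}
    return {"subnets_on_default_acl": sorted(subnets - covered), "default_acl_entries": entries}
```

Calling `audit_nacl_coverage(TEMPLATE)` on the sample flags SubnetB and SubnetC as sitting on the default NACL and lists AclRule100 as the one entry that modifies it.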