Allow network ACL management exclusion for given subnets #898
Is your request related to a new offering from AWS?
Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.
Is your request related to a problem? Please describe.
We would like to test an AZ failure for Business Continuity Plan (BCP) or Chaos engineering.
To simulate an AZ failure, a solution is to flip the network ACL for all the subnets in an AZ and set DENY traffic to all.
Describe the solution you'd like.
We could introduce an input variable to exclude network ACL management for some given subnets.
Describe alternatives you've considered.
I don't see any other alternative.
Additional context
Current:
![Page 1](https://user-images.githubusercontent.com/1516171/221573107-a7dbd79f-3f73-42d9-8929-d90f6e75a071.png)
BCP test with one AZ failure simulation:
![BPC](https://user-images.githubusercontent.com/1516171/221573165-6aa9b5bd-6e76-4382-a436-79988eebb4ab.png)
Comments
This module already supports NACLs so you would just update the NACL rules - or am I missing something?
But how would I have a custom NACL only for 1 subnet like in the diagram above?
If you want it specifically for one subnet, I think the route you show above is the correct route (where you provide the NACL and associate it with the subnet(s) of interest). I don't think adding this into the module makes a lot of sense at this time.
What I showed above is not what is implemented, but a suggestion of what I'd like.
Understood - and I am suggesting that this is an implementation detail left to users, not the module.
The part that needs to be part of the module is this one: private_acl_excluded_subnets = ["subnet-123456789"]
This issue has been automatically marked as stale because it has been open 30 days.
This issue was automatically closed because of stale in 10 days.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
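The AZ-failure simulation described in the issue body, written out as an added Terraform example that is not part of the issue or of the terraform-aws-vpc module. It follows the route the maintainer points to (a user-provided deny-all NACL associated with the subnets of interest) rather than the requested `private_acl_excluded_subnets` input, which the module does not have. It assumes a `module.vpc` built from terraform-aws-modules/vpc/aws that exposes `vpc_id` and `private_subnets` (a list of subnet IDs); the variable names, the `failed_az` default and the tag values are constructed for illustration.

```hcl
# Added example, not code from the issue or the module.
# Flip one AZ into a deny-all network ACL for a BCP / chaos test.

variable "simulate_az_failure" {
  description = "When true, attach a deny-all NACL to every private subnet in var.failed_az."
  type        = bool
  default     = false
}

variable "failed_az" {
  description = "Availability zone whose subnets are cut off during the test."
  type        = string
  default     = "eu-west-1a" # constructed placeholder, not from the issue
}

# Resolve the AZ of each private subnet so only the failed AZ is targeted.
# Assumes module.vpc.private_subnets is the module's list of private subnet IDs.
data "aws_subnet" "private" {
  for_each = toset(module.vpc.private_subnets)
  id       = each.value
}

locals {
  failed_az_subnet_ids = [
    for s in data.aws_subnet.private : s.id if s.availability_zone == var.failed_az
  ]
}

# A NACL that matches no traffic already denies everything (implicit deny),
# but explicit deny rules make the intent visible in plan output and the console.
# NACLs are stateless, so return traffic is blocked as well, which is the point here.
resource "aws_network_acl" "az_failure" {
  count  = var.simulate_az_failure ? 1 : 0
  vpc_id = module.vpc.vpc_id

  ingress {
    protocol   = "-1"
    rule_no    = 100
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = "-1"
    rule_no    = 100
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags = { Name = "bcp-az-failure-${var.failed_az}" }
}

# A subnet has exactly one NACL association; creating this one replaces whatever
# the subnet had before. When the association is destroyed (simulate_az_failure = false),
# the provider moves the subnet back to the VPC default NACL, which ends the test.
resource "aws_network_acl_association" "az_failure" {
  for_each       = var.simulate_az_failure ? toset(local.failed_az_subnet_ids) : toset([])
  network_acl_id = aws_network_acl.az_failure[0].id
  subnet_id      = each.value
}
```

Run with `terraform apply -var simulate_az_failure=true` to start the outage and `-var simulate_az_failure=false` to end it. The caveat behind the feature request: if the module is also managing NACL associations for those subnets (dedicated-NACL mode), its own association resource and this one will overwrite each other on every apply, so check `terraform plan` for a perpetual diff; that conflict is what an exclusion input like the requested `private_acl_excluded_subnets` would avoid. With the module's default behaviour (subnets on the VPC default NACL, unmanaged by the module) there is nothing to conflict with.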