fix: Addresses persistent diff with manage_default_network_acl (#737)

lorengordon · web-flow · commit d247d8e44728 · 2022-01-28T16:59:04.000+01:00
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
@@ -46,7 +46,6 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
-| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source |
 
 ## Inputs
 
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
@@ -187,12 +187,6 @@ data "aws_security_group" "default" {
   vpc_id = module.vpc.vpc_id
 }
 
-# Data source used to avoid race condition
-data "aws_vpc_endpoint" "dynamodb" {
-  vpc_id       = module.vpc.vpc_id
-  service_name = "com.amazonaws.${local.region}.dynamodb"
-}
-
 data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
   statement {
     effect    = "Deny"
@@ -208,7 +202,7 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
       test     = "StringNotEquals"
       variable = "aws:sourceVpce"
 
-      values = [data.vpc.vpc_id]
+      values = [module.vpc.vpc_id]
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -587,28 +587,9 @@ resource "aws_default_network_acl" "this" {
 
   default_network_acl_id = aws_vpc.this[0].default_network_acl_id
 
-  # The value of subnet_ids should be any subnet IDs that are not set as subnet_ids
-  #   for any of the non-default network ACLs
-  subnet_ids = setsubtract(
-    compact(flatten([
-      aws_subnet.public[*].id,
-      aws_subnet.private[*].id,
-      aws_subnet.intra[*].id,
-      aws_subnet.database[*].id,
-      aws_subnet.redshift[*].id,
-      aws_subnet.elasticache[*].id,
-      aws_subnet.outpost[*].id,
-    ])),
-    compact(flatten([
-      aws_network_acl.public[*].subnet_ids,
-      aws_network_acl.private[*].subnet_ids,
-      aws_network_acl.intra[*].subnet_ids,
-      aws_network_acl.database[*].subnet_ids,
-      aws_network_acl.redshift[*].subnet_ids,
-      aws_network_acl.elasticache[*].subnet_ids,
-      aws_network_acl.outpost[*].subnet_ids,
-    ]))
-  )
+  # subnet_ids is using lifecycle ignore_changes, so it is not necessary to list
+  # any explicitly. See https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/736.
+  subnet_ids = null
 
   dynamic "ingress" {
     for_each = var.default_network_acl_ingress
@@ -644,6 +625,10 @@ resource "aws_default_network_acl" "this" {
     var.tags,
     var.default_network_acl_tags,
   )
+
+  lifecycle {
+    ignore_changes = [subnet_ids]
+  }
 }
 
 ################################################################################

Original file line number	Diff line number	Diff line change
`@@ -187,12 +187,6 @@ data "aws_security_group" "default" {`
`187`	`187`	`vpc_id = module.vpc.vpc_id`
`188`	`188`	`}`
`189`	`189`
`190`		`-# Data source used to avoid race condition`
`191`		`-data "aws_vpc_endpoint" "dynamodb" {`
`192`		`- vpc_id = module.vpc.vpc_id`
`193`		`- service_name = "com.amazonaws.${local.region}.dynamodb"`
`194`		`-}`
`195`		`-`
`196`	`190`	`data "aws_iam_policy_document" "dynamodb_endpoint_policy" {`
`197`	`191`	`statement {`
`198`	`192`	`effect = "Deny"`
`@@ -208,7 +202,7 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" {`
`208`	`202`	`test = "StringNotEquals"`
`209`	`203`	`variable = "aws:sourceVpce"`
`210`	`204`
`211`		`- values = [data.vpc.vpc_id]`
	`205`	`+ values = [module.vpc.vpc_id]`
`212`	`206`	`}`
`213`	`207`	`}`
`214`	`208`	`}`