aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::EC2::NetworkAclEntry - PrefixListId #812

Closed rhbecker closed 1 year ago

rhbecker commented 3 years ago

Scope of request

I'm seeking support for a new attribute (PrefixListId) for an existing resource (AWS::EC2::NetworkAclEntry).

I believe the backing services would need to be enhanced before CloudFormation could support the functionality.

Expected behavior

According to the VPC service's Prefix lists documentation, a prefix list may be referenced when specifying ...

  1. a VPC security group's ingress and egress rules,
  2. a subnet route table's entries, and
  3. a transit gateway route table's entries.

It's unexpected (to me, at least) that they cannot be used when specifying a Network ACL's ingress and egress rules.

The attribute would operate in a fashion that parallels how a prefix list may be referenced when specifying a VPC security group's ingress and egress rules, which is already supported by the service and via CloudFormation.

Helpful Links to speed up research and evaluation

Category tags

sbwrege2z commented 3 years ago

I would also like prefix lists to be able to be referenced by network ACLs if possible.

At a minimum it would be nice if a route could reference DestinationPrefixListId the same as a security group (which is already available through the CLI and the console, but not through a CloudFormation template).

rhbecker commented 3 years ago

Issue #572 seems to be about that. I suppose that's the more likely to receive CloudFormation support, given the functionality is already supported by the underlying service.

rhbecker commented 3 years ago

@sbwrege2z: Would you mind adding your 👍 to the first post? That seems to be how the team tracks interest.

sbwrege2z commented 3 years ago

Done. Do you have any ideas what the issues with adding prefix list support to the network ACLs are? Is it harder because they are hardware devices? I mostly use security groups, but the ability to deny traffic through the ACLs can't easily be replicated with security groups. Being able to define a region-wide blacklist that every VPC's network ACL could use would be very nice.

rhbecker commented 3 years ago

> Done.

Thanks!

> Do you have any ideas what the issues with adding prefix list support to the network ACLs are? Is it harder because they are hardware devices?

I don't know, and I'm curious as well. AWS engineers are a clever bunch, so I assume the lack of support is not due to the idea never occurring to them.
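As an added illustration of the gap this thread describes (example code written for this page, not from AWS or the coverage roadmap repository): the first function emits the CloudFormation resource types that accept a prefix list ID today, which is the list from the first post with the route table case that #572 later shipped, and the second generates the workaround for the deny-list use case sbwrege2z raised, expanding a prefix list's CIDRs into numbered AWS::EC2::NetworkAclEntry rules in both directions. The prefix list ID, the `Ref` targets and the CIDRs are constructed placeholders; the cap on generated entries reflects the default NACL quota of 20 rules per direction, which is the practical limit of this workaround.

```python
"""Prefix lists in CloudFormation: the resources that take a PrefixListId, and
a generator for the NACL workaround (expanding the list into CIDR rules).

Added example for this thread, not code from AWS or the coverage roadmap. All
IDs, Ref targets and CIDRs are constructed placeholders (RFC 5737 / RFC 3849
ranges)."""
import ipaddress
import json

PREFIX_LIST_ID = "pl-0123456789abcdef0"   # placeholder, not a real prefix list
DENY_LIST_ENTRIES = [                     # constructed "region-wide blacklist"
    "192.0.2.0/24",      # TEST-NET-1
    "198.51.100.0/24",   # TEST-NET-2
    "203.0.113.0/24",    # TEST-NET-3
    "2001:db8::/32",     # IPv6 documentation prefix
]
NACL_RULE_QUOTA = 20          # default rules per direction (adjustable to 40)
NACL_RULE_NUMBER_MAX = 32766  # highest RuleNumber a NACL entry may use


def prefix_list_references(pl_id: str) -> dict:
    """Resource types where CloudFormation accepts a prefix list ID directly:
    security group rules, subnet route table entries (#572) and transit gateway
    route tables. AWS::EC2::NetworkAclEntry is absent because it only accepts
    CidrBlock / Ipv6CidrBlock, which is the gap this issue is about. The Ref
    targets are assumed to be defined elsewhere in the same template."""
    return {
        "AllowFromPrefixList": {        # security groups can only allow
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "AppSecurityGroup"},
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "SourcePrefixListId": pl_id,
            },
        },
        "RouteToPrefixList": {
            "Type": "AWS::EC2::Route",
            "Properties": {
                "RouteTableId": {"Ref": "PrivateRouteTable"},
                "DestinationPrefixListId": pl_id,
                "TransitGatewayId": {"Ref": "TransitGateway"},
            },
        },
        "TgwBlackholePrefixList": {
            "Type": "AWS::EC2::TransitGatewayPrefixListReference",
            "Properties": {
                "TransitGatewayRouteTableId": {"Ref": "TgwRouteTable"},
                "PrefixListId": pl_id,
                "Blackhole": True,
            },
        },
    }


def nacl_entries_from_cidrs(nacl_id, cidrs, action="deny", egress=False,
                            start_rule=100, step=10, quota=NACL_RULE_QUOTA):
    """Expand prefix-list CIDRs into numbered AWS::EC2::NetworkAclEntry rules.

    Workaround while NACL entries cannot reference a prefix list: one entry per
    CIDR. Deny rules get low numbers so they match before any allow rule (NACLs
    evaluate in ascending order and stop at the first match), and the count is
    checked against the per-direction quota, which a long list exceeds fast."""
    if len(cidrs) > quota:
        raise ValueError(f"{len(cidrs)} entries exceed the NACL rule quota of {quota}")
    if start_rule + step * (len(cidrs) - 1) > NACL_RULE_NUMBER_MAX:
        raise ValueError(f"rule numbers would exceed {NACL_RULE_NUMBER_MAX}")
    direction = "Egress" if egress else "Ingress"
    resources = {}
    for i, cidr in enumerate(cidrs):
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set / typos
        props = {
            "NetworkAclId": nacl_id,
            "RuleNumber": start_rule + step * i,
            "Protocol": -1,                # all protocols
            "RuleAction": action,
            "Egress": egress,
        }
        props["Ipv6CidrBlock" if net.version == 6 else "CidrBlock"] = str(net)
        resources[f"{action.title()}{direction}{i:02d}"] = {
            "Type": "AWS::EC2::NetworkAclEntry", "Properties": props}
    return resources


def build_template(cidrs, nacl_logical_id="VpcNacl"):
    """Assemble a template with a NACL plus deny entries in both directions.
    NACLs are stateless, so a blocklist needs the egress copy as well."""
    nacl_ref = {"Ref": nacl_logical_id}
    resources = {nacl_logical_id: {"Type": "AWS::EC2::NetworkAcl",
                                   "Properties": {"VpcId": {"Ref": "Vpc"}}}}
    resources.update(nacl_entries_from_cidrs(nacl_ref, cidrs, egress=False))
    resources.update(nacl_entries_from_cidrs(nacl_ref, cidrs, egress=True))
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


if __name__ == "__main__":
    print(json.dumps(build_template(DENY_LIST_ENTRIES), indent=2))
    print(json.dumps(prefix_list_references(PREFIX_LIST_ID), indent=2))
```

The generator refuses a list that would not fit the quota rather than silently truncating it, since a truncated deny list is a blocklist with holes; whether the quota increase to 40 is worth requesting depends on how many other rules the NACL already needs.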

sabya08 commented 1 year ago

Network ACLs (NACLs) today do not support PrefixListIds in NACL entries. So this is not a coverage issue or a bug in the CloudFormation resource AWS::EC2::NetworkAclEntry; instead this is a feature request for NACLs.

rhbecker commented 1 year ago

The announcement that issue #572 has been shipped (great news) reminded me to revisit this issue. I'm surprised to see it also has been marked as Shipped. Was the intention to close it as "won't fix"?

> Network ACLs (NACLs) today do not support PrefixListIds in NACL entries. So this is not a coverage issue or a bug in the CloudFormation resource AWS::EC2::NetworkAclEntry; instead this is a feature request for NACLs.

This is my understanding as well. Does anyone know a method for requesting this NACL feature that will reach the right 👀 on the right team at AWS?