aws_network_acl_rule ignores specified ports when protocol = -1

[hashibot]

This issue was originally opened by @flamingspaz as hashicorp/terraform#6130. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform Version

0.6.14

Affected Resource(s)

• aws_network_acl_rule

Terraform Configuration Files

resource "aws_network_acl_rule" "apps-production-allowserffromstaging" {
    network_acl_id = "${aws_vpc.apps-production-vpc.default_network_acl_id}"
    rule_number    = 30
    egress         = false
    protocol       = "-1"
    rule_action    = "allow"
    cidr_block     = "${aws_vpc.apps-staging-vpc.cidr_block}"
    from_port      = 8300
    to_port        = 8302
}

Debug Output

Let me know if you need the full debug output for this but I'm not sure its needed
https://gist.github.com/flamingspaz/d020c524852563405be7c89abf9c1bc9

Expected Behavior

1. Terraform should return an error stating from_port and to_port must be 0 when protocol = "-1"

2. Documentation should be updated to indicate that the from_port and to_port values are ignored when protocol = "-1". I'm sending a PR to add a note if this is what you'd prefer.

Actual Behavior

Steps to Reproduce

1. terraform apply

[radeksimko]

Marking as duplicate of hashicorp/terraform#13012

This was resolved in hashicorp/terraform#13049 which was released as part of 0.9.2 (March 28, 2017). The resource should not show up in the diff if protocol = -1 anymore (I just verified using the example above).

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!