
Support New Resource and Data Source for EC2 Managed Prefix Lists #13986

Closed
ewbankkit opened this issue Jun 29, 2020 · 24 comments · Fixed by #14068
Labels: enhancement (Requests to existing resources that expand the functionality or scope); new-resource (Introduces a new resource); service/ec2 (Issues and PRs that pertain to the ec2 service).

@ewbankkit
Contributor

ewbankkit commented Jun 29, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Virtual Private Cloud (VPC) customers can now create and manage their own Prefix Lists to simplify VPC configurations.

New or Affected Resource(s)

New
  • aws_ec2_managed_prefix_list
Affected
  • aws_route_table
  • aws_route

Potential Terraform Configuration

resource "aws_ec2_managed_prefix_list" "example" {
  name           = "example"  # required by the released resource
  address_family = "IPv4"
  max_entries    = 1          # hard cap on the number of entries

  entry {
    cidr        = "0.0.0.0/0"
    description = "Everywhere"
  }
}

References

Announcement.
User guide.

Requires AWS SDK v1.32.12:
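As an added example that is not from the issue or the provider's own documentation, this is the shape a practitioner would want once the resource landed: a customer-managed prefix list holding the office egress ranges, referenced from an ingress rule on a bastion security group so that the allowlist is maintained in one place instead of being copied into every rule. The list name, the CIDRs, the `corp_ranges` and `vpc_id` variables and the bastion group are all constructed for illustration; `prefix_list_ids` on `aws_security_group_rule` is the argument the thread later reports as working for ingress. `max_entries` is a hard cap, so it is sized with headroom here; a list that is full rejects further entries until the cap is raised. Route table usage is deliberately left out, since the thread splits the `aws_route` change into a separate issue.

```terraform
# Added example: a customer-managed prefix list used as an ingress allowlist.
# Names, CIDRs and the bastion security group are constructed for illustration.

variable "vpc_id" {
  description = "VPC that will hold the bastion security group (assumed to exist)."
  type        = string
}

variable "corp_ranges" {
  description = "Constructed office egress ranges, keyed by description."
  type        = map(string)
  default = {
    "London office"    = "198.51.100.0/24"
    "Berlin office"    = "203.0.113.0/25"
    "VPN concentrator" = "192.0.2.16/28"
  }
}

resource "aws_ec2_managed_prefix_list" "corp" {
  name           = "corp-egress-ranges"
  address_family = "IPv4"
  # Hard cap on entries; leave headroom so the list can grow without resizing.
  max_entries = 10

  # One entry per range; the map key becomes the per-entry description.
  dynamic "entry" {
    for_each = var.corp_ranges
    content {
      cidr        = entry.value
      description = entry.key
    }
  }

  tags = {
    Owner = "netsec"
  }
}

resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion host, SSH only from corporate ranges"
  vpc_id      = var.vpc_id
}

# Ingress is restricted to the prefix list rather than a hand-copied CIDR list,
# so adding or retiring an office changes exactly one resource.
resource "aws_security_group_rule" "bastion_ssh" {
  type              = "ingress"
  security_group_id = aws_security_group.bastion.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  prefix_list_ids   = [aws_ec2_managed_prefix_list.corp.id]
  description       = "SSH from corporate ranges via prefix list"
}

output "corp_prefix_list_id" {
  value = aws_ec2_managed_prefix_list.corp.id
}
```

Because `entry` blocks are generated from the map, the `max_entries` cap has to be at least the map size or the apply fails; keeping the cap well above the current count avoids a resize every time a range is added.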

@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 29, 2020
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jun 29, 2020
@ewbankkit ewbankkit added the new-resource Introduces a new resource. label Jun 29, 2020
@roberth-k
Contributor

I'll work on a PR for this.

Additional affected resources:

aws_security_group
aws_security_group_rule

@ewbankkit
Contributor Author

@roberth-k Thanks for offering to tackle this.
I am working on some other fixes/enhancements for routes and route tables and can do the work to change destination_prefix_list_id from a Computed-only attribute to an Optional and Computed attribute.
Let us know if you need any assistance.

@roberth-k
Contributor

Thanks @ewbankkit -- if you could update destination_prefix_list_id in aws_route it would be helpful. This attribute should be added to the matching data resource as well. One of the vendor prefix lists such as com.amazonaws.eu-west-1.s3 (via data_source_aws_prefix_list) should work for acceptance testing.

@yermulnik

Any idea re approx ETA for this feature release?

@forty

forty commented Aug 25, 2020

Just a note that support could also be added to transit gateway route table resources https://aws.amazon.com/fr/about-aws/whats-new/2020/08/amazon-transit-gateway-customers-use-own-prefix-lists-simplify-ip-management/

@roshpr

roshpr commented Sep 3, 2020

Any idea on the release this feature will be available?

@rryke

rryke commented Sep 17, 2020

also looking forward to this feature

@ewbankkit
Contributor Author

Blog post.

@Hany-Benz

Hello here,

Any update regarding the release of this feature ?

@scott881994

Will this feature also add an aws_managed_prefix_list data source as well?

@Tensho
Contributor

Tensho commented Oct 16, 2020

@scott881994 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/prefix_list

@JosephHobbs

JosephHobbs commented Oct 17, 2020

Just for clarification, there are essentially two types of prefix lists in AWS: AWS managed and Customer Managed. The existing prefix_list data source @Tensho referenced uses the DescribePrefixLists API (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePrefixLists.html) and will only return AWS managed prefix lists.

What I believe we're looking for is a data_source to reference Customer managed prefix lists which would need to call the DescribeManagedPrefixLists API (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html). To take it one step further, I'd love to see the ability to also create/manage customer-managed prefix lists.

@roberth-k
Contributor

Hi @JosephHobbs; #14110 updates the aws_prefix_list data source such that it returns both AWS-managed and customer-managed prefix lists. The PR goes into detail about why, but in essence, the managed prefix list APIs are a superset, and the same is reflected in CloudFormation as well.
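The two kinds of prefix list discussed in the last two comments, resolved by data source and fed into egress rules, as an added example that is not part of the issue or of the provider's documentation. The AWS-managed S3 gateway list is looked up through `aws_prefix_list` by its regional name (the same `com.amazonaws.<region>.s3` pattern mentioned earlier in the thread), and a customer-managed list is looked up through the `aws_ec2_managed_prefix_list` data source; the list name `corp-egress-ranges`, the `vpc_id` variable and the worker security group are assumptions. The security point is egress restriction: the group ends up with no 0.0.0.0/0 egress, only HTTPS to the S3 gateway ranges and to the corporate ranges.

```terraform
# Added example: both kinds of prefix list resolved by data source and used as
# an egress allowlist. "corp-egress-ranges" is assumed to be an existing
# customer-managed list; the VPC id is supplied by the caller.

variable "vpc_id" {
  description = "VPC for the worker security group (assumed to exist)."
  type        = string
}

data "aws_region" "current" {}

# AWS-managed list: the S3 gateway endpoint ranges for this region.
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

# Customer-managed list, resolved through the managed prefix list API.
data "aws_ec2_managed_prefix_list" "corp" {
  name = "corp-egress-ranges"
}

resource "aws_security_group" "worker" {
  name        = "worker-restricted-egress"
  description = "Workers may only reach S3 (gateway endpoint) and corporate ranges"
  vpc_id      = var.vpc_id
  # No egress block here: the provider removes AWS's default allow-all
  # egress rule on create, so only the rules below remain.
}

resource "aws_security_group_rule" "worker_to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.worker.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
  description       = "HTTPS to S3 via gateway endpoint ranges only"
}

resource "aws_security_group_rule" "worker_to_corp" {
  type              = "egress"
  security_group_id = aws_security_group.worker.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.corp.id]
  description       = "HTTPS back to corporate ranges"
}

# The two data sources expose their contents differently: a flat CIDR list
# for the AWS-managed one, entry objects with descriptions for the managed one.
output "s3_cidrs" {
  value = data.aws_prefix_list.s3.cidr_blocks
}

output "corp_cidrs" {
  value = [for e in data.aws_ec2_managed_prefix_list.corp.entries : e.cidr]
}
```

The S3 gateway prefix list only covers traffic that leaves through a gateway endpoint, so this group is a meaningful restriction only in a VPC that has one; without it, the egress rule allows nothing useful, which is the safe failure direction.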

@JosephHobbs

Hi @JosephHobbs; #14110 updates the aws_prefix_list data source such that it returns both AWS-managed and customer-managed prefix lists. The PR goes into detail about why, but in essence, the managed prefix list APIs are a superset, and the same is reflected in CloudFormation as well.

That's awesome. Thanks for the clarification/information! I can't wait until this feature is available...

@breathingdust
Member

Hi all! 👋 Just wanted to direct you to our public roadmap for this quarter (Nov-Jan) in which this item has been mentioned.

Due to the significant community interest in support for this feature, we will be looking at merging existing contributions soon.

We appreciate all the contributions and feedback thus far.

Look out for support in the provider soon!

@bflad bflad self-assigned this Nov 30, 2020
@bflad bflad added this to the Roadmap milestone Dec 3, 2020
@bflad
Contributor

bflad commented Dec 3, 2020

To provide an update, this is now under active review and should be released within the next 3 weeks or so. Shout out to @roberth-k for the implementation efforts so far. 🎉

@bflad
Contributor

bflad commented Dec 3, 2020

For housekeeping purposes, please note that this issue will be specifically for tracking the creation of the following (and I will update the title):

  • New Data Source: aws_ec2_managed_prefix_list
  • New Resource: aws_ec2_managed_prefix_list

For following EC2 Route and EC2 Route Table updates, please see: #15273

For following EC2 Transit Gateway Prefix List Reference updates, please see: #16572

If there is other functionality that should be updated as part of supporting EC2 Managed Prefix Lists, please create other new GitHub issues. 👍

@bflad bflad changed the title Feature request: Managed prefix lists Support New Resource and Data Source for EC2 Managed Prefix Lists Dec 3, 2020
@ahmgithubahm

If there is other functionality that should be updated as part of supporting EC2 Managed Prefix Lists, please create other new GitHub issues. 👍

Just to clarify, if we wanted support for using user-managed prefix lists in ingress and egress security group rules, that'd be under a new issue?

cheers

@bflad
Contributor

bflad commented Dec 7, 2020

@ahmgithubahm great question, and yes please, create a separate issue to ensure we do not miss that!

@roberth-k
Contributor

@ahmgithubahm

Just to clarify, if we wanted support for using user-managed prefix lists in ingress and egress security group rules, that'd be under a new issue?

cheers

AWS-managed and (customer) Managed Prefix Lists form a shared namespace, i.e. the prefix_list_ids of a security group rule should support both.

@ahmgithubahm

I was half-way through raising the enhancement request, but thought I'd better check what happens if you try using the prefix_list_ids argument on an ingress rule in an aws_security_group_rule - and ... it just works. Obviously I hard-coded the pl-nnnn id, but the ingress rule was successfully created.

It seems that despite the documentation for prefix_list_ids in aws_security_group_rule saying it's for egress only, this is not actually enforced by Terraform (AWS provider 3.20.0), so can be successfully used for ingress as well, with any valid prefix list ids, even customer-managed.

I have not tested this in the aws_security_group resource, since I set all security group rules separately.

@bflad
Contributor

bflad commented Dec 17, 2020

Support for the new aws_ec2_managed_prefix_list resource and data source has been merged in and will release with version 3.22.0 of the Terraform AWS Provider, likely tomorrow. Thank you to @roberth-k for the implementation work. 👍

For operators in AWS GovCloud (US) and potentially other partitions, please note that the EC2 API does not yet support this functionality.

Follow-up issues for tracking:

@ghost

ghost commented Dec 18, 2020

This has been released in version 3.22.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Jan 16, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 16, 2021