Managed Prefix Lists

Create or Reference an Existing Managed Prefix List

The example below will create a managed prefix list named test-prefix-list and reference a built-in managed prefix list named route53-healthchecks. The key in the map object is the name that will be used to reference the prefix list in other parts of the tfvars configuration.

prefix_list = {
    "route53-healthchecks" = {
        id = "pl-0068613c321dee54b" // reference existing managed prefix list by ID
    }
    "test-prefix-list" = {
        address_family = "IPv4"
        max_entries   = 10
        entry = {
            entry1 = {
                cidr = "10.0.0.0/24"
            }
        }
    }
}

Reference a Managed Prefix List in a Security Group Rule

The example below will create a security group ingress rule named Test_Existing_Prefix_List_Allow_Ping that allows ICMP traffic from the existing managed prefix list route53-healthchecks, and a second security group rule named Test_New_Prefix_List_Allow_Ping that allows ICMP traffic from the newly created managed prefix list test-prefix-list.

Note: This example does not represent a complete configuration, only the relevant portion for referencing managed prefix lists in security group rules.

vpcs = {
    SharedInfra = {
        security_groups = {
            KuiperSG = {
                ingress = {
                    Test_Existing_Prefix_List_Allow_Ping = {
                        from_port = -1
                        to_port = -1
                        ip_protocol = "icmp"
                        prefix_list = "route53-healthchecks"
                    },
                    Test_New_Prefix_List_Allow_Ping = {
                        from_port = -1
                        to_port = -1
                        ip_protocol = "icmp"
                        prefix_list = "test-prefix-list"
                    }
                }
            }
        }
    }
}

Import an existing Managed Prefix List and Entries

When importing a populated prefix_list, you will also need to import each individual prefix_list_entry. The examples below show the import block and the related resource code.

Resource configuration

prefix_list = {
    "existing-prefix-list-name" = {
        address_family = "IPv4"
        max_entries    = 5
        entry = {
            namedEntry1 = {
                cidr = "10.8.0.0/16"
            }
            namedEntry2 = {
                cidr = "10.10.0.0/16"
            }
        }
    }
}

Import block

Note the following:

  • The pl-* id is the same in both the managed_prefix_list and managed_prefix_list_entry import blocks.
    • In the managed_prefix_list_entry block, that id is suffixed with a comma and the entry's CIDR, e.g. pl-036f188756020ca44,10.8.0.0/16.
  • In the managed_prefix_list_entry block, the resource key is the prefix_list key name + "." + the entry subkey name, e.g. existing-prefix-list-name.namedEntry1.

import {
    to = module.ec2_managed_prefix_list.aws_ec2_managed_prefix_list.ec2_managed_prefix_list["existing-prefix-list-name"]
    id = "pl-036f188756020ca44"
}

import {
    to = module.ec2_managed_prefix_list_entry.aws_ec2_managed_prefix_list_entry.ec2_managed_prefix_list_entry["existing-prefix-list-name.namedEntry1"]
    id = "pl-036f188756020ca44,10.8.0.0/16"
}

import {
    to = module.ec2_managed_prefix_list_entry.aws_ec2_managed_prefix_list_entry.ec2_managed_prefix_list_entry["existing-prefix-list-name.namedEntry2"]
    id = "pl-036f188756020ca44,10.10.0.0/16"
}
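The import blocks above follow a fixed pattern (one block for the list, one per entry, entry id = pl-id plus comma plus CIDR), which is easy to get wrong by hand for a list with many entries. The helper below is an added example, not part of this module: it derives the import targets from a constructed copy of the tfvars prefix_list map and, before doing so, checks that the entry count fits max_entries and that every CIDR is well formed and matches address_family. The module addresses and the pl-* id are the ones shown on this page; the mapping of tfvars key to existing prefix list id is an assumed input you would fill in from the AWS console or CLI.

```python
import ipaddress

# Module resource addresses as used in the import blocks on this page (assumed to match the module).
PL_ADDR = 'module.ec2_managed_prefix_list.aws_ec2_managed_prefix_list.ec2_managed_prefix_list'
ENTRY_ADDR = ('module.ec2_managed_prefix_list_entry.aws_ec2_managed_prefix_list_entry'
              '.ec2_managed_prefix_list_entry')

# Constructed sample mirroring the tfvars prefix_list map in the "Resource configuration" section.
PREFIX_LISTS = {
    "existing-prefix-list-name": {
        "address_family": "IPv4", "max_entries": 5,
        "entry": {"namedEntry1": {"cidr": "10.8.0.0/16"},
                  "namedEntry2": {"cidr": "10.10.0.0/16"}},
    },
}
# Assumed input: tfvars key -> AWS prefix list ID for lists that already exist (ID from the page's example).
EXISTING_IDS = {"existing-prefix-list-name": "pl-036f188756020ca44"}

def validate_prefix_list(name, spec):
    """Catch mistakes that would otherwise surface only at terraform apply time."""
    entries = spec.get("entry", {})
    if len(entries) > spec["max_entries"]:
        raise ValueError(f"{name}: {len(entries)} entries exceed max_entries={spec['max_entries']}")
    want = 4 if spec["address_family"] == "IPv4" else 6
    for key, ent in entries.items():
        net = ipaddress.ip_network(ent["cidr"], strict=True)  # rejects host bits set and malformed CIDRs
        if net.version != want:
            raise ValueError(f"{name}.{key}: {ent['cidr']} is not {spec['address_family']}")

def import_targets(prefix_lists, existing_ids):
    """Return (to, id) pairs for every existing prefix list and each of its entries."""
    targets = []
    for name, spec in prefix_lists.items():
        validate_prefix_list(name, spec)
        if name not in existing_ids:
            continue  # Terraform will create this one; nothing to import
        pl_id = existing_ids[name]
        targets.append((f'{PL_ADDR}["{name}"]', pl_id))
        for key, ent in spec.get("entry", {}).items():
            # entry address is "<prefix_list key>.<entry subkey>", entry id is "<pl-id>,<cidr>"
            targets.append((f'{ENTRY_ADDR}["{name}.{key}"]', f'{pl_id},{ent["cidr"]}'))
    return targets

def render_import_blocks(targets):
    """Emit HCL import blocks in the same form as the ones shown above."""
    return "\n\n".join(f'import {{\n    to = {to}\n    id = "{id_}"\n}}' for to, id_ in targets)

if __name__ == "__main__":
    print(render_import_blocks(import_targets(PREFIX_LISTS, EXISTING_IDS)))
```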