From 3c464cdddb5869071eaa0d3c06374553f629a972 Mon Sep 17 00:00:00 2001
From: Jeremy Ciak
Date: Tue, 20 Oct 2020 13:24:30 -0400
Subject: [PATCH 1/3] Adding mechanism to set subnet_ids on default network ACL to prevent orphaning
---
 main.tf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/main.tf b/main.tf
index e25caa530..e83ad6137 100644
--- a/main.tf
+++ b/main.tf
@@ -534,6 +534,27 @@ resource "aws_default_network_acl" "this" {
 default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0)
+ # The value of subnet_ids should be any subnet IDs that are not set as subnet_ids
+ # for any of the non-default network ACLs
+ subnet_ids = setsubtract(
+ compact(flatten([
+ aws_subnet.public.*.id,
+ aws_subnet.private.*.id,
+ aws_subnet.intra.*.id,
+ aws_subnet.database.*.id,
+ aws_subnet.redshift.*.id,
+ aws_subnet.elasticache.*.id,
+ ])),
+ compact(flatten([
+ aws_network_acl.public.*.subnet_ids,
+ aws_network_acl.private.*.subnet_ids,
+ aws_network_acl.intra.*.subnet_ids,
+ aws_network_acl.database.*.subnet_ids,
+ aws_network_acl.redshift.*.subnet_ids,
+ aws_network_acl.elasticache.*.subnet_ids,
+ ]))
+ )
+
 dynamic "ingress" {
 for_each = var.default_network_acl_ingress
 content {
From 6b8c2a30489667d211b9223ec3b05d0f3efb3a69 Mon Sep 17 00:00:00 2001
From: Jeremy Ciak
Date: Tue, 20 Oct 2020 13:25:11 -0400
Subject: [PATCH 2/3] Adding manage_default_network_acl specified as true to network_acls example
---
 examples/network-acls/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf
index aae541f10..ebe32f0bc 100644
--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -31,6 +31,8 @@ module "vpc" {
 private_dedicated_network_acl = true
 elasticache_dedicated_network_acl = true
+ manage_default_network_acl = true
+
 enable_ipv6 = true
 enable_nat_gateway = false
@@ -200,4 +202,3 @@ locals {
 ]
 }
 }
-
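Review bot: The new comment above subnet_ids explains the set arithmetic but not its effect: every subnet that is not attached to one of the module's dedicated network ACLs is now explicitly associated with this resource, so the rules fed into the `dynamic "ingress"` block from var.default_network_acl_ingress (and presumably its egress counterpart, not visible here) become the effective filter for those subnets whenever manage_default_network_acl is enabled. That consequence is what an operator turning the flag on needs to know, and it also means a later change that drops a dedicated ACL (as patch 3/3 does with private_dedicated_network_acl = false) silently moves those subnets under the default rules. I would extend the comment with `# Subnets listed here are filtered by the default_network_acl_ingress/egress rules below; review those rules before enabling manage_default_network_acl.` and say the same in the manage_default_network_acl variable description. The six subnet types are enumerated twice here and must be kept in step with any subnet type the module gains later, so a one-line `# keep both lists in sync with the subnet resources defined in this module` would help the next maintainer. The aws_default_network_acl resource block starts before this hunk and continues past it.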
From a628509c2162dd0fc6f243e1cf9c2c6a0500eb13 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Wed, 21 Oct 2020 19:08:41 +0200
Subject: [PATCH 3/3] Updated example a bit
---
 examples/network-acls/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf
index ebe32f0bc..8677bf2b6 100644
--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -28,7 +28,7 @@ module "vpc" {
 local.network_acls["elasticache_outbound"],
 )
- private_dedicated_network_acl = true
+ private_dedicated_network_acl = false
 elasticache_dedicated_network_acl = true
 manage_default_network_acl = true
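Review bot: Setting private_dedicated_network_acl to false means the example's private subnets are no longer covered by a dedicated ACL and, with manage_default_network_acl = true two lines below, are associated with the module-managed default network ACL instead; nothing in this hunk shows whether the example sets var.default_network_acl_ingress or its egress counterpart, so a reader cannot tell what now filters private-subnet traffic. A short comment on the changed line, `# private subnets intentionally fall under the managed default network ACL (see default_network_acl_* rules)`, would make that intent explicit rather than leaving it to the commit message. The module "vpc" block begins before this hunk and continues past it.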