Remove aws_network_acl_rule if not found. (#13608)

builtin/providers/aws/resource_aws_network_acl_rule.go

@@ -163,10 +163,14 @@ func resourceAwsNetworkAclRuleCreate(d *schema.ResourceData, meta interface{}) e
 	// API (see issue GH-4721). Retry the `findNetworkAclRule` function until it is
 	// visible (which in most cases is likely immediately).
 	err = resource.Retry(3*time.Minute, func() *resource.RetryError {
-		_, findErr := findNetworkAclRule(d, meta)
+		r, findErr := findNetworkAclRule(d, meta)
 		if findErr != nil {
 			return resource.RetryableError(findErr)
 		}
+		if r == nil {
+			err := fmt.Errorf("Network ACL rule (%s) not found", d.Id())
+			return resource.RetryableError(err)
+		}
 
 		return nil
 	})
@@ -182,6 +186,11 @@ func resourceAwsNetworkAclRuleRead(d *schema.ResourceData, meta interface{}) err
 	if err != nil {
 		return err
 	}
+	if resp == nil {
+		log.Printf("[DEBUG] Network ACL rule (%s) not found", d.Id())
+		d.SetId("")
+		return nil
+	}
 
 	d.Set("rule_number", resp.RuleNumber)
 	d.Set("cidr_block", resp.CidrBlock)
@@ -257,7 +266,11 @@ func findNetworkAclRule(d *schema.ResourceData, meta interface{}) (*ec2.NetworkA
 		return nil, fmt.Errorf("Error Finding Network Acl Rule %d: %s", d.Get("rule_number").(int), err.Error())
 	}
 
-	if resp == nil || len(resp.NetworkAcls) != 1 || resp.NetworkAcls[0] == nil {
+	if resp == nil || len(resp.NetworkAcls) == 0 || resp.NetworkAcls[0] == nil {
+		// Missing NACL rule.
+		return nil, nil
+	}
+	if len(resp.NetworkAcls) > 1 {
 		return nil, fmt.Errorf(
 			"Expected to find one Network ACL, got: %#v",
 			resp.NetworkAcls)

builtin/providers/aws/resource_aws_network_acl_rule_test.go

@@ -137,6 +137,26 @@ func TestResourceAWSNetworkAclRule_validateICMPArgumentValue(t *testing.T) {
 
 }
 
+func TestAccAWSNetworkAclRule_deleteRule(t *testing.T) {
+	var networkAcl ec2.NetworkAcl
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSNetworkAclRuleBasicConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl),
+					testAccCheckAWSNetworkAclRuleDelete("aws_network_acl_rule.baz"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func testAccCheckAWSNetworkAclRuleDestroy(s *terraform.State) error {
 
 	for _, rs := range s.RootModule().Resources {
@@ -179,7 +199,7 @@ func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) r
 		}
 
 		if rs.Primary.ID == "" {
-			return fmt.Errorf("No Network ACL Id is set")
+			return fmt.Errorf("No Network ACL Rule Id is set")
 		}
 
 		req := &ec2.DescribeNetworkAclsInput{
@@ -209,6 +229,40 @@ func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) r
 	}
 }
 
+func testAccCheckAWSNetworkAclRuleDelete(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Network ACL Rule Id is set")
+		}
+
+		egress, err := strconv.ParseBool(rs.Primary.Attributes["egress"])
+		if err != nil {
+			return err
+		}
+		ruleNo, err := strconv.ParseInt(rs.Primary.Attributes["rule_number"], 10, 64)
+		if err != nil {
+			return err
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		_, err = conn.DeleteNetworkAclEntry(&ec2.DeleteNetworkAclEntryInput{
+			NetworkAclId: aws.String(rs.Primary.Attributes["network_acl_id"]),
+			RuleNumber:   aws.Int64(ruleNo),
+			Egress:       aws.Bool(egress),
+		})
+		if err != nil {
+			return fmt.Errorf("Error deleting Network ACL Rule (%s) in testAccCheckAWSNetworkAclRuleDelete: %s", rs.Primary.ID, err)
+		}
+
+		return nil
+	}
+}
+
 const testAccAWSNetworkAclRuleBasicConfig = `
 provider "aws" {
   region = "us-east-1"