
Error when creating VPC without any private subnets and has NAT gateways #1068

Open
aiell0 opened this issue Apr 16, 2024 · 3 comments

Comments

@aiell0
Contributor

aiell0 commented Apr 16, 2024

Description

When creating a VPC with only public subnets and with one_nat_gateway_per_az configured, the module fails with an error.

Versions

  • Module version [Required]: 5.7.1

  • Terraform version: 1.7.5

  • Provider version(s): 5.45.0

Reproduction Code [Required]

module "outbound_vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~>5.0"

  name = "outbound"
  cidr = "192.168.16.0/21"

  azs            = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d", "us-east-1e", "us-east-1f"]
  public_subnets = ["192.168.16.0/23", "192.168.18.0/23", "192.168.20.0/24", "192.168.21.0/24", "192.168.22.0/24", "192.168.23.0/24"]

  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true
}

Steps to reproduce the behavior:

Run a terraform plan or terraform apply.

Expected behavior

VPC creates without issues.

Actual behavior

Module errors out.

Terminal Output Screenshot(s)

│ Error: Error in function call
│ 
│   on .terraform/modules/outbound_vpc/main.tf line 1088, in resource "aws_route" "private_nat_gateway":
│ 1088:   route_table_id         = element(aws_route_table.private[*].id, count.index)
│     ├────────────────
│     │ while calling element(list, index)
│     │ aws_route_table.private is empty tuple
│     │ count.index is 0
│ 
│ Call to function "element" failed: cannot use element function with an empty list.

Additional context

This use case comes from AWS Prescriptive Guidance around setting up network architecture. In this case, an outbound VPC would only have NAT gateways. This VPC would then have routes to it via Transit Gateway connections to other VPCs which emulates the same functionality as private subnets. This module does not support that setup in the current form.
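The error above comes from element() being evaluated against an empty tuple. As an added illustration, not the module's own source and not a proposed patch, the following stand-alone HCL reproduces the failure mode with a hypothetical stand-in for aws_route_table.private and shows the defensive pattern a resource that indexes into a possibly-empty list needs: its own count must collapse to zero whenever that list is empty. The names private_route_table_ids and nat_gateway_count, and the placeholder NAT gateway id, are assumptions.

```hcl
# Hypothetical stand-alone reproduction, not the terraform-aws-modules/vpc source.
# Assumes only the two variables declared here; run `terraform validate` / `terraform plan`.

variable "private_subnets" {
  type    = list(string)
  default = [] # the issue's case: public subnets only
}

variable "enable_nat_gateway" {
  type    = bool
  default = true
}

locals {
  # Stand-in for aws_route_table.private[*].id; empty when there are no private subnets.
  private_route_table_ids = [for i, cidr in var.private_subnets : "rtb-private-${i}"]
  # Hypothetical constant: one NAT gateway per AZ for the six AZs in the issue.
  nat_gateway_count = 6
}

# Failing shape (kept as a comment so the file still validates): count is driven
# only by the NAT gateway count, so with no private route tables Terraform still
# creates instance 0 and element() fails with
# "cannot use element function with an empty list".
#
# resource "aws_route" "private_nat_gateway" {
#   count          = var.enable_nat_gateway ? local.nat_gateway_count : 0
#   route_table_id = element(local.private_route_table_ids, count.index)
# }

# Guarded shape: no private route tables means no instances, so element() is
# never evaluated and a public-only VPC with NAT gateways plans cleanly.
resource "aws_route" "private_nat_gateway" {
  count = var.enable_nat_gateway && length(local.private_route_table_ids) > 0 ? local.nat_gateway_count : 0

  route_table_id         = element(local.private_route_table_ids, count.index)
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "nat-placeholder-${count.index}" # placeholder for aws_nat_gateway ids
}
```

With the default empty private_subnets the guarded resource plans as zero instances; setting private_subnets to a non-empty list restores the routes.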

@laserpedro

From my understanding you have to define private subnets in the egress vpc cf here ...

@aiell0
Contributor Author

aiell0 commented Apr 20, 2024

@laserpedro not quite... the egress VPC can live in another account and has just public subnets with NAT gateways living in them. You can then use a Transit Gateway to link those subnets with private subnets in separate VPCs that live in separate accounts. By creating a VPC with just public subnets for the egress VPC, you can keep the IP space small (which is desirable because this will be an internet-facing VPC after all).

@laserpedro

What about using non-routable IPs for the private subnets in your egress VPC?
