aws-ia / terraform-aws-vpc
AWS VPC Module
Home Page: https://registry.terraform.io/modules/aws-ia/vpc/aws/latest
License: Apache License 2.0
terraform-aws-vpc/providers.tf
Line 7 in 92211f3
Hi AWS Integration and Automation
There are several concerns over the modules being developed under AWS-IA vs Terraform AWS Modules
https://www.youtube.com/watch?v=h21sd7-hQoc&t=911s
https://registry.terraform.io/namespaces/terraform-aws-modules
https://twitter.com/andrewbrown/status/1442915716177350657
Due to:
It's drawing lots of speculation in the AWS Terraform community and there is fear of negative impact to the community and reasons why.
My recommendation to AWS is to clearly define the goals of these modules and how they will be different from Terraform AWS Modules. Here are reasons why you want to develop your own modules:
AWS does not have to but it's appreciated to include community members in their OSS efforts who have grown the AWS Terraform space for the last 5 years to see if there is inclusion or collaboration or at least acknowledge the existence of these other projects to date.
AWS's track record with OSS projects has been spotty, we (the community) understand AWS is a company with self-interests and sometimes they end up eating other people's lunch as a course of business, no different than the whale sifting the sea of phytoplankton.
https://news.ycombinator.com/item?id=24802924
It's just how you go about it.
- Andrew Brown (AWS Community Hero)
For the private subnet
connect_to_public_natgw = false
or
connect_to_public_natgw = null
or
connect_to_public_natgw = true
has same result. The route to NATGW is created.
Only way to prevent route to NATGW is to remove the key
#connect_to_public_natgw = false
The expectation is that for connect_to_public_natgw = false or connect_to_public_natgw = null the route to NATGW is not created
│ Error: Reference to undeclared input variable
│
│ on main.tf line 14, in provider "aws":
│ 14: region = var.region
│
│ An input variable with the name "region" has not been declared. This
│ variable can be declared with a variable "region" {} block.
module "vpc" {
source = "aws-ia/vpc/aws"
version = ">= 1.0.0"
name = "tgw"
cidr_block = "10.0.0.0/16"
az_count = 2
subnets = {
public = {
netmask = 24
nat_gateway_configuration = "single_az"
route_to_core_network = ["10.0.0.0/8"]
}
private = {
netmask = 24
route_to_nat = true
route_to_core_network = ["10.0.0.0/8"]
}
core_network = {
netmask = 28
core_network_id = awscc_networkmanager_core_network.example.id
route_to_nat = false
ipv6_support = true
}
}
}
I am expecting that tags specified at each subnet level are applied to the specified subnets, merged with the tags specified at the VPC level.
The outcome is that only VPC level tags are applied. Subnet level tags are ignored.
Add configurable parameters to root module
take advantage of new defaults for type object(). replace defaults.tf with new feature
Problem statement:
I have a resource (RDS custom for Oracle) in a private subnet that needs to communicate with S3 via a Gateway endpoint. During the termination of the instance, the instance will pull scripts from S3 to execute on the instance prior to shutting down. When operating terraform destroy, the Terraform engine tears down the route table associations early in the lifecycle, and the RDS instance is not able to connect to the S3 Gateway endpoint.
To be able to explicitly add a depends_on to the route table association, I would like to request the route table associations be exported.
I also welcome other suggestions regarding the route table associations.
Add Module outputs
public and transit_gateway are reserved keywords for those subnet types and all other keys used in var.subnets.<> are assumed to be type private.
terraform state mv commands. see below.
route_to_nat has been changed to connect_to_public_natgw to clarify the nat is in the public subnet & to diverge from the route_to nomenclature which expects a route destination like input.
route_to_transit_gateway argument. Previously was a list of CIDRs that could only accept 1 item.
public_, tgw_, and private_. Since you can have several private subnet declarations we group based on the name scheme <your_key_name>/az.
For help upgrading see our upgrading guide
I found an issue with terraform-aws-vpc module.
When using TGW, resource aws_route.public_to_tgw and resource aws_route.private_to_tgw may sometimes fail with an error that the tgw does not exist.
I suspect it happens because resource aws_ec2_transit_gateway_vpc_attachment.tgw and resource aws_ec2_transit_gateway_route_table_association.tgw are not yet complete.
I think, if the aws_routes in question wait for the TGW VPC attachment and TGW route table association, these errors can be avoided.
So even if I do not make any changes to terraform code and expect to see 0 diffs I get this for every resource created by the module.
I must be doing something wrong because I'm sure someone would have complained by now, but can't seem to figure it out.
It looks like the Key vs Value pairs just get rotated around in the list of tags.
Here is how I pass common tags in:
module "vpc" {
source = "registry.terraform.io/aws-ia/vpc/aws"
version = "= 3.2.1"
name = "${var.name}-vpc"
tags = local.common_tags
cidr_block = var.cidr_block
az_count = var.az_count
...
}
And here is how they are defined (merged with top level tags):
locals {
common_tags = merge(var.common_tags, {
environment = var.name
})
}
and the top level module passes these tags in:
locals {
common_tags = {
managed_by = "terraform"
terraform_project = "core_infra"
}
}
Any help is appreciated here.
Error: Unsupported attribute
│
│ on outputs.tf line 22, in output "nat_eip_3":
│ 22: value = module.aws-ia_vpc.nat_eip_3
│ ├────────────────
│ │ module.aws-ia_vpc is a object, known only after apply
│
│ This object does not have an attribute named "nat_eip_3".
Update required version to 1.X
I am trying to create a VPC with IPAM:
module "vpc" {
source = "aws-ia/vpc/aws"
version = ">= 1.0.0"
name = var.network_map["example"].suffix
az_count = 2
vpc_ipv4_ipam_pool_id = module.create_ipam.pools_level_2[var.network_map["example"].ipam_region].id
vpc_ipv4_netmask_length = var.network_map["example"].netmask_length
subnets = {
public = {
netmask = 24
nat_gateway_configuration = "all_azs"
}
private = {
netmask = 24
route_to_nat = true
}
}
}
And the first pass would fail with the following error:
│ Error: AWS SDK Go Service Operation Incomplete
│
│ with module.vpc.awscc_ec2_route_table.public["item"],
│ on .terraform/modules/vpc/main.tf line 47, in resource "awscc_ec2_route_table" "public":
│ 47: resource "awscc_ec2_route_table" "public" {
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: The
│ 'vpc-XXXXXXXXXXXXXXXXXXX' does not exist (Service: Ec2, Status Code: 400, Request ID: ....
When I tried to rerun it (making no changes) the script would try to destroy the VPC which would fail because of the dependencies. It was trying to destroy the VPC because the first pass already created a VPC which assigned a cidr range and the 2nd pass would have a different cidr range. I tried to resolve the initial failure by replacing all the vpc_id calls with the following, but it didn't do any good:
vpc_id = local.create_vpc ? aws_vpc.main[0].id : local.vpc.id
I also tried putting depends_on statements for various resources thinking it might just need time, but that didn't help. It keeps throwing the same error even when it's done toward the end of execution. I even put a data command in to check the VPC existed and that works without issue. The VPC does exist when I go look at it in the console so I'm unsure how to resolve this.
Hello!
Getting below error when trying to use the module from TF v1.3.2
Github Issue
module "vpc" {
source = "aws-ia/vpc/aws"
version = "3.0.0"
name = "vpc"
cidr_block = "10.0.0.0/20"
az_count = 3
subnets = {
public = {
netmask = 24
nat_gateway_configuration = "all_azs" # options: "single_az", "none"
}
private = {
netmask = 24
connect_to_public_natgw = true
}
}
vpc_flow_logs = {
log_destination_type = "cloud-watch-logs"
retention_in_days = 180
traffic_type = "REJECT"
}
}
The current version constraint for the AWS provider in the module is set to >=3.73.0 however the module uses resources that do not exist in this version of the provider specifically aws_networkmanager_vpc_attachment and aws_networkmanager_attachment_accepter. These resources were added in v4.27.0.
If the resolved/matched version of the provider in a child module is below v4.27 the following is thrown:
│ Error: Invalid resource type
│
│ on .terraform\modules\vpc\main.tf line 351, in resource "aws_networkmanager_vpc_attachment" "cwan":
│ 351: resource "aws_networkmanager_vpc_attachment" "cwan" {
│
│ The provider hashicorp/aws does not support resource type "aws_networkmanager_vpc_attachment".
╵
╷
│ Error: Invalid resource type
│
│ on .terraform\modules\vpc\main.tf line 369, in resource "aws_networkmanager_attachment_accepter" "cwan":
│ 369: resource "aws_networkmanager_attachment_accepter" "cwan" {
│
│ The provider hashicorp/aws does not support resource type "aws_networkmanager_attachment_accepter".
Further the submodule modules/flow_logs/modules/s3_log_bucket uses the aws_s3_bucket_server_side_encryption_configuration and aws_s3_bucket_lifecycle_configuration resources introduced in v4.0.0 however the version constraint is set to ">= 3.72.0"
Error: Invalid resource type
│
│ on .terraform\modules\vpc\modules\flow_logs\modules\s3_log_bucket\main.tf line 17, in resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs":
│ 17: resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs" {
│
│ The provider hashicorp/aws does not support resource type "aws_s3_bucket_server_side_encryption_configuration".
╵
╷
│ Error: Invalid resource type
│
│ on .terraform\modules\vpc\modules\flow_logs\modules\s3_log_bucket\main.tf line 27, in resource "aws_s3_bucket_lifecycle_configuration" "flow_logs":
│ 27: resource "aws_s3_bucket_lifecycle_configuration" "flow_logs" {
│
│ The provider hashicorp/aws does not support resource type "aws_s3_bucket_lifecycle_configuration".
It's not always immediately obvious how to get specific data out of outputs. For example: how to get a list of subnet_ids
Example configuration:
module "vpc" {
source = "aws-ia/vpc/aws"
version = ">= 1.0.0"
name = "multi-az-vpc"
cidr_block = "10.0.0.0/20"
az_count = 3
subnets = {
private = { netmask = 24 }
}
}
list of private subnet_ids
> [ for _, value in module.vpc.private_subnet_attributes_by_az: value.id]
[
"subnet-04a86315c4839b519",
"subnet-02a7249c8652a7136",
"subnet-09af79b5329b3681f",
]
map of subnet_ids by az
> { for key, value in module.vpc.private_subnet_attributes_by_az: key => value.id}
{
"us-east-1a" = "subnet-04a86315c4839b519"
"us-east-1b" = "subnet-02a7249c8652a7136"
"us-east-1c" = "subnet-09af79b5329b3681f"
}
Subnet tags with VPC name (not descriptive)
We should have an optional argument to enable VPC flow logs. To enable flow logs we will need to take a log group name and iam role as inputs, or create them dynamically.
We are seeing an error recently. Our use of the module looks like this:
module "vpc" {
source = "aws-ia/vpc/aws"
version = ">= 1.0.0"
...
And we're seeing this now in the terraform output:
Error: Unsupported argument
on .terraform/modules/vpc/data.tf line 68, in module "tags":
68: tags = var.tags
An argument named "tags" is not expected here.
Hmm. Any ideas? Thanks!
Hi,
Going through the transit gateway example here, I saw the way we can add routes pointing to TGW inside the subnet route tables. However, how can we manage the VPC association with the TGW route table and the propagations?
When I call the module to create the VPC, pass it IPAM and rerun the terraform, the CIDR assigned by ipam changes every time you run the terraform. This appears to be caused by the data call:
data "aws_vpc_ipam_preview_next_cidr" "main" {
count = var.vpc_ipv4_ipam_pool_id == null ? 0 : 1
ipam_pool_id = var.vpc_ipv4_ipam_pool_id
netmask_length = var.vpc_ipv4_netmask_length
}
If you rerun the module after creating a VPC, it gets a new CIDR and tries to destroy the VPC and all resources because the VPC cidr "changed".
variable "network_map" {
description = "map of network modules, check variable details on modules/network"
type = map(any)
default = {
"ci" = {
suffix = "ci_vpc"
ipam_region = "us-west-2/non_prod"
netmask_length = 22
},
}
}
module "create_ipam" {
source = "github.com/aws-ia/terraform-aws-ipam"
top_cidr = ["10.0.0.0/8"]
top_name = "Global ipam"
pool_configurations = {
us-west-2 = {
description = "2nd level, locale us-west-2 pool"
cidr = ["10.0.0.0/14"]
locale = "us-west-2"
sub_pools = {
non_prod = {
name = "non_prod_ipam"
cidr = ["10.0.0.0/16"]
}
prod = {
name = "prod_ipam"
cidr = ["10.1.0.0/16"]
}
}
},
}
}
module "vpc" {
source = "aws-ia/vpc/aws"
version = ">= 1.4.1"
for_each = var.network_map
name = each.value.suffix
az_count = 2
vpc_ipv4_ipam_pool_id = module.create_ipam.pools_level_2[each.value.ipam_region].id
vpc_ipv4_netmask_length = each.value.netmask_length
subnets = {
public = {
netmask = 24
nat_gateway_configuration = "all_azs"
}
private = {
netmask = 24
route_to_nat = true
}
}
}
Because it uses the data command, if an ipam pool is "full" even the destroy command will fail because it tries to acquire a new ipam and it throws that there isn't enough room in ipam given the netmask.
The data command also becomes an issue when you try to spool ipam and VPC in the same module (for the multi-account setup I'm building with the ipam and VPC stuff in a central "networking" account). It throws the following error:
│ Error: Invalid count argument
│
│ on .terraform/modules/vpc/data.tf line 41, in data "aws_vpc_ipam_preview_next_cidr" "main":
│ 41: count = var.vpc_ipv4_ipam_pool_id == null ? 0 : 1
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.
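The re-allocation described in this issue comes from a data source that is re-read on every plan. As an added example (not code from the module or from the issue author), the VPC below takes its CIDR from the pool through the `aws_vpc` arguments `ipv4_ipam_pool_id` and `ipv4_netmask_length`, so the allocated range is recorded in state. The variable names, the AZ list and the /24 subnet size are assumptions.

```hcl
# Added example: allocate the VPC CIDR from IPAM at create time instead of
# previewing it with a data source on every plan.

variable "ipam_pool_id" {
  description = "ID of the IPAM pool to allocate from (assumed input)"
  type        = string
}

variable "netmask_length" {
  description = "Prefix length requested from the pool"
  type        = number
  default     = 22
}

resource "aws_vpc" "main" {
  # The provider asks IPAM for a range once, when the VPC is created.
  # cidr_block becomes a computed attribute stored in state, so later
  # plans and destroys do not request a new allocation.
  ipv4_ipam_pool_id   = var.ipam_pool_id
  ipv4_netmask_length = var.netmask_length

  enable_dns_support   = true
  enable_dns_hostnames = true
}

locals {
  # Constructed AZ list; keys are static so for_each is known at plan time.
  azs = ["us-west-2a", "us-west-2b"]

  # Bits to add to the VPC prefix to reach /24 subnets.
  subnet_newbits = 24 - var.netmask_length
}

resource "aws_subnet" "private" {
  for_each = { for idx, az in local.azs : az => idx }

  vpc_id            = aws_vpc.main.id
  availability_zone = each.key

  # Derived from the allocated range; unknown on the first plan,
  # then stable because aws_vpc.main.cidr_block no longer changes.
  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, local.subnet_newbits, each.value)
}

output "vpc_cidr" {
  value = aws_vpc.main.cidr_block
}
```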
Issue Details:
Enabled the AKL local zone for Sydney region; after re-running a terraform plan, it's going to recreate the resources in the new subnets and all resources.
Also local zones can only have limited services, no TGW support, no Nat gateway support, it will break the desired network configuration and topology.
Further investigation:
calculate_subnets module are using data resources to fetch from AWS.
so before data.aws_availability_zones.current returns:
"ap-southeast-2a",
"ap-southeast-2b",
"ap-southeast-2c",
but post-enabled local zones:
it returns:
"ap-southeast-2-akl-1a",
"ap-southeast-2a",
"ap-southeast-2b",
"ap-southeast-2c",
the current logic slices the first x (based on the az_count)
so it will destroy and create resources for those azs.
"ap-southeast-2-akl-1a",
"ap-southeast-2a",
"ap-southeast-2b",
Suggest adding to aws-ia/vpc/aws the ability to explicitly specify the AZs for the VPC:
module "vpc" {
  source     = "aws-ia/vpc/aws"
  version    = "= 4.2.1"
  name       = "demo-vpc"
  cidr_block = "10.0.0.0/20"
  az_count   = 3
  azs        = ["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"]
}
To prevent similar issues in the future.
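One way to keep an enabled Local Zone out of the sliced AZ list, as an added example (not the module's code and not from the issue author): filter the `aws_availability_zones` data source on `opt-in-status` before slicing. The data source name `regional`, the `az_count` variable and the output are assumptions.

```hcl
# Added example: select only regional Availability Zones so that enabling a
# Local Zone in the account does not change which zones the VPC uses.

variable "az_count" {
  description = "Number of Availability Zones to spread subnets across"
  type        = number
  default     = 3
}

data "aws_availability_zones" "regional" {
  state = "available"

  # Regional AZs report "opt-in-not-required". Local Zones report
  # "opted-in" once enabled, so they are excluded by this filter.
  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }

  # Fail with a clear message instead of a slice() index error when the
  # region has fewer regional AZs than requested (Terraform 1.2 or later).
  lifecycle {
    postcondition {
      condition     = length(self.names) >= var.az_count
      error_message = "Fewer regional Availability Zones are available than az_count."
    }
  }
}

locals {
  # Sort before slicing so the selection does not depend on API ordering.
  azs = slice(sort(data.aws_availability_zones.regional.names), 0, var.az_count)
}

output "selected_azs" {
  value = local.azs
}
```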
│ Error: Invalid variable validation result
│
│ on .terraform/modules/vpcs/variables.tf line 197, in variable "subnets":
│ 197: condition = try(var.subnets.private.route_to_nat, false) ? try(var.subnets.private.route_to_transit_gateway[0] != "0.0.0.0/0", true) : null
│ ├────────────────
│ │ var.subnets.private is object with 3 attributes
│ │ var.subnets.private.route_to_nat is false
│
│ Validation condition expression must return either true or false, not null.
It's possible we could allow users to pass a list of local-zone ids instead of an az_count. I can think of 2 primary considerations:
local.azs to be a list of LZs if provided
Proposed idea: do not enforce naming conventions on subnet types (private, public, transit_gateway, etc). This will allow users to create arbitrary subnet amounts. For example, currently, users can only create 1 grouping of private subnets.
Idea 1: create abstract module concepts for each and allow users to specify in the map itself:
Pros/Cons:
- breaking change
+ allows for defining subnet types in modules that are easier to understand
subnets = {
  myprivate = {
    type         = "private"
    netmask      = 24
    route_to_nat = "publicsubnets"
  }
  publicsubnets = {
    type                      = "public"
    netmask                   = 24
    nat_gateway_configuration = "all_azs" # options: "single_az", "none"
  }
}
Idea 2: create generic subnet module and allow any variable to be passed:
Pros/Cons:
+ likely non breaking change
- code inside new module subnet would be complex
subnets = {
  myprivate = {
    netmask      = 24
    route_to_nat = "publicsubnets"
    routes = [{
      subnet = "tgw"
      cidr   = "10.0.0.0/8"
      },
      {
        subnet = "nat"
        cidr   = "0.0.0.0/0"
    }]
  }
  publicsubnets = {
    type                      = "public"
    netmask                   = 24
    nat_gateway_configuration = "all_azs" # options: "single_az", "none"
    routes = [{
      subnet = "tgw"
      cidr   = "10.0.0.0/8"
      },
      {
        subnet = "igw"
        cidr   = "0.0.0.0/0"
    }]
  }
}
idea 2 open questions:
replace aws_subnet with awscc_ec2_subnet
add prefix list to each subnet type
I notice public subnets have the prefix "public}-" with a brace. I wonder if there is an extra closing brace here:
https://github.com/aws-ia/terraform-aws-vpc/blob/main/main.tf#L58
Thanks!
Replace these resources:
Make sure tags are still working
Determine if we should remove calls to the label module
updates have been requested:
subnets = {
public = {
netmask = 24
# "0.0.0.0/0" is explicitly blocked for map to tgw
route_to_transit_gateway = ["10.0.0.0/8"]
}
private = {
netmask = 24
# if route_to_nat = true
# route_to_transit_gateway != 0.0.0.0/0
route_to_nat = true
route_to_transit_gateway = ["0.0.0.0/0"]
}
transit_gateway = {
netmask = 24
transit_gateway_id = aws_ec2_transit_gateway.example.id
route_to_nat = true # default false
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true
}
}
Related resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpclattice_service_network_vpc_association
Will need to include the variable "service_network_identifier" in the VPC definition. This association only requires Security Groups, and it's agnostic of the number of AZs used.
Some users have reported confusion about the output methodology of the module. Showing examples of how to use the terraform console to explore the outputs may help highlight the merits of the design.
For some type of VPCs (Inspection VPCs), appliance mode is needed to not drop packets when the response traffic comes from a different AZ. By default, this value is "disable", so having the possibility to change it when defining the transit_gateway subnets will enable the configuration.
Proposed add-on in transit_gateway subnets:
subnets = {
transit_gateway = {
netmask = 24
transit_gateway_id = aws_ec2_transit_gateway.example.id
route_to_nat = false
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true
appliance_mode_support = "enable"
}
}
Adding the following in main.tf with the variable defined in variables.tf will allow us to create the VPC conditionally similar to while calling from deploy directory.
create_vpc = var.create_vpc
transit_gateway = {
netmask = 28
transit_gateway_id = aws_ec2_transit_gateway.example.id
route_to_nat = false
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true
route_to_tgw = [""]
}
(association to rt)
If I create secondary cidr as below
module "secondary" {
source = "aws-ia/vpc/aws"
version = ">= 2.0.0"
name = "secondary-cidr"
cidr_block = "10.2.0.0/16"
vpc_secondary_cidr = true
vpc_id = module.vpc.vpc_attributes.id
az_count = 2
subnets = {
eks = {
name_prefix = "vpce"
cidrs = ["10.2.0.0/18", "10.2.64.0/18"]
connect_to_public_natgw = true
#route_to_transit_gateway = "pl-"
#tags = var.vpc_shared_svc_vpce_subnet_tags
}
}
}
it breaks with following error
on .terraform\modules\secondary\main.tf line 172, in resource "aws_route" "private_to_nat":
│ 172: nat_gateway_id = try(aws_nat_gateway.main[split("/", each.key)[1]].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
│ ├────────────────
│ │ aws_nat_gateway.main is object with no attributes
│ │ each.key is "eks/us-east-1a"
│ │ local.nat_configuration is empty tuple
│
│ Call to function "try" failed: no expression succeeded:
│ - Invalid index (at .terraform\modules\secondary\main.tf:172,44-69)
│ The given key does not identify an element in this collection value.
│ - Invalid index (at .terraform\modules\secondary\main.tf:172,118-121)
│ The given key does not identify an element in this collection value: the collection has no elements.
│
│ At least one expression must produce a successful result.
Because aws_nat_gateway.main is not available in module.secondary.
Without connect_to_public_natgw = true, it works but route to NATGW is missing in the subnet route tables of the secondary
awscc_ec2_internet_gateway has no way to attach yet, missing AWS::EC2::VPCGatewayAttachment resource
Attempting to set up a multi-account transit network where the spoke account can route through the transit gateway and get to the internet. Created two new fresh aws accounts to apply this terraform and let it set up all of the attachments, route tables, subnets, etc. but I can't seem to get to the internet from the spoke. The instance sitting in the spoke can ping things in the network account but can't get to the internet.
- Core Network Account - - Spoke Account -
<igw>--<publicsubnet>--<natgw>--<privatesubnet>--<tgw_attachment>--<tgw>--<tgw_attachment>--<privatesubnet>--<instance>
main.tf
resource "aws_ec2_transit_gateway" "network_tgw" {
provider = aws.core_prod_network
amazon_side_asn = 65412
auto_accept_shared_attachments = "enable"
dns_support = "enable"
description = "Core Prod Network Transit Gateway"
}
resource "aws_ram_resource_share" "core_prod_network" {
provider = aws.core_prod_network
name = "Transit Gateway Resource Share"
allow_external_principals = true
tags = {
Name = "core-prod-network-tgw-resource-share"
}
}
# Share the transit gateway...
resource "aws_ram_resource_association" "core_prod_network" {
provider = aws.core_prod_network
resource_arn = aws_ec2_transit_gateway.network_tgw.arn
resource_share_arn = aws_ram_resource_share.core_prod_network.id
}
#### For every Spoke Account, add this to attach tgw
## ..with the core_prod_devops account
resource "aws_ram_principal_association" "core_prod_devops" {
provider = aws.core_prod_network
principal = var.vega_accounts.core_prod_devops.id
resource_share_arn = aws_ram_resource_share.core_prod_network.id
}
## core_prod_network
module "core_prod_network_vpc" {
providers = {
aws = aws.core_prod_network
awscc = awscc.core_prod_network
}
source = "aws-ia/vpc/aws"
name = "core-prod-network-vpc"
cidr_block = "10.3.0.0/16"
az_count = 2
subnets = {
public = {
name_prefix = "core-prod-network-public"
netmask = 24
nat_gateway_configuration = "all_azs"
route_to_transit_gateway = ["10.0.0.0/8"]
}
private = {
name_prefix = "core-prod-network-private"
netmask = 24
route_to_nat = true
route_to_transit_gateway = ["10.0.0.0/8"]
}
transit_gateway = {
name_prefix = "core-prod-network-transit"
netmask = 28
transit_gateway_id = aws_ec2_transit_gateway.network_tgw.id
route_to_nat = false
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true
}
}
}
### Output Block we need after every VPC creation
output "core_prod_network_vpc_id" {
value = module.core_prod_network_vpc.vpc_attributes.id
}
output "core_prod_network_vpc_info" {
value = module.core_prod_network_vpc
}
## core_prod_devops
module "core_prod_devops_vpc" {
providers = {
aws = aws.core_prod_devops
awscc = awscc.core_prod_devops
}
source = "aws-ia/vpc/aws"
name = "core-prod-devops-vpc"
cidr_block = "10.7.0.0/16"
az_count = 2
subnets = {
private = {
name_prefix = "core-prod-devops-private"
netmask = 24
route_to_nat = false
route_to_transit_gateway = ["0.0.0.0/0"]
}
transit_gateway = {
name_prefix = "core-prod-devops-transit"
netmask = 28
transit_gateway_id = aws_ec2_transit_gateway.network_tgw.id
route_to_nat = false
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true
}
}
}
I don't know if this is something that you guys have to add to the routing tables in the terraform to account for this use case but something is missing from routing.
For the public subnet
nat_gateway_configuration = "none"
or
nat_gateway_configuration = null
or
#nat_gateway_configuration = "none"
Gives following error
Error: Error in function call
│
│ on .terraform\modules\shared_services_vpc\data.tf line 53, in locals:
│ 53: { for az in local.azs : az => { id : try(aws_nat_gateway.main[az].id, aws_nat_gateway.main[local.nat_configuration[0]].id) } }
│ ├────────────────
│ │ aws_nat_gateway.main is object with no attributes
│ │ local.nat_configuration is empty tuple
│
│ Call to function "try" failed: no expression succeeded:
│ - Invalid index (at .terraform\modules\shared_services_vpc\data.tf:53,66-70)
│ The given key does not identify an element in this collection value.
│ - Invalid index (at .terraform\modules\shared_services_vpc\data.tf:53,119-122)
│ The given key does not identify an element in this collection value: the collection has no elements.
│
│ At least one expression must produce a successful result.
For the above conditions local.nat_configuration is [] therefore local.nat_configuration[0] fails.