Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error in function call when no private subnet specifed in vpc with only outpost subnets #1157

Open
FireballDWF opened this issue Jan 7, 2025 · 0 comments
Open

Error in function call when no private subnet specifed in vpc with only outpost subnets #1157

FireballDWF opened this issue Jan 7, 2025 · 0 comments

Comments

@FireballDWF
Copy link

FireballDWF commented Jan 7, 2025
edited
Loading

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • [Y] ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 5.17.0

  • Terraform version:
    OpenTofu v1.8.8 on darwin_amd64

  • provider registry.opentofu.org/hashicorp/aws v5.82.2

Reproduction Code [Required]

module "ot_vpc" { #tfsec:ignore:aws-ec2-no-excessive-port-access tfsec:ignore:aws-ec2-no-public-ingress-acl tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs is false positive, see https://github.com/aquasecurity/tfsec/issues/2024
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.17.0"
  name = "OT"
  cidr = var.ot_vpc_cidr
  enable_nat_gateway   = false

  outpost_arn       = data.aws_outposts_outpost.outpost.arn
  outpost_subnets   = [cidrsubnet(var.ot_vpc_cidr, 8, 0)]
  outpost_az        = data.aws_outposts_outpost.outpost.availability_zone
  map_customer_owned_ip_on_launch = false
  customer_owned_ipv4_pool = "" # minor issue, this should not be required when the above is false (and the Outpost LGWRT mode=direct-vpc-routing)

}

Steps to reproduce the behavior:

tofu apply -auto-approve

Expected behavior

VPC created with single subnet which is created on the Outpost

Actual behavior

Plan: 5 to add, 0 to change, 0 to destroy.
╷
│ Error: Error in function call
│ 
│   on .terraform/modules/ot_vpc/main.tf line 953, in resource "aws_route_table_association" "outpost":
│  953:   route_table_id = element(
│  954:     aws_route_table.private[*].id,
│  955:     var.single_nat_gateway ? 0 : count.index,
│  956:   )
│     ├────────────────
│     │ while calling element(list, index)
│     │ aws_route_table.private is empty tuple
│     │ count.index is 0
│     │ var.single_nat_gateway is false
│ 
│ Call to function "element" failed: cannot use element function with an empty list.

Terminal Output Screenshot(s)

Additional context

Use case for VPCs with subnets only on Outposts is for building https://aws.amazon.com/blogs/compute/implementing-network-traffic-inspection-on-aws-outposts-rack/ and other use cases where no in region subnets are needed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@FireballDWF