Fix nat_gateway_enabled=false InvalidNatGatewayId.Malformed error

examples/complete/fixtures.eu-west-1.tfvars

@@ -0,0 +1,13 @@
+region = "eu-west-1"
+
+namespace = "eg"
+
+stage = "test"
+
+name = "multi-az-subnets-no-nat"
+
+availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+
+cidr_block = "172.16.0.0/20"
+
+nat_gateway_enabled = false

examples/complete/fixtures.us-east-2.tfvars

@@ -4,8 +4,10 @@ namespace = "eg"
 
 stage = "test"
 
-name = "multi-az-subnets-only-private"
+name = "multi-az-subnets-public-private"
 
 availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"]
 
-cidr_block = "172.16.0.0/16"
+cidr_block = "172.16.0.0/16"
+
+nat_gateway_enabled = true

examples/complete/main.tf

@@ -24,7 +24,7 @@ module "public_subnets" {
   cidr_block          = local.public_cidr_block
   type                = "public"
   igw_id              = module.vpc.igw_id
-  nat_gateway_enabled = true
+  nat_gateway_enabled = var.nat_gateway_enabled
 
   context = module.this.context
 }
@@ -42,4 +42,3 @@ module "private_subnets" {
 
   context = module.this.context
 }
-

examples/complete/variables.tf

@@ -12,3 +12,8 @@ variable "availability_zones" {
   type        = list(string)
   description = "List of Availability Zones (e.g. `['us-east-1a', 'us-east-1b', 'us-east-1c']`)"
 }
+
+variable "nat_gateway_enabled" {
+  type        = bool
+  description = "Flag to enable/disable NAT Gateways creation in public subnets"
+}

outputs.tf

@@ -15,10 +15,7 @@ output "az_route_table_ids" {
 }
 
 output "az_ngw_ids" {
-  value = zipmap(
-    var.availability_zones,
-    coalescelist(aws_nat_gateway.public.*.id, local.dummy_az_ngw_ids),
-  )
+  value       = local.nat_gw_availability_zones_map
   description = "Map of AZ names to NAT Gateway IDs (only for public subnets)"
 }
 

private.tf

@@ -1,6 +1,6 @@
 locals {
-  private_count       = local.private_enabled ? length(var.availability_zones) : 0
-  private_route_count = length(var.az_ngw_ids)
+  private_count            = local.private_enabled ? length(var.availability_zones) : 0
+  nat_gateways_route_count = var.nat_gateway_enabled ? length(var.az_ngw_ids) : 0
 }
 
 module "private_label" {
@@ -93,7 +93,7 @@ resource "aws_route_table_association" "private" {
 }
 
 resource "aws_route" "default" {
-  count = local.private_route_count
+  count = local.nat_gateways_route_count
 
   route_table_id = zipmap(
     var.availability_zones,

public.tf

@@ -127,32 +127,9 @@ resource "aws_nat_gateway" "public" {
   )
 }
 
-# Dummy list of NAT Gateway IDs to use in the outputs for private subnets and when `nat_gateway_enabled=false` for public subnets
-# Needed due to Terraform limitation of not allowing using conditionals with maps and lists
 locals {
-  dummy_az_ngw_ids = slice(
-    [
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-      "0",
-    ],
-    0,
-    length(var.availability_zones),
-  )
+  # Ensure zipmap has same number of elements
+  nat_gw_availability_zones     = slice(var.availability_zones, 0, local.public_nat_gateways_count)
+  nat_gw_availability_zones_map = zipmap(local.nat_gw_availability_zones, aws_nat_gateway.public.*.id)
 }
 

test/src/examples_complete_test.go

@@ -24,7 +24,8 @@ func assertValueStartsWith(t *testing.T, m map[string]string, rx interface{}) {
 
 // Test the Terraform module in examples/complete using Terratest.
 func TestExamplesComplete(t *testing.T) {
-	t.Parallel()
+	// Init phase module download fails when run in parallel
+	//t.Parallel()
 
 	terraformOptions := &terraform.Options{
 		// The path to where our Terraform code is located
@@ -40,35 +41,35 @@ func TestExamplesComplete(t *testing.T) {
 	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
 	terraform.InitAndApply(t, terraformOptions)
 
-/*
-   Outputs:
-
-   private_az_route_table_ids = {
-     "us-east-2a" = "rtb-0489137a5c668e49b"
-     "us-east-2b" = "rtb-083c0e942abb4b8a1"
-     "us-east-2c" = "rtb-0c36484693db5e774"
-   }
-   private_az_subnet_ids = {
-     "us-east-2a" = "subnet-0f56deccfe81c0ea0"
-     "us-east-2b" = "subnet-05861d30d45e7b675"
-     "us-east-2c" = "subnet-036d747a2b46857ae"
-   }
-   public_az_ngw_ids = {
-     "us-east-2a" = "nat-0f5057f09b8cd8ddc"
-     "us-east-2b" = "nat-0971b2505ea6d03f1"
-     "us-east-2c" = "nat-0dc1cdf91010be057"
-   }
-   public_az_route_table_ids = {
-     "us-east-2a" = "rtb-0642afb4401f1eef1"
-     "us-east-2b" = "rtb-04f511a28a2d5a6a2"
-     "us-east-2c" = "rtb-05f0ee4e831b05697"
-   }
-   public_az_subnet_ids = {
-     "us-east-2a" = "subnet-0dcb9e32f1f02a367"
-     "us-east-2b" = "subnet-0b432a6748ca40638"
-     "us-east-2c" = "subnet-00a9a6636ca722474"
-   }
- */
+	/*
+	   Outputs:
+
+	   private_az_route_table_ids = {
+	     "us-east-2a" = "rtb-0489137a5c668e49b"
+	     "us-east-2b" = "rtb-083c0e942abb4b8a1"
+	     "us-east-2c" = "rtb-0c36484693db5e774"
+	   }
+	   private_az_subnet_ids = {
+	     "us-east-2a" = "subnet-0f56deccfe81c0ea0"
+	     "us-east-2b" = "subnet-05861d30d45e7b675"
+	     "us-east-2c" = "subnet-036d747a2b46857ae"
+	   }
+	   public_az_ngw_ids = {
+	     "us-east-2a" = "nat-0f5057f09b8cd8ddc"
+	     "us-east-2b" = "nat-0971b2505ea6d03f1"
+	     "us-east-2c" = "nat-0dc1cdf91010be057"
+	   }
+	   public_az_route_table_ids = {
+	     "us-east-2a" = "rtb-0642afb4401f1eef1"
+	     "us-east-2b" = "rtb-04f511a28a2d5a6a2"
+	     "us-east-2c" = "rtb-05f0ee4e831b05697"
+	   }
+	   public_az_subnet_ids = {
+	     "us-east-2a" = "subnet-0dcb9e32f1f02a367"
+	     "us-east-2b" = "subnet-0b432a6748ca40638"
+	     "us-east-2c" = "subnet-00a9a6636ca722474"
+	   }
+	*/
 
 	// Run `terraform output` to get the value of an output variable
 	privateSubnetIds := terraform.OutputMap(t, terraformOptions, "private_az_subnet_ids")
@@ -94,3 +95,32 @@ func TestExamplesComplete(t *testing.T) {
 	assert.Equal(t, expectedAZs, getKeys(publicSubnetIds))
 	assertValueStartsWith(t, publicSubnetIds, "^subnet-.*")
 }
+
+func TestExamplesCompleteNoNatGateway(t *testing.T) {
+	// Init phase module download fails when run in parallel
+	//t.Parallel()
+
+	terraformOptions := &terraform.Options{
+		// The path to where our Terraform code is located
+		TerraformDir: "../../examples/complete",
+		Upgrade:      true,
+		// Variables to pass to our Terraform code using -var-file options
+		VarFiles: []string{"fixtures.eu-west-1.tfvars"},
+	}
+
+	// At the end of the test, run `terraform destroy` to clean up any resources that were created
+	defer terraform.Destroy(t, terraformOptions)
+
+	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+	terraform.InitAndApply(t, terraformOptions)
+
+	privateRouteTableIds := terraform.OutputMap(t, terraformOptions, "private_az_route_table_ids")
+	publicNATGateWayIds := terraform.OutputMap(t, terraformOptions, "public_az_ngw_ids")
+	privateNATGateWayIds := terraform.OutputMap(t, terraformOptions, "private_az_ngw_ids")
+
+	expectedAZs := []string{"eu-west-1a", "eu-west-1b", "eu-west-1c"}
+	assert.Equal(t, expectedAZs, getKeys(privateRouteTableIds))
+	assertValueStartsWith(t, privateRouteTableIds, "^rtb-.*")
+	assert.Empty(t, publicNATGateWayIds)
+	assert.Empty(t, privateNATGateWayIds)
+}

variables.tf

@@ -113,7 +113,8 @@ variable "private_network_acl_ingress" {
 }
 
 variable "nat_gateway_enabled" {
+  type        = bool
   description = "Flag to enable/disable NAT Gateways creation in public subnets"
-  default     = "true"
+  default     = true
 }