Second run of destroy failed when VPC Flow log is enabled and full module output is set #841

Closed
air3ijai opened this issue Oct 11, 2022 · 3 comments

Comments

@air3ijai
Contributor

Description

When we use VPC Flow logs and the full output of the module, we get an error on the second run of the destroy command.

Versions

  • Module version: 3.16.0
  • Terraform version: Terraform v1.3.2 on darwin_arm64
  • Provider version(s): hashicorp/aws v4.34.0

Reproduction code

# VPC
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.16.0"

  # Main
  cidr = "10.0.0.0/16"

  # Flow logs
  enable_flow_log                      = true
  create_flow_log_cloudwatch_iam_role  = true
  create_flow_log_cloudwatch_log_group = true
}

# Output
output "vpc" {
  value = module.vpc
}

Steps to reproduce the behavior:

  1. Authenticate on AWS
  2. vi main.tf
  3. Add sample code from the block above
  4. terraform init
  5. terraform apply
  6. terraform destroy
  7. terraform destroy

Expected behavior

We should not get an error on a destroy run after destroy has already been performed.

Actual behavior

We get the following error

╷
│ Error: Invalid index
│
│   on .terraform/modules/vpc/vpc-flow-logs.tf line 8, in locals:
│    8:   flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? aws_cloudwatch_log_group.flow_log[0].arn : var.flow_log_destination_arn
│     ├────────────────
│     │ aws_cloudwatch_log_group.flow_log is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
╷
│ Error: Invalid index
│
│   on .terraform/modules/vpc/vpc-flow-logs.tf line 9, in locals:
│    9:   flow_log_iam_role_arn    = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_cloudwatch_iam_role_arn
│     ├────────────────
│     │ aws_iam_role.vpc_flow_log_cloudwatch is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
╵


@antonbabenko
Member

This is a rather special request/case to make it without mistakes.

What would you expect Terraform to delete? Currently, based on your output, after the first "terraform destroy", everything is removed.

module.vpc.data... are shown there because they are data sources, but all resources are successfully gone after the first "terraform destroy" already.

There is nothing to do in this module.

@air3ijai
Contributor Author

We can use the try function to check if the "data source" has a value and, if not, return null.

It solves the issue for all subsequent destroy runs.

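The guard proposed in the comment above, written out as an added example (not code from this thread or from the module itself). The two locals are the expressions quoted in the error output with the `[0]` lookups wrapped in `try()`; the variable defaults, the two create flags, and the resource arguments are assumptions made so the snippet stands alone.

```hcl
# Added example; names mirror the error output, everything else is assumed.
variable "flow_log_destination_type" {
  type    = string
  default = "cloud-watch-logs"
}

variable "flow_log_destination_arn" {
  type    = string
  default = ""
}

variable "flow_log_cloudwatch_iam_role_arn" {
  type    = string
  default = ""
}

locals {
  # Assumed stand-ins for the module's create flags.
  create_flow_log_cloudwatch_log_group = var.flow_log_destination_type != "s3"
  create_flow_log_cloudwatch_iam_role  = var.flow_log_destination_type != "s3"

  # try() yields null instead of "Invalid index" when the resource has no instances.
  flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, null) : var.flow_log_destination_arn
  flow_log_iam_role_arn    = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? try(aws_iam_role.vpc_flow_log_cloudwatch[0].arn, null) : var.flow_log_cloudwatch_iam_role_arn
}

resource "aws_cloudwatch_log_group" "flow_log" {
  count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
  name  = "/example/vpc-flow-log" # constructed name
}

resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
  count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  name  = "example-vpc-flow-log" # constructed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}
```

While the log group and role exist, both locals resolve to their real ARNs; the `null` fallback is used only when the indexed resource has no instances.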

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2022