associating subnets with NACLs

[throwawayacctfo...@gmail.com]

Hello, 

I am attempting to associate public subnets with a public NACL.

According to the documentation, this should work: 

resource "aws_subnet" "public" {

  vpc_id                    = "${aws_vpc.test.id}"

  cidr_block                = "${element(var.public_subnets, count.index)}"

  availability_zone         = "${element(var.availability_zones, count.index)}"

  count                     = "${length(var.public_subnets)}"

  map_public_ip_on_launch   = true 

  tags {

    Name  = "${var.vpc_name}-${var.subnet_types[1]}-${element(var.zone_identifier, count.index)}"

    Environment = "${var.vpc_name}"

  }

}

resource "aws_network_acl" "public_nacl" {
  vpc_id = "${aws_vpc.test.id}"
  subnet_ids = "${var.public_subnets}"




  /** Allow inbound http traffic from internet */
  ingress = {
    protocol = "tcp"
    rule_no = 200
    action = "allow"
    cidr_block = "0.0.0.0/0"
    from_port = 80
    to_port = 80
  }


  /** Allow outbound http traffic to internet */
  egress = {
    protocol = "tcp"
    rule_no = 200
    action = "allow"
    cidr_block = "0.0.0.0/0"
    from_port = 80
    to_port = 80
  }
 
  /** Allow inbound https traffic from internet */
  ingress = {
    protocol = "tcp"
    rule_no = 300
    action = "allow"
    cidr_block = "0.0.0.0/0"
    from_port = 443
    to_port = 443
  }


  /** Allow outbound https traffic to internet */
  egress = {
    protocol = "tcp"
    rule_no = 300
    action = "allow"
    cidr_block = "0.0.0.0/0"
    from_port = 443
    to_port = 443
  }    
}

When I run `terraform plan`, I get this output: 

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


aws_vpc.test: Refreshing state... (ID: vpc-2b9e9442)
aws_internet_gateway.Test-IGW: Refreshing state... (ID: igw-e225688b)
aws_network_acl.public_nacl: Refreshing state... (ID: acl-24fb1a4c)
aws_subnet.public[2]: Refreshing state... (ID: subnet-3602987b)
aws_subnet.public[0]: Refreshing state... (ID: subnet-44e0fb2d)
aws_subnet.public[1]: Refreshing state... (ID: subnet-bd247cc6)
aws_route_table.PublicRouteTable: Refreshing state... (ID: rtb-5e6e9b36)


------------------------------------------------------------------------


An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place


Terraform will perform the following actions:


  ~ module.test.aws_network_acl.public_nacl
      subnet_ids.#:         "0" => "1"
      subnet_ids.785809992: "" => "aws_subnet.public"




Plan: 0 to add, 1 to change, 0 to destroy.


------------------------------------------------------------------------

Yet when I run `terraform apply`, i get this error: 

aws_vpc.test: Refreshing state... (ID: vpc-2b9e9442)
aws_network_acl.public_nacl: Refreshing state... (ID: acl-24fb1a4c)
aws_internet_gateway.Test-IGW: Refreshing state... (ID: igw-e225688b)
aws_subnet.public[0]: Refreshing state... (ID: subnet-44e0fb2d)
aws_subnet.public[1]: Refreshing state... (ID: subnet-bd247cc6)
aws_subnet.public[2]: Refreshing state... (ID: subnet-3602987b)
aws_route_table.PublicRouteTable: Refreshing state... (ID: rtb-5e6e9b36)
module.test.aws_network_acl.public_nacl: Modifying... (ID: acl-24fb1a4c)
  subnet_ids.#:         "0" => "1"
  subnet_ids.785809992: "" => "aws_subnet.public"
Error applying plan:


1 error(s) occurred:


* module.test.aws_network_acl.public_nacl: 1 error(s) occurred:


* aws_network_acl.public_nacl: Failed to find acl association: acl acl-24fb1a4c with subnet aws_subnet.public: could not find association for subnet: aws_subnet.public

I am not sure why this happening but I think it might have to do with the subnets being created before the NACL. I am not sure. Would really appreciate some feed back. 

[throwawayacctfo...@gmail.com]

Resolved issue. 

Error was due to wrong interpolation of subnet_ids. I had this: 

subnet_ids = "${var.public_subnets}"

While it should have been this: 

 subnet_ids        = ["${element(aws_subnet.public.*.id, count.index)}"]

[throwawayacctfo...@gmail.com]

Actually, correct syntax is this: 

subnet_ids        = ["${aws_subnet.public.*.id}"]

I was using count previously because I thought I had to iterate but turns out that count creates multiple NACLs (one for each subnet in public domain) while I only need one NACL. Therefore remove count function to create one NACL  associated with all public subnets. 

[Ajay Kumar]

tried your syntax ["${aws_subnet.public.*.id}"]

but ended up with below error

Inappropriate value for attribute "subnet_ids": element 0: string required.

used below and it worked

"${aws_subnet.public_subnet.*.id}"