Do not require NAT gateway IDs for private subnets (#51)

cloudposse · May 10, 2021 · dac8804 · dac8804
1 parent 0027646
commit dac8804
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -308,7 +308,7 @@ Available targets:
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | List of Availability Zones (e.g. `['us-east-1a', 'us-east-1b', 'us-east-1c']`) | `list(string)` | n/a | yes |
-| <a name="input_az_ngw_ids"></a> [az\_ngw\_ids](#input\_az\_ngw\_ids) | Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets | `map(string)` | `{}` | no |
+| <a name="input_az_ngw_ids"></a> [az\_ngw\_ids](#input\_az\_ngw\_ids) | Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets.<br>You should either supply one NAT Gateway ID for each AZ in `var.availability_zones` or leave the map empty.<br>If empty, no default egress route will be created and you will have to create your own using `aws_route`. | `map(string)` | `{}` | no |
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | Base CIDR block which is divided into subnet CIDR blocks (e.g. `10.0.0.0/16`) | `string` | n/a | yes |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -46,7 +46,7 @@
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | List of Availability Zones (e.g. `['us-east-1a', 'us-east-1b', 'us-east-1c']`) | `list(string)` | n/a | yes |
-| <a name="input_az_ngw_ids"></a> [az\_ngw\_ids](#input\_az\_ngw\_ids) | Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets | `map(string)` | `{}` | no |
+| <a name="input_az_ngw_ids"></a> [az\_ngw\_ids](#input\_az\_ngw\_ids) | Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets.<br>You should either supply one NAT Gateway ID for each AZ in `var.availability_zones` or leave the map empty.<br>If empty, no default egress route will be created and you will have to create your own using `aws_route`. | `map(string)` | `{}` | no |
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | Base CIDR block which is divided into subnet CIDR blocks (e.g. `10.0.0.0/16`) | `string` | n/a | yes |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |

diff --git a/examples/complete/fixtures.disabled.tfvars b/examples/complete/fixtures.disabled.tfvars
diff --git a/examples/complete/fixtures.enabled.tfvars b/examples/complete/fixtures.enabled.tfvars
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -3,9 +3,10 @@ provider "aws" {
 }
 
 locals {
-  public_cidr_block      = cidrsubnet(var.cidr_block, 2, 0)
-  public_only_cidr_block = cidrsubnet(var.cidr_block, 2, 1)
-  private_cidr_block     = cidrsubnet(var.cidr_block, 2, 2)
+  public_cidr_block       = cidrsubnet(var.cidr_block, 2, 0)
+  public_only_cidr_block  = cidrsubnet(var.cidr_block, 2, 1)
+  private_cidr_block      = cidrsubnet(var.cidr_block, 2, 2)
+  private_only_cidr_block = cidrsubnet(var.cidr_block, 2, 3)
 }
 
 module "vpc" {
@@ -20,7 +21,6 @@ module "vpc" {
 module "public_subnets" {
   source = "../../"
 
-  enabled             = var.enabled
   availability_zones  = var.availability_zones
   vpc_id              = module.vpc.vpc_id
   cidr_block          = local.public_cidr_block
@@ -34,7 +34,6 @@ module "public_subnets" {
 module "public_only_subnets" {
   source = "../../"
 
-  enabled             = var.enabled
   availability_zones  = var.availability_zones
   vpc_id              = module.vpc.vpc_id
   cidr_block          = local.public_only_cidr_block
@@ -48,7 +47,6 @@ module "public_only_subnets" {
 module "private_subnets" {
   source = "../../"
 
-  enabled            = var.enabled
   availability_zones = var.availability_zones
   vpc_id             = module.vpc.vpc_id
   cidr_block         = local.private_cidr_block
@@ -60,3 +58,17 @@ module "private_subnets" {
   context = module.this.context
 }
 
+module "private_only_subnets" {
+  source = "../../"
+
+  availability_zones = var.availability_zones
+  vpc_id             = module.vpc.vpc_id
+  cidr_block         = local.private_only_cidr_block
+  type               = "private"
+
+  # No NAT gateways supplied, should create subnets with empty route tables
+  # az_ngw_ids = module.public_subnets.az_ngw_ids
+
+  context = module.this.context
+}
+
diff --git a/private.tf b/private.tf
@@ -90,10 +90,10 @@ resource "aws_route_table_association" "private" {
 }
 
 resource "aws_route" "default" {
-  for_each = local.private_azs
+  for_each = var.az_ngw_ids
 
   route_table_id         = aws_route_table.private[each.key].id
-  nat_gateway_id         = var.az_ngw_ids[each.key]
+  nat_gateway_id         = each.value
   destination_cidr_block = "0.0.0.0/0"
   depends_on             = [aws_route_table.private]
 }
diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go
@@ -121,7 +121,11 @@ func TestExamplesCompleteDisabledModule(t *testing.T) {
 		TerraformDir: "../../examples/complete",
 		Upgrade:      true,
 		// Variables to pass to our Terraform code using -var-file options
-		VarFiles: []string{"fixtures.us-east-2.tfvars", "fixtures.disabled.tfvars"},
+		VarFiles: []string{"fixtures.us-east-2.tfvars"},
+		Vars: map[string]interface{}{
+			"enabled": "false",
+		},
+
 	}
 
 	// At the end of the test, run `terraform destroy` to clean up any resources that were created

diff --git a/variables.tf b/variables.tf
@@ -32,7 +32,11 @@ variable "igw_id" {
 
 variable "az_ngw_ids" {
   type        = map(string)
-  description = "Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets"
+  description = <<-EOT
+    Only for private subnets. Map of AZ names to NAT Gateway IDs that are used as default routes when creating private subnets.
+    You should either supply one NAT Gateway ID for each AZ in `var.availability_zones` or leave the map empty.
+    If empty, no default egress route will be created and you will have to create your own using `aws_route`.
+    EOT
   default     = {}
 }