Nat gateway cannot be created due to depends on subnet creation. #1

Closed
djcldcvr opened this issue Nov 23, 2021 · 4 comments

@djcldcvr

│ Error: Invalid for_each argument

│ on terraform-azurerm-nat-gateway/r-nat-gateway.tf line 42, in resource "azurerm_subnet_nat_gateway_association" "subnet_assoc":
│ 42: for_each = toset(var.subnet_ids)
│ ├────────────────
│ │ var.subnet_ids is list of string with 1 element

│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many
│ instances will be created. To work around this, use the -target argument to first apply only the resources that the for_each
│ depends on.

@BzSpi
Contributor

BzSpi commented Nov 23, 2021

Hello @djcldcvr,

This issue is a common one and is due to a Terraform limitation, see hashicorp/terraform#4149.

Can you please provide your code that leads to this issue? We may be able to provide a workaround.

@djcldcvr
Author

djcldcvr commented Nov 23, 2021

Hi @BzSpi

Thanks for your prompt response. Please refer to the code given below that leads to the reported issue.

########################
# Location
########################

module "azure-region" {
  source  = "claranet/regions/azurerm"
  azure_region = var.location
}

########################
# Resource Group
########################

module "rg" {
  source  = "claranet/rg/azurerm"
  location    = module.azure-region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

########################
# Vnet
########################

module "azure-virtual-network" {
  source  = "claranet/vnet/azurerm"
  
  environment         = var.environment
  location            = var.location
  resource_group_name = module.rg.resource_group_name
  client_name         = var.client_name
  location_short      = module.azure-region.location_short
  stack               = var.stack

  custom_vnet_name = "${var.environment}-${var.alias}-vnet"
  vnet_cidr        = [var.vnet_cidr]
  dns_servers      = ["10.0.0.4", "10.0.0.5"] # Can be empty if not used
}

###################################
# Subnet
###################################
locals {
  network_security_group_names = ["nsg1", "nsg2", "nsg3"]

  vnet_cidr = "10.1.0.0/24"

  subnets = [
    {
      name              = "subnet1"
      cidr              = ["10.1.0.0/20"]
      service_endpoints = ["Microsoft.Storage", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Web"]
      nsg_name          = local.network_security_group_names[0]
      vnet_name         = module.azure-virtual-network.virtual_network_name

    },
    {
      name              = "subnet2"
      cidr              = ["10.1.64.0/20"]
      service_endpoints = ["Microsoft.Storage", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Web"]
      nsg_name          = local.network_security_group_names[2]
      vnet_name         = module.azure-virtual-network.virtual_network_name
    }
  ]
}

module "azure-network-route-table" {
  source  = "claranet/route-table/azurerm"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name
  location            = module.azure-region.location
  location_short      = module.azure-region.location_short
}

module "azure-network-security-group" {
  for_each = toset(local.network_security_group_names)
  source   = "claranet/nsg/azurerm"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure-region.location
  location_short      = module.azure-region.location_short
  resource_group_name = module.rg.resource_group_name
  stack               = var.stack

  custom_network_security_group_name = each.key
}

module "azure-network-subnet" {
  source  = "claranet/subnet/azurerm"

  for_each = { for subnet in local.subnets : subnet.name => subnet }

  environment         = var.environment
  location_short      = module.azure-region.location_short
  client_name         = var.client_name
  stack               = var.stack
  custom_subnet_name  = each.key

  resource_group_name  = module.rg.resource_group_name
  virtual_network_name = each.value.vnet_name
  subnet_cidr_list     = each.value.cidr
  subnet_delegation    = { 
    app-service-plan = [
      {
        name    = "Microsoft.Web/serverFarms"
        actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
      }
    ]
  }

  route_table_name = module.azure-network-route-table.route_table_name

  network_security_group_name = each.value.nsg_name

  service_endpoints = each.value.service_endpoints
}

module "nat-gateway" {
  source  = "claranet/nat-gateway/azurerm"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure-region.location
  location_short      = module.azure-region.location_short
  resource_group_name = module.rg.resource_group_name
  stack               = var.stack
  subnet_ids          = [module.azure-network-subnet["subnet2"].subnet_id]

}

@Shr3ps
Member

Shr3ps commented Nov 24, 2021

Hi @djcldcvr, like @BzSpi said, that's a Terraform bug.
The only way to get past the issue is by first setting
subnet_ids = []
and applying your code to create all the resources,

and then updating the code with
subnet_ids = [module.azure-network-subnet["subnet2"].subnet_id]

and applying again to update the subnets associated with the NAT GW.

(Or you can apply with the -target option, as Terraform suggests, in order to first apply the subnet creation, and then do another global apply.)
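
The error comes from `toset(var.subnet_ids)` turning subnet IDs that are not yet known into the `for_each` instance keys. As an added example (not code from this module or from anyone in the thread), the provider-free configuration below reproduces that shape and shows the general fix of keying on list position instead; the `terraform_data` stand-ins and all resource names are assumptions, and it needs Terraform 1.4 or later.

```hcl
# Constructed reproduction: no Azure provider needed.
terraform {
  required_version = ">= 1.4" # terraform_data was introduced in 1.4
}

# Stand-in for the subnet module: "id" is only known after apply,
# just like module.azure-network-subnet["subnet2"].subnet_id.
resource "terraform_data" "subnet" {
  input = "subnet2"
}

locals {
  # Known length (1 element), unknown element value: the same shape
  # Terraform reports for var.subnet_ids in the error above.
  subnet_ids = [terraform_data.subnet.id]
}

# FAILS at plan with "Invalid for_each argument" on a fresh state.
# With a set, the element values ARE the instance keys, and those
# values are unknown until the subnet stand-in has been created.
# Uncomment to reproduce:
#
# resource "terraform_data" "assoc_fails" {
#   for_each = toset(local.subnet_ids)
#   input    = each.value
# }

# WORKS in a single apply. The map keys ("subnet-0", ...) are derived
# from list positions, which are known at plan time; only the map
# values are unknown, and for_each allows unknown values.
resource "terraform_data" "assoc" {
  for_each = { for idx, id in local.subnet_ids : "subnet-${idx}" => id }
  input    = each.value
}

# Trade-off: keys are positional, so reordering the list moves IDs
# between instance addresses and forces the affected instances to be
# replaced.
output "assoc_keys" {
  value = keys(terraform_data.assoc)
}
```

Applying this on an empty state plans both resources in one pass; the two-step apply or `-target` workaround described above remains necessary when the module's own `for_each` cannot be changed.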

@rossifumax
Member

Hello!

Original issue hashicorp/terraform#4149 has been closed and replaced by a new one, hashicorp/terraform#30937.

No answers since November 2021, I'll close this issue.

Don't hesitate to reply here and we'll re-open it if needed.

Thanks for your issue!
