diff --git a/upup/pkg/fi/cloudup/awstasks/routetable.go b/upup/pkg/fi/cloudup/awstasks/routetable.go
index 4c90b8f0ed92f..309f0a2ba58d4 100644
--- a/upup/pkg/fi/cloudup/awstasks/routetable.go
+++ b/upup/pkg/fi/cloudup/awstasks/routetable.go
@@ -195,8 +195,12 @@ type terraformRouteTable struct {
 }
 
 func (_ *RouteTable) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *RouteTable) error {
-	if err := t.AddOutputVariable("route_table_"+*e.Name+"_id", e.TerraformLink()); err != nil {
-		return err
+	// We use the role tag as a concise and stable identifier
+	tag := e.Tags[awsup.TagNameKopsRole]
+	if tag != "" {
+		if err := t.AddOutputVariable("route_table_"+tag+"_id", e.TerraformLink()); err != nil {
+			return err
+		}
 	}
 
 	tf := &terraformRouteTable{
diff --git a/upup/pkg/fi/cloudup/awstasks/subnet.go b/upup/pkg/fi/cloudup/awstasks/subnet.go
index ba9c0c72d43f3..c19f08f93d99a 100644
--- a/upup/pkg/fi/cloudup/awstasks/subnet.go
+++ b/upup/pkg/fi/cloudup/awstasks/subnet.go
@@ -18,6 +18,7 @@ package awstasks
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/golang/glog"
@@ -214,6 +215,17 @@ type terraformSubnet struct {
 }
 
 func (_ *Subnet) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *Subnet) error {
+	if fi.StringValue(e.AvailabilityZone) != "" {
+		name := fi.StringValue(e.AvailabilityZone)
+		if e.Tags["SubnetType"] != "" {
+			name += "-" + strings.ToLower(e.Tags["SubnetType"])
+		}
+
+		if err := t.AddOutputVariable("subnet_"+name+"_id", e.TerraformLink()); err != nil {
+			return err
+		}
+	}
+
 	shared := fi.BoolValue(e.Shared)
 	if shared {
 		// Not terraform owned / managed
@@ -225,10 +237,6 @@ func (_ *Subnet) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *Su
 		return t.AddOutputVariableArray("subnet_ids", terraform.LiteralFromStringValue(*e.ID))
 	}
 
-	if err := t.AddOutputVariable("subnet_"+*e.Name+"_id", e.TerraformLink()); err != nil {
-		return err
-	}
-
 	tf := &terraformSubnet{
 		VPCID:            e.VPC.TerraformLink(),
 		CIDR:             e.CIDR,
diff --git a/upup/pkg/fi/cloudup/awstasks/vpc.go b/upup/pkg/fi/cloudup/awstasks/vpc.go
index 4317c4d14f4d4..dd4b65684aab0 100644
--- a/upup/pkg/fi/cloudup/awstasks/vpc.go
+++ b/upup/pkg/fi/cloudup/awstasks/vpc.go
@@ -216,10 +216,6 @@ func (_ *VPC) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *VPC)
 		return err
 	}
 
-	if err := t.AddOutputVariable("vpc_cidr_block", terraform.LiteralProperty("aws_vpc", *e.Name, "cidr_block")); err != nil {
-		return err
-	}
-
 	shared := fi.BoolValue(e.Shared)
 	if shared {
 		// Not terraform owned / managed
@@ -227,6 +223,11 @@ func (_ *VPC) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *VPC)
 		return nil
 	}
 
+	if err := t.AddOutputVariable("vpc_cidr_block", terraform.LiteralProperty("aws_vpc", *e.Name, "cidr_block")); err != nil {
+		// TODO: Should we try to output vpc_cidr_block for shared vpcs?
+		return err
+	}
+
 	if len(e.AdditionalCIDR) != 0 {
 		// https://github.com/terraform-providers/terraform-provider-aws/issues/3403
 		return fmt.Errorf("terraform does not support AdditionalCIDRs on VPCs")