secondary_cidr_blocks not allowed to be empty but is default

[etwillbefine]

terraform-aws-atlantis uses this module to do all VPC related stuff.
The atlantis module does not pass in the secondary_cidr_blocks. The default is set to an empty list.

Resulting in the following error:

Error: module.atlantis.module.vpc.aws_vpc_ipv4_cidr_block_association.this: 1 error(s) occurred:
* module.atlantis.module.vpc.aws_vpc_ipv4_cidr_block_association.this: element: element() may not be used with an empty list in:

${element(var.secondary_cidr_blocks, count.index)}

https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/main.tf#L33

Related terraform issue:
hashicorp/terraform#11210
hashicorp/terraform#15605

Running these versions:
Terraform v0.11.10 (new HCL will be available in Terraform 0.12.)

• provider.aws v1.58.0

https://www.hashicorp.com/blog/terraform-0-1-2-preview
We do not run the preview version

[antonbabenko]

Tim, line 29 has count which will disable the association of secondary CIDR block if it is empty.

You can see how it is used in examples.

If you think the problem is with the Atlantis module then open an issue there and provide a list of arguments you are using for it.

[etwillbefine]

The atlantis module does not pass in the argument. The default is an empty list.
According to this: hashicorp/terraform#11210 (comment) the expression gets evaluated anyway, even if the count is 0. Thats how I understand it.

I dont see an issue on the atlantis side: https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/master/main.tf#L115

[antonbabenko]

The issue you are referring to is different.

[sam-myers]

@etwillbefine I encountered the same problem with Atlantis.

Eliding terraform-aws- from module names for readability.

In my case, I had a module with both vpc and atlantis. Atlantis was receiving the VPC id, subnets, etc. from vpc:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  ...
}

module "atlantis" {
  vpc_id             = "${module.vpc.vpc_id}"
  private_subnet_ids = ["${module.vpc.private_subnets}"]
  public_subnet_ids  = ["${module.vpc.public_subnets}"]
  ...
}

However, atlantis also references the vpc module. See the atlantis module:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  ...
  create_vpc = "${var.vpc_id == ""}"
}

So what's happening is that during the planning phase, the VPC does not exist (outermost module hasn't created it yet), but Atlantis' VPC module's logic runs and fails.

I believe it is still unexpected behavior that create_vpc will fail if the VPC doesn't exist yet. I was able to circumvent the problem by having atlantis create the VPC for me.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.