Getting a string in the `subnet_id` parameter with the AWS TF VPC Module

Hello everyone!

I'm using the terraform-aws-vpc TF Module to deploy my network in AWS.

It has an output pre-configured that outputs all the private subnet ids.

I need those subnet ids in order for me to create my aws_ec2_client_vpn_network_association resource.

resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {
  count                  = terraform.workspace == "prod" ? 2 : 0
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn_endpoint[0].id
  subnet_id              = module.vpc.private_subnets
  security_groups = [
    aws_security_group.vpn_access[0].id,
    aws_security_group.icmp[0].id
  ]
}

However, I get the following error with that:

│ Error: Incorrect attribute value type
│ 
│   on client-vpn.tf line 44, in resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association":
│   44:   subnet_id              = module.vpc.private_subnets
│     ├────────────────
│     │ module.vpc.private_subnets is tuple with 3 elements
│ 
│ Inappropriate value for attribute "subnet_id": string required.

If I convert module.vpc.private_subnets to a string (jsonencode(module.vpc.private_subnets)), terraform plan works. But when applying the changes I get these errors:

aws_ec2_client_vpn_network_association.client_vpn_network_association[1]: Creating...
aws_ec2_client_vpn_network_association.client_vpn_network_association[0]: Creating...
╷
│ Error: Error creating Client VPN network association: InvalidSubnetId.Malformed: Invalid id: ["subnet-0b5e56dd93f4d6019","subnet-00c11c79caa59d2e0","subnet-0cb7a9e624bff9cc3"]
│       status code: 400, request id: 66f6893d-5695-43b4-958f-4d5813cebb23
│ 
│   with aws_ec2_client_vpn_network_association.client_vpn_network_association[0],
│   on client-vpn.tf line 41, in resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association":
│   41: resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {
│ 
╵
╷
│ Error: Error creating Client VPN network association: InvalidSubnetId.Malformed: Invalid id: ["subnet-0b5e56dd93f4d6019","subnet-00c11c79caa59d2e0","subnet-0cb7a9e624bff9cc3"]
│       status code: 400, request id: c11a9321-8692-4bb2-8cf5-91d462f49aae
│ 
│   with aws_ec2_client_vpn_network_association.client_vpn_network_association[1],
│   on client-vpn.tf line 41, in resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association":
│   41: resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {

What am I missing here?

Thanks!

Hi @lpossamai,

Each aws_ec2_client_vpn_network_association is for only one subnet, so there will be no way to directly use this module.vpc.private_subnets value to populate it.

It sounds like you might want to create one aws_ec2_client_vpn_network_association per subnet, in which case a good start might be to set count to be the length of that private_subnets tuple and then look up individual subnets with count.index:

resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {
  count = length(module.vpc.private_subnets)

  # ...
  subnet_id = module.vpc.private_subnets[count.index]
}

With that said, I'm not really familiar with either this module or this resource type, so maybe something different would be better here. Hopefully this example is a good starting point which you can adapt into something appropriate for what you need, or at least to help you say more about what your goal is so we could try some different ideas instead.

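The suggestion above, merged with the workspace guard and security groups from the question, as an added example that is not part of either post. It assumes the resource and module names shown in the question and that every private subnet should get an association; AWS Client VPN accepts only one associated subnet per Availability Zone, so the subnets in `module.vpc.private_subnets` must each sit in a different AZ.

```hcl
resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {
  # One association per private subnet in the "prod" workspace, none elsewhere.
  # length() replaces the hard-coded 2 so the count follows the module output.
  count = terraform.workspace == "prod" ? length(module.vpc.private_subnets) : 0

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn_endpoint[0].id

  # subnet_id takes a single string, so index into the tuple instead of
  # passing the whole tuple or a jsonencode()'d copy of it.
  subnet_id = module.vpc.private_subnets[count.index]

  # The same security groups are attached to every association.
  security_groups = [
    aws_security_group.vpn_access[0].id,
    aws_security_group.icmp[0].id
  ]
}
```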