Fix nat_gateway_enabled=false Invalid index error

examples/complete/fixtures.nat_gw_disabled.tfvars

@@ -0,0 +1 @@
+nat_gateway_enabled = "false"

examples/complete/fixtures.nat_gw_enabled.tfvars

@@ -0,0 +1 @@
+nat_gateway_enabled = "true"

examples/complete/main.tf

@@ -25,7 +25,7 @@ module "public_subnets" {
   cidr_block          = local.public_cidr_block
   type                = "public"
   igw_id              = module.vpc.igw_id
-  nat_gateway_enabled = true
+  nat_gateway_enabled = var.nat_gateway_enabled
 
   context = module.this.context
 }

examples/complete/variables.tf

@@ -12,3 +12,7 @@ variable "availability_zones" {
   type        = list(string)
   description = "List of Availability Zones (e.g. `['us-east-1a', 'us-east-1b', 'us-east-1c']`)"
 }
+
+variable "nat_gateway_enabled" {
+  description = "Flag to enable/disable NAT Gateways creation in public subnets"
+}

main.tf

@@ -1,15 +1,20 @@
 locals {
   enabled = module.this.enabled
 
-  public_enabled     = local.enabled && var.type == "public"
-  private_enabled    = local.enabled && var.type == "private"
-  availability_zones = local.enabled ? var.availability_zones : []
+  public_enabled      = local.enabled && var.type == "public"
+  private_enabled     = local.enabled && var.type == "private"
+  availability_zones  = local.enabled ? var.availability_zones : []
+  nat_gateway_enabled = local.enabled && var.nat_gateway_enabled
 
   output_map = { for az in(local.enabled ? var.availability_zones : []) : az => {
     subnet_id      = local.public_enabled ? aws_subnet.public[az].id : aws_subnet.private[az].id
     subnet_arn     = local.public_enabled ? aws_subnet.public[az].arn : aws_subnet.private[az].arn
     route_table_id = local.public_enabled ? aws_route_table.public[az].id : aws_route_table.private[az].id
-    ngw_id         = local.public_enabled ? aws_nat_gateway.public[az].id : null
+    }
+  }
+  # Only relevant for public subnets. Output is empty map for private subnets or when nat gateway is disabled
+  output_ngw_id = { for az in(local.public_enabled && local.nat_gateway_enabled ? var.availability_zones : []) : az => {
+    ngw_id = local.public_enabled ? try(aws_nat_gateway.public[az].id, null) : null
     }
   }
 }

outputs.tf

@@ -15,7 +15,7 @@ output "az_route_table_ids" {
 
 output "az_ngw_ids" {
   # No ellipsis needed since this module makes either public or private subnets. See the TF 0.15 one function
-  value       = { for az, m in local.output_map : az => m.ngw_id }
+  value       = { for az, m in local.output_ngw_id : az => m.ngw_id }
   description = "Map of AZ names to NAT Gateway IDs (only for public subnets)"
 }
 

private.tf

@@ -1,5 +1,6 @@
 locals {
   private_azs = local.private_enabled ? { for idx, az in var.availability_zones : az => idx } : {}
+  az_ngw_ids  = local.nat_gateway_enabled ? var.az_ngw_ids : {}
 }
 
 module "private_label" {
@@ -90,10 +91,10 @@ resource "aws_route_table_association" "private" {
 }
 
 resource "aws_route" "default" {
-  for_each = local.private_azs
+  for_each = local.az_ngw_ids
 
   route_table_id         = aws_route_table.private[each.key].id
-  nat_gateway_id         = var.az_ngw_ids[each.key]
+  nat_gateway_id         = each.value
   destination_cidr_block = "0.0.0.0/0"
   depends_on             = [aws_route_table.private]
 }

test/src/examples_complete_test.go

@@ -32,7 +32,7 @@ func TestExamplesComplete(t *testing.T) {
 		TerraformDir: "../../examples/complete",
 		Upgrade:      true,
 		// Variables to pass to our Terraform code using -var-file options
-		VarFiles: []string{"fixtures.us-east-2.tfvars"},
+		VarFiles: []string{"fixtures.us-east-2.tfvars", "fixtures.nat_gw_enabled.tfvars"},
 	}
 
 	// At the end of the test, run `terraform destroy` to clean up any resources that were created
@@ -105,7 +105,7 @@ func TestExamplesCompleteDisabledModule(t *testing.T) {
 		TerraformDir: "../../examples/complete",
 		Upgrade:      true,
 		// Variables to pass to our Terraform code using -var-file options
-		VarFiles: []string{"fixtures.us-east-2.tfvars", "fixtures.disabled.tfvars"},
+		VarFiles: []string{"fixtures.us-east-2.tfvars", "fixtures.nat_gw_enabled.tfvars", "fixtures.disabled.tfvars"},
 	}
 
 	// At the end of the test, run `terraform destroy` to clean up any resources that were created
@@ -128,3 +128,32 @@ func TestExamplesCompleteDisabledModule(t *testing.T) {
 	assert.Empty(t, publicSubnetIds)
 	assert.Empty(t, publicRouteTableIds)
 }
+
+func TestExamplesCompleteNoNatGateway(t *testing.T) {
+	// Init phase module download fails when run in parallel
+	//t.Parallel()
+
+	terraformOptions := &terraform.Options{
+		// The path to where our Terraform code is located
+		TerraformDir: "../../examples/complete",
+		Upgrade:      true,
+		// Variables to pass to our Terraform code using -var-file options
+		VarFiles: []string{"fixtures.us-east-2.tfvars", "fixtures.nat_gw_disabled.tfvars"},
+	}
+
+	// At the end of the test, run `terraform destroy` to clean up any resources that were created
+	defer terraform.Destroy(t, terraformOptions)
+
+	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+	terraform.InitAndApply(t, terraformOptions)
+
+	privateRouteTableIds := terraform.OutputMap(t, terraformOptions, "private_az_route_table_ids")
+	publicNATGateWayIds := terraform.OutputMap(t, terraformOptions, "public_az_ngw_ids")
+	privateNATGateWayIds := terraform.OutputMap(t, terraformOptions, "private_az_ngw_ids")
+
+	expectedAZs := []string{"us-east-2a", "us-east-2b", "us-east-2c"}
+	assert.Equal(t, expectedAZs, getKeys(privateRouteTableIds))
+	assertValueStartsWith(t, privateRouteTableIds, "^rtb-.*")
+	assert.Empty(t, publicNATGateWayIds)
+	assert.Empty(t, privateNATGateWayIds)
+}