Terraform-provider-aws: Cannot count subnets before route table association.

Created on 27 Nov 2018 · 5Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @results-may-vary as hashicorp/terraform#19480. It was migrated here as a result of the provider split. The original body of the issue is below._

Terraform v0.11.10

I'd like your assistance with a count problem when I’m trying to get the number of specific subnets labeled "public", so I'm running:

data "aws_subnet_ids" "public" {
vpc_id = "${aws_vpc.main.id}"
tags {
Tier = "Public"
}
}

Then, based on this query I'm trying to count them so I can perform the aws_route_table_association:

resource "aws_route_table_association" "Public_rtb_association" {
count = "${length(data.aws_subnet_ids.public.ids)}"
subnet_id = "${element(data.aws_subnet_ids.public.id, count.index)}"
route_table_id = "${aws_route_table.Public_route_table.id}"
}

The error I'm getting:
"aws_route_table_association.Public_rtb_association: value of 'count' cannot be computed".

Any ideas or workarounds would be appreciated.
Thanks.

bug servicec2

Source

hashibot[bot]

Most helpful comment

I second that, however on version 0.11.11.

Here I'm just trying to create one subnet per availability zone and then associate the route table with each one of them:

locals {
  aws_region = "${var.aws_regions[var.profile]}"
  base_name = "${var.product}-${local.aws_region}"
  aws_avzones = {
    pro = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    dev = ["eu-west-2a", "eu-west-2b", "eu-west-2c"]
  }
}

# ---

# Create VPC
resource "aws_vpc" "default" {
  cidr_block = "${var.vpc_cidr_block}"

  tags = {
    Name = "${local.base_name}-vpc"
  }
}

# ---

# Create public subnets - each in a different AZ
resource "aws_subnet" "public" {
  count                   = "${length(local.aws_avzones[var.profile])}"
  vpc_id                  = "${aws_vpc.default.id}"
  cidr_block              = "${cidrsubnet(var.vpc_cidr_block, 8, count.index)}"
  availability_zone       = "${element(local.aws_avzones[var.profile], count.index)}"
  map_public_ip_on_launch = 1

  tags = {
    "Name" = "Public subnet - ${element(local.aws_avzones[var.profile], count.index)}"
  }
}

# ---

# Create Internet gateway for inbound-outbound connections
resource "aws_internet_gateway" "default" {
  vpc_id = "${aws_vpc.default.id}"

  tags = {
    "Name" = "${local.base_name}-igw"
  }
}

# ---

# Create Internet gateway routes table
resource "aws_route_table" "pub" {
  vpc_id = "${aws_vpc.default.id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.default.id}"
  }

  tags = {
    Name = "${local.base_name}-rtb-igw"
  }
}

# ---

# Associate public subnets with the public route table
resource "aws_route_table_association" "pub" {
  count          = "${length(aws_subnet.public.*.id)}"
  subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
  route_table_id = "${aws_route_table.pub.id}"

  depends_on = ["aws_subnet.public"]
}

Error is the same:

aws_route_table_association.pub: aws_route_table_association.pub: value of 'count' cannot be computed

Currently my workaround is to comment out all the aws_route_table_association blocks, then terraform apply, uncomment and finish the job. Obviously this is very far from ideal.

One important note though. Terraform didn't complain when the infra. was up and running. I discovered this issue only after the destruction when attempting to to recreate the infra. Fortunately for me I was playing on the dev infra., so I had time to find my workarounds. But it potentially may be deadly for the admins relying on Terraform for the recovery from the disaster situations.

narun4sk on 19 Dec 2018

👍2

All 5 comments

@results-may-vary Try:

subnet_id = "${data.aws_subnet_ids.public.*.id[count.index]}"

ewbankkit on 27 Nov 2018

@ewbankkit
Thanks, the problem was, and still is, in the count, meaning that the error I'm getting now is "no matching subnet found for vpc with id vpc-xxxxxx". Which is pretty odd, given that I'm querying for subnets, not VPC ID. It's as if the output is cached in some manner, because the same code worked when I deployed previously. No changes made, I destroyed and run it again, I get the error above.
To make things even more puzzling, when I switch to a different workspace, with the same code, I still get the error in my original post.

results-may-vary on 2 Dec 2018

The value of 'count' cannot be computed error is due to how count currently works in Terraform core (as of 0.11.10): https://github.com/hashicorp/terraform/issues/17421

I believe a potential workaround might be applying the data source first (e.g. terraform apply -target=data.aws_subnet_ids.public), but that workaround may not work since its a data source, which are refreshed every Terraform plan/apply.

The no matching subnet found for vpc with id vpc-xxxxxx error should be coming from your data source and it means the EC2 DescribeSubnets call returned no subnets. You can enable Terraform debug logging to troubleshoot that API call (e.g. TF_LOG=debug terraform plan). Here's the relevant code:

https://github.com/terraform-providers/terraform-provider-aws/blob/7a37b00695a59386e928eb55a58c1c3db4a14126/aws/data_source_aws_subnet_ids.go#L69-L71

bflad on 2 Dec 2018

Hi @bflad , thanks for your response.
If I understand correctly you're saying there is sort of a timing issue as to when the subnet data source is running and returning the data, is that correct? Let me zoom out a little bit and say that this data source's output is counted so I can iterate over the number of route table associations. Per your suggestion, how can I run the target data source at a specific timing?
Thanks.

results-may-vary on 3 Dec 2018