
terraform-aws-vpc's People

Contributors

air3ijai, andormarkus, antonbabenko, bcenker, betajobot, bmihaescu, bryantbiggs, ck3mp3r, darxriggs, dev-slatto, drewmullen, drfaust92, felixb, hche608, lazzurs, lorengordon, magreenbaum, michalschott, miguelaferreira, piersf, pserrano, rafilkmp3, rupertexact, sc250024, schneems, semantic-release-bot, skorfmann, tbugfinder, wardviaene, y-batsianouski


terraform-aws-vpc's Issues

Error loading module and how to fix it

Returns error when initialising to download modules.vpc module.
Error downloading modules: Error loading modules: host registry.terraform.io does not provide Terraform modules

After I added the line stating version it worked fine for me.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  name    = "Terraform"
  version = "1.9.1"
  [..]
}

Not sure how you get this verified and added to the release notes or documentation, but I hope the author will see this note, comment, and add it.

Tag everything

Hi!

Some resources created by this module are not tagged. Are you open to a PR adding tag support to the rest of the resources like aws_eip for example?

Constrain AWS provider for compatibility

This module is now incompatible with older versions of the AWS provider (e.g. 0.1.4). I haven't tested whether it's possible, or whether it works, to constrain a provider within a module, but I would think it does. If not, a note in the documentation would suffice.

AWS provider version 0.1.4 yields:

1 error(s) occurred:

* module.vpc.aws_nat_gateway.this: : invalid or unknown key: tags

I would guess this is common across a few old versions.

Adding ec2 instances to subnets

Hello,
I've been experimenting with the vpc module to modularise my Terraform code in general. On creation of the VPC with public and private subnets, I wish to launch instances in these subnets.

The subnets variable itself is a Terraform list; does this mean I have to actually dereference individual elements of the subnets to launch instances using the `aws_instance` resource?

Weird issue with enable_classiclink not being present

With this definition:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 1.22.0"

  name = "xx-${var.environment}"
  cidr = "${var.subnet_prefix}0.0/16"

  azs                 = ["${var.region}a", "${var.region}b", "${var.region}c"]

  tags = {
    Environment = "${var.environment}"
  }
}

I get this error:

* module.network-eu-central-1.module.vpc.output.vpc_enable_classiclink: Resource 'aws_vpc.this' does not have attribute 'enable_classiclink' for variable 'aws_vpc.this.*.enable_classiclink'

I don't quite get how this happens as the aws_vpc should have it as an output.

If I comment out the output in terraform-aws-modules-terraform-aws-vpc-c4bc048/outputs.tf:

#output "vpc_enable_classiclink" {
#  description = "Whether or not the VPC has Classiclink enabled"
#  value       = "${element(concat(aws_vpc.this.*.enable_classiclink, list("")), 0)}"
#}

Then it works fine.

Happy to provide more info as needed.

Error downloading modules: Error loading modules: module vpc: Error loading

Error downloading modules: Error loading modules: module vpc: Error loading /root/terraform/configurations/vpcmodule/.terraform/modules/9106ddebf98a46a763539c43da7ae39f/main.tf: local.max_subnet_length: resource variables must be three parts: TYPE.NAME.ATTR in:

${var.create_vpc && local.max_subnet_length > 0 ? local.max_subnet_length : 0}

Tried providing source in different ways:

  1. source = "github.com/terraform-aws-modules/terraform-aws-vpc//examples//complete-vpc"
  2. source = "github.com/terraform-aws-modules/terraform-aws-vpc"

Thanks!

Just wanted to say thanks for maintaining these modules. Great stuff!

Is there an organization behind managing control and maintenance?

ipv6 support

Are there plans to include IPv6 support to this module?

enable_nat_gateway = false causes an error

When setting enable_nat_gateway = false I get the following error

Error reading config for aws_nat_gateway[this]: local.nat_gateway_ips: resource variables must be three parts: TYPE.NAME.ATTR in:

${element(local.nat_gateway_ips, (var.single_nat_gateway ? 0 : count.index))}

Unable to Reference Module Output using Remote State

I am not sure if this is supposed to work, but if it doesn’t I don’t really understand how one is supposed to use this module when a project has multiple state files.

Here is my current directory structure. Network and app1 each have a different s3 backed state file.

justin@justin-ThinkPad-T560 ~/Documents/projects/tf_demo/sample $ tree
.
├── network
│   ├── main.tf
│   ├── sample.network
│   ├── terraform.tf
│   ├── terraform.tfvars -> ../terraform.tfvars
│   └── variables.tf -> ../variables.tf
├── app1
│   ├── main.tf
│   ├── terraform.tf
│   ├── terraform.tfvars -> ../terraform.tfvars
│   └── variables.tf -> ../variables.tf
├── terraform.tfvars
└── variables.tf

Here is the terraform.tf for the 'network'

terraform {
  backend "s3" {
    bucket = "XXXXXXXXX-us-east-1-terraform-state"
    key    = "sample/network"
    region = "us-east-1"
  }
}

My main.tf for 'app1'

data "terraform_remote_state" "network" {
  backend = "s3"

  config {
    bucket = "XXXXXXXXX-us-east-1-terraform-state"
    key    = "sample/network"
    region = "us-east-1"
  }
}

Say I'm going to use this VPC module with the security group module from the registry.

module "appliance_alb_security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name   = "${format("secgrp-alb-app1-%s-%s", var.customer, var.environment)}"
  vpc_id = "${data.terraform_remote_state.network.vpc_id}"
}

Results in

justin@justin-ThinkPad-T560 ~/Documents/projects/tf_demo/sample/portal_federation_connect $ terraform plan -out test.plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.terraform_remote_state.network: Refreshing state...

------------------------------------------------------------------------

Error: Error running plan: 1 error(s) occurred:

* module.appliance_alb_security_group.var.vpc_id: Resource 'data.terraform_remote_state.network' does not have attribute 'vpc_id' for variable 'data.terraform_remote_state.network.vpc_id'


justin@justin-ThinkPad-T560 ~/Documents/projects/tf_demo/sample/portal_federation_connect $ 
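The error above is what terraform_remote_state produces when the producing configuration has not declared a root-module output with that name: the data source only exposes declared outputs of the other state, never the resources inside it. The following is an added example, not part of the original issue or of the module, written in current Terraform (0.12+) syntax. It shows the network side publishing the VPC module's outputs and the app side consuming them; the bucket name, the lock table name and the IAM policy document are placeholders and assumptions, and var.customer and var.environment are the variables used in the issue.

```hcl
# network/outputs.tf (producer): only what is declared here is readable remotely
output "vpc_id" {
  description = "ID of the VPC created by the module"
  value       = module.vpc.vpc_id
}

output "private_subnets" {
  description = "IDs of the private subnets"
  value       = module.vpc.private_subnets
}

# network/terraform.tf (producer backend). State can contain secrets, so encrypt it
# at rest and lock it; both settings are assumed here, not taken from the issue.
terraform {
  backend "s3" {
    bucket         = "EXAMPLE-us-east-1-terraform-state" # placeholder
    key            = "sample/network"
    region         = "us-east-1"
    encrypt        = true                    # server-side encryption of the state object
    dynamodb_table = "terraform-state-lock"  # placeholder; state locking table
  }
}

# app1/main.tf (consumer)
data "terraform_remote_state" "network" {
  backend = "s3"

  config = {
    bucket = "EXAMPLE-us-east-1-terraform-state" # placeholder
    key    = "sample/network"
    region = "us-east-1"
  }
}

module "appliance_alb_security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name = format("secgrp-alb-app1-%s-%s", var.customer, var.environment)
  # 0.12+ reads remote outputs under .outputs; on 0.11 the same value was
  # "${data.terraform_remote_state.network.vpc_id}", which is what the issue tried.
  vpc_id = data.terraform_remote_state.network.outputs.vpc_id
}

# Least-privilege read access for the role that runs app1: only the network state
# object, not every state file in the bucket. Attach to that role (assumed policy).
data "aws_iam_policy_document" "read_network_state" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::EXAMPLE-us-east-1-terraform-state/sample/network"]
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::EXAMPLE-us-east-1-terraform-state"]
  }
}
```

Apply the network configuration first so the outputs exist in its state; the consumer only needs read access to that one object, which also keeps it from reading other workspaces' state.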

CIDR variable can't be defaulted to an empty string

Terraform Version

Terraform v0.11.2

Terraform Configuration Files

# AWS credentials and region
provider "aws" {
  region = "${var.region}"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.9.1"
}

Expected Behavior

Plan should finish without errors

Actual Behavior

Error: module.vpc.aws_vpc.this: "cidr_block" must contain a valid CIDR, got error parsing: invalid CIDR address:

Steps to Reproduce

  1. terraform init
  2. terraform plan

Module terraform requirements

This module requires terraform 0.10.13 but there is no corresponding version in the official download repository or on the terraform github release page.

This module should require version 0.11+ and only in the release of this module that introduces locals.

NAT Gateway provisioning error

Hey there, first of all, I love these modules. I started creating a new stack with this module, but I can't seem to get the NAT Gateway provisioning to work...

TF Snippet:

# VPC Configuration
resource "aws_eip" "nat" {
  count = 3
  vpc = true
}
module "vpc" {
  source                    = "terraform-aws-modules/vpc/aws"
  version                   = "1.9.1"

  name                      = "Test VPC"

  cidr                      = "172.16.0.0/16"
  azs                       = "${var.azs}"
  private_subnets           = ["172.16.0.0/18", "172.16.64.0/18", "172.16.128.0/18"]

  create_database_subnet_group = true
  map_public_ip_on_launch   = false

  enable_nat_gateway        = true
  single_nat_gateway        = false
  external_nat_ip_ids       = ["${aws_eip.nat.*.id}"]
  enable_s3_endpoint        = true

  enable_dhcp_options       = true
  dhcp_options_domain_name  = "aws.my-domain.com"

  tags                      = "${var.tags}"
}

Error:

Error: Error refreshing state: 1 error(s) occurred:

* module.vpc.aws_nat_gateway.this: 3 error(s) occurred:

* module.vpc.aws_nat_gateway.this[0]: element: element() may not be used with an empty list in:

${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}
* module.vpc.aws_nat_gateway.this[1]: element: element() may not be used with an empty list in:

${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}
* module.vpc.aws_nat_gateway.this[2]: element: element() may not be used with an empty list in:

${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}

Error: module.vpc.aws_vpc_dhcp_options.this: domain_name_servers: should be a list

Hi,

I stumbled on this while attempting to use the DHCP options functionality to provide a list of my own DNS resolvers in the VPC.

While this has been touched upon in #35 and the "complete VPC" example is actually working with the current template, I think this is happening when interpolation is used to create the list of DNS servers entered into the VPC module config.

Example:

module "vpc" {
  ...
  enable_dhcp_options = true
  dhcp_options_domain_name_servers = ["${module.dns1.ip}", "${module.dns2.ip}", "${module.dns3.ip}"]
 ...
}

Changing the current template to the following works with the default variable, the "complete VPC" example and the list of variables exemplified above.

resource "aws_vpc_dhcp_options" "this" {
  ...
  domain_name_servers  = ["${var.dhcp_options_domain_name_servers}"]
  ...
}

Does anyone have an idea of what's going on?

This is also relevant for ntp_servers and netbios_name_servers.

EIP Tags

Got these on plan:
Error: module.vpc.aws_eip.nat[0]: : invalid or unknown key: tags
Error: module.vpc.aws_eip.nat[1]: : invalid or unknown key: tags

Commenting out the "tag=..." line for resource "aws_eip" "nat" resolves the issue.

Feature request - VPN Gateway

I see there is a separate repo for terraform-aws-vpn-gateway - would it make sense to include the vpn gateway in the vpc module, given that it is managed under the VPC console and a vpn gateway would only be created within a VPC? I haven't been able to think of a scenario where a vpn gateway resource would be created outside the scope of the vpc it was going to be attached to. Route-table-propagation could then be refactored as a true/false flag instead of having to define a vpn gateway elsewhere and pass it in as a variable. I can submit a PR for this if it makes sense.

Feature request - VPC flow log

Inspired by terraform-community-modules/tf_aws_vpc#64 and https://github.com/GSA/terraform-vpc-flow-log

Some points to take into account when adding VPC flow log feature to this VPC module:

  • Make creation of aws_flow_log conditional. Disabled by default.
  • Make creation of aws_cloudwatch_log_group conditional. User should be able to provide existing log group.
  • Limit resources in log_policy to only what is necessary.
  • Make creation of aws_iam_role conditional. User should be able to provide existing IAM role.
  • Do not create aws_cloudwatch_log_group and aws_iam_role resources, if aws_flow_log is disabled.
  • Make changes to an existing complete-vpc example
  • Update README
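The list above amounts to a design for an opt-in flow log with least-privilege delivery. The following is an added example of that design, not the module's own code and not from the issue: it is written as module-internal Terraform (0.12+ syntax), the three variable names are hypothetical, var.name is the module's existing name input, and aws_vpc.this[0] is the module's VPC resource, which uses count.

```hcl
variable "enable_flow_log" {
  description = "Create a VPC flow log (disabled by default)"
  type        = bool
  default     = false
}

variable "flow_log_cloudwatch_log_group_arn" {
  description = "Existing log group ARN to deliver to; empty string creates one"
  type        = string
  default     = ""
}

variable "flow_log_iam_role_arn" {
  description = "Existing IAM role ARN for delivery; empty string creates one"
  type        = string
  default     = ""
}

locals {
  create_flow_log_group = var.enable_flow_log && var.flow_log_cloudwatch_log_group_arn == ""
  create_flow_log_role  = var.enable_flow_log && var.flow_log_iam_role_arn == ""

  # Neither the log group nor the role exists when the flow log is disabled;
  # try() keeps the [0] index from failing while the count is 0.
  flow_log_group_arn = local.create_flow_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, "") : var.flow_log_cloudwatch_log_group_arn
  flow_log_role_arn  = local.create_flow_log_role ? try(aws_iam_role.flow_log[0].arn, "") : var.flow_log_iam_role_arn
}

resource "aws_cloudwatch_log_group" "flow_log" {
  count             = local.create_flow_log_group ? 1 : 0
  name              = "/aws/vpc-flow-log/${var.name}"
  retention_in_days = 90
}

# Trust policy: only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_log_assume" {
  count = local.create_flow_log_role ? 1 : 0

  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

# Write permissions scoped to this one log group and its streams, not logs:* on *.
# AWS provider >= 3.0 returns the log group ARN without a trailing ":*", hence the suffix.
data "aws_iam_policy_document" "flow_log" {
  count = local.create_flow_log_role ? 1 : 0

  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${local.flow_log_group_arn}:*"]
  }

  # Describe* are metadata-only and do not take a log-group resource.
  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "flow_log" {
  count              = local.create_flow_log_role ? 1 : 0
  name               = "${var.name}-vpc-flow-log"
  assume_role_policy = data.aws_iam_policy_document.flow_log_assume[0].json
}

resource "aws_iam_role_policy" "flow_log" {
  count  = local.create_flow_log_role ? 1 : 0
  name   = "${var.name}-vpc-flow-log"
  role   = aws_iam_role.flow_log[0].id
  policy = data.aws_iam_policy_document.flow_log[0].json
}

resource "aws_flow_log" "this" {
  count                = var.enable_flow_log ? 1 : 0
  vpc_id               = aws_vpc.this[0].id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = local.flow_log_group_arn
  iam_role_arn         = local.flow_log_role_arn
}
```

With both ARN variables left empty the module creates the group and role; passing either one skips that resource and the policy is then scoped to whatever group the caller supplied.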

Exclude Database, ElastiCache, s3 resources

Hey,
I would recommend excluding the Database, ElastiCache and S3 resources from this module, because they're not direct VPC responsibilities and are more related to the app stack. Still, you could create a set of smaller modules or use different naming to give context that the module can create a much broader resource infrastructure.

Feature request - Allow creation of db_subnet_group in private_subnets

Right now db_subnet_group is only created if a dedicated database_subnets variable is specified.
For simple setups where only two subnets per availability zone are created, it would be nice to be able to create the db_subnet_group in the private_subnets.
An optional parameter like create_database_subnet_group_in_private_subnets would do the trick.

Feature: Allow "provider" variable to be set for VPC peering

Using an example documented here, I should be able to specify the provider within the aws_vpc resource to denote a different region for a VPC that is created by this module. It would appear this module doesn't bring in that variable, therefore I'm not able to use a provider alias to set up VPCs across multiple regions and peer them with that example.

Multiple different private subnets?

Hello!

First, thanks for this module, it really helps jumpstart setting up an aws environment!

I have a question (and possibly a feature request?) I am looking to have multiple private subnets in my VPC that have different application types that I would like to be able to restrict traffic differently through the use of different network ACL's.

Essentially, I would like to have one set of private subnets (spanning AZ's) that has some automation tooling/api's deployed in them and one set of private subnets (again, spanning AZ's) with user facing applications/api's in them.

I mistakenly thought I would be able to just put 3 AZ's with 6 subnets in the private_subnets array but I see when I do a terraform plan that ends up with duplicate names, 3 sets of duplicates like this:

  1. [vpc-name]-private-AZ1
  2. [vpc-name]-private-AZ2
  3. [vpc-name]-private-AZ3
  4. [vpc-name]-private-AZ1
  5. [vpc-name]-private-AZ2
  6. [vpc-name]-private-AZ3

What I really want is something like:

  1. [vpc-name]-private-apps-AZ1
  2. [vpc-name]-private-apps-AZ2
  3. [vpc-name]-private-apps-AZ3
  4. [vpc-name]-private-automation-AZ1
  5. [vpc-name]-private-automation-AZ2
  6. [vpc-name]-private-automation-AZ3

Is this something that is possible, or that you would consider, or is there some other way you would suggest this should be accomplished?

Thanks!
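The module names its subnet tiers (private_subnets, database_subnets, and so on) separately, so one way to get two differently restricted private tiers without duplicate names is to place the second tier in another tier the module already knows and attach a dedicated network ACL to it from the root module. The following is an added example, not the issue author's configuration and not the module's code; it uses current Terraform syntax, placeholder CIDRs, and assumes the module outputs vpc_id, database_subnets and private_subnets_cidr_blocks.

```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "example"
  cidr = "10.0.0.0/16"

  azs              = ["us-west-2a", "us-west-2b", "us-west-2c"]
  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
  private_subnets  = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"] # user-facing apps tier
  database_subnets = ["10.0.20.0/24", "10.0.21.0/24", "10.0.22.0/24"] # restricted tier

  enable_nat_gateway = true
  single_nat_gateway = true
}

# Dedicated NACL for the restricted tier: only the apps tier may reach it on 5432;
# everything else hits the NACL's implicit final deny.
resource "aws_network_acl" "restricted" {
  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.database_subnets

  # One ingress rule per apps-tier subnet CIDR.
  dynamic "ingress" {
    for_each = { for i, c in module.vpc.private_subnets_cidr_blocks : i => c }
    content {
      rule_no    = 100 + tonumber(ingress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = ingress.value
      from_port  = 5432
      to_port    = 5432
    }
  }

  # NACLs are stateless: the return traffic to the apps tier's ephemeral ports
  # must be allowed explicitly or the connection never completes.
  dynamic "egress" {
    for_each = { for i, c in module.vpc.private_subnets_cidr_blocks : i => c }
    content {
      rule_no    = 100 + tonumber(egress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = egress.value
      from_port  = 1024
      to_port    = 65535
    }
  }

  tags = {
    Name = "example-restricted-tier"
  }
}
```

Because the CIDRs are literals, the for_each keys are known at plan time; if the subnet list came from another module's output, the plan would fail until that output was applied. Swap 5432 for whatever the restricted tier actually serves.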

Route table association errors: element() may not be used with an empty list

Getting this error when attempting to use this module:

Error: Error running plan: 2 error(s) occurred:

* module.vpc.aws_route_table_association.database: 3 error(s) occurred:

* module.vpc.aws_route_table_association.database[1]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}
* module.vpc.aws_route_table_association.database[2]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}
* module.vpc.aws_route_table_association.database[0]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}
* module.vpc.aws_route_table_association.elasticache: 3 error(s) occurred:

* module.vpc.aws_route_table_association.elasticache[2]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}
* module.vpc.aws_route_table_association.elasticache[1]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}
* module.vpc.aws_route_table_association.elasticache[0]: element: element() may not be used with an empty list in:

${element(aws_route_table.private.*.id, count.index)}

Here is the tf file

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "prod-vpc"

  cidr = "10.0.0.0/16"

  azs                 = ["us-west-2a", "us-west-2b", "us-west-2c"]
  public_subnets      = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
  database_subnets    = ["10.0.128.0/24", "10.0.129.0/24", "10.0.130.0/24"]
  elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"]

  enable_dns_support   = true
  enable_dns_hostnames = true
  enable_nat_gateway   = false

  tags = "${local.common_tags}"
}

Module version 1.10.0

Terraform versions

Terraform v0.11.1
+ provider.aws v1.5.0

private_propagating_vgws

I'm having trouble using the following with this module:

resource "aws_vpn_gateway_route_propagation" "SpokeA" {
  count          = "${length(module.spokeA.private_route_table_ids)}"
  vpn_gateway_id = "${module.spokeA.vgw_id}"
  route_table_id = "${element(module.spokeA.private_route_table_ids, count.index)}"
}

The problem I'm having is every other time I run Terraform the propagation is turned off and then on again.

I noticed private_propagating_vgws in the variables and main.tf of this module but am a bit puzzled as to how to use this parameter in combination with enable_vpn_gateway="true".

Can someone provide an example of the correct way to enable route propagation on the route tables associated with the VPC created by this module?

Bug introduced in 1.16 with elastic ip tags

I'm not sure why this is occurring but I get this error with the introduction of the elastic ip tags committed in v1.16:

Error: module.vpc.module.vpc.aws_eip.nat[0]: : invalid or unknown key: tags
Error: module.vpc.module.vpc.aws_eip.nat[1]: : invalid or unknown key: tags
Error: module.vpc.module.vpc.aws_eip.nat[2]: : invalid or unknown key: tags

The VPC Module

module "vpc" {
  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v1.16.0"

  name = "vpcdev"
  cidr = "..."

  azs = "${split(",", lookup(var.vpc_azs, var.region))}"

  private_subnets = [...]

  public_subnets = [...]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "Dev"
  }
}

1.4.1 and 1.5.0 unusable

Hi,

b684241 removed a bunch of variables that it shouldn't have. Releases since (1.4.1 and 1.5.0) are totally unusable. They break all unversioned inclusions of the module:

Error getting plugins: module root: 
  module banksites-vpc.root: 8 error(s) occurred:

* resource 'aws_vpc_dhcp_options.this' config: unknown variable referenced: 'dhcp_options_domain_name'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options.this' config: unknown variable referenced: 'dhcp_options_domain_name_servers'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options.this' config: unknown variable referenced: 'dhcp_options_ntp_servers'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options.this' config: unknown variable referenced: 'dhcp_options_netbios_name_servers'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options.this' config: unknown variable referenced: 'dhcp_options_netbios_node_type'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options.this' count: unknown variable referenced: 'enable_dhcp_options'. define it with 'variable' blocks
* resource 'aws_vpc_dhcp_options_association.this' count: unknown variable referenced: 'enable_dhcp_options'. define it with 'variable' blocks
* resource 'aws_vpn_gateway.this' count: unknown variable referenced: 'enable_vpn_gateway'. define it with 'variable' blocks

RouteAlready exists error

Hello,
I see this error when converging with Terraform v0.11.1 and provider.aws v1.5.0.
I set enable_nat_gateway to true and have one private subnet enabled in the module.

2 error(s) occurred:

* module.production.module.vpc.aws_route.private_nat_gateway[0]: 1 error(s) occurred:

* aws_route.private_nat_gateway.0: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: c90d42d0-64f8-44da-89ea-bdfc37252a1e
* module.production.module.vpc.aws_route.private_nat_gateway[2]: 1 error(s) occurred:

* aws_route.private_nat_gateway.2: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 47d42d18-bbac-4a1b-8966-61d2e954358d

Add custom routing table to subnets

When we use vpc peering it would be nice to be able to include aws_route entries in the private and/or private subnets' routing_table.

I'm wondering if it would be better to pass aws_route_table complete or just aws_route elements.

Elastic IPs from NAT gateway are not tagged.

Hello,

Using the module with:

locals {
   subnet1 = "${cidrsubnet(var.vpc_cidr, 2, 0)}"
   subnet2 = "${cidrsubnet(var.vpc_cidr, 2, 1)}"
   subnet3 = "${cidrsubnet(var.vpc_cidr, 2, 2)}"
   subnet4 = "${cidrsubnet(var.vpc_cidr, 2, 3)}"
}
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  version = "1.9.1"

  name = "${var.vpc_name}"
  cidr = "${var.vpc_cidr}"

  azs             = ["eu-central-1a", "eu-central-1b"]
  private_subnets = ["${local.subnet1}", "${local.subnet2}"]
  public_subnets  = ["${local.subnet3}", "${local.subnet4}"]

  enable_nat_gateway = true
  enable_vpn_gateway = false

  tags = {
    test = "thetestvalue"
    Environment = "test"
  }
}

The Elastic IPs that get created by the NAT gateways do not get tagged. Missing value in
https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/main.tf
resource "aws_eip" "nat" for local.nat_gateway_ips.

Thanks for your help.

Networking question

Hello,

It may be a stupid question, but why are aws_nat_gateway(s) associated with public_subnet(s), and not with private_subnets?

I assume, that public_subnets are designed for the hosts, which have public IP association

Please, correct me if I'm wrong

Tagging aws_eip under terraform v0.11.2

I just did an upgrade from terraform v0.10.7 to v0.11.2.

In doing so, I did a terraform init that pulled in v1.17.0 of the module.

Running a terraform plan gave me:

Error: module.vpc.aws_eip.nat: : invalid or unknown key: tags

Rolling back to terraform v0.10.7 (but keeping v1.17.0 of the module) allows terraform plan to run cleanly.

Commenting out the change made in 928df80 and running it with either version of terraform also works.

Have I missed a piece of migration in going from an older terraform version, or is there still a problem with aws_eip tagging, something along the lines of terraform-community-modules/tf_aws_vpc#29 ?

Or perhaps there is a regression in terraform itself? Not quite sure where the problem lies (and admit that the true problem may be a PEBKAC on my part).

No ElastiCache subnet group name output

ElastiCache cluster has a subnet_group_name argument, but no subnet_group_id argument, so the output variable elasticache_subnet_group is not useful in this regard.

Should an elasticache_subnet_group_name output be added?

Allow passing in the EIPs for the NAT gateways

The NAT Gateway IPs in my setup need to survive the terraform apply-destroy cycle because they are the interface to integrate my infrastructure with other infrastructures outside my control. More specifically, these IPs need to be whitelisted somewhere else for my system to work.

As it is now, if I build up my infrastructure, destroy it and build it again, I will get new IPs for the NAT Gateways. This poses a problem for me because whitelisting the new IPs has to go through a manual process.

To this end I would like to be able to allocate EIPs outside my plan, and pass those into the VPC module as input variables. I'm opening the issue to raise awareness to the problem and to promote a discussion about it. Maybe there are other ways of achieving this that I'm missing?

Meanwhile I'll work on a PR to address this problem.

Ability to name resources

Hello,
I think it would be very useful if resource names are exposed as variables so that resource names can be appropriately set when the resources are created.
I understand that we can set tags to filter resources, but naming resources appropriately is a nice to have feature.

enable_dns_support default

I was confused by this, wondering why I could not curl google.com for example when entering an instance in my VPC. Looking further and I found this:

variable "enable_dns_support" {
  description = "Should be true if you want to use private DNS within the VPC"
  default     = false
}

Should that not be true, and false if you would be using your own authoritative DNS server? The default seems to be x.x.x.2 on the VPC, and when dig google.com I was getting timeouts until setting enable_dns_support = true.

Create only one private route table when single_nat_gateway is true

Right now, this module is creating a route table for every subnet even when there is a single NAT Gateway. This is unnecessary, as all the route tables are using the same NAT Gateway, and multiple subnets can be associated with the same route table.

I propose that when the user elects to use a single NAT Gateway, all the private subnets should be associated with just a single private route table.

Accessing private subnet id

Was expecting to access the private subnet id as $module.vpc.private_subnets.*.id, but it's not working.
How should I be able to access the subnet id.

[Feature Req] Ability to name all subnet

I need to give a special name to every subnet I create with terraform.
Is there any chance to have this possibility with this module?

Like replacing the simple list of subnets with something like:

  xxxxxx_subnets = [
    {
      "name" = "MySubnet1",
      "subnet" = "XX.XX.XX.XX/XX"
    },
    {
      "name" = "MySubnet2",
      "subnet" = "XX.XX.XX.XX/XX"
    },
    {
      "name" = "MySubnet3",
      "subnet" = "XX.XX.XX.XX/XX"
    }
  ]

With zero public subnets, s3 vpc endpoint association fails

When passing no public subnets, but still using an S3 VPC endpoint, the module should not try to associate the endpoint with a (non-existent) public route table.

Error: Error running plan: 1 error(s) occurred:

* module.vpc.aws_vpc_endpoint_route_table_association.public_s3: 1 error(s) occurred:

* module.vpc.aws_vpc_endpoint_route_table_association.public_s3: Resource 'aws_route_table.public' not found for variable 'aws_route_table.public.id'

The condition in this line needs to account for the length of var.public_subnets.

Looks like the count for the dynamodb vpc endpoint is also flawed. A bit differently though. There is only one public route table for all public subnets, so the length check should be in the condition and the count should be 1 if true.

Error: output 'vgw_id': unknown resource 'aws_vpn_gateway.*' referenced in variable aws_vpn_gateway.*.id

I modified the simple-vpc example to use a vpn gateway and get this error...
Error: output 'vgw_id': unknown resource 'aws_vpn_gateway.*' referenced in variable aws_vpn_gateway.*.id

main.tf...

provider "aws" {
  region = "eu-west-1"
}

module "vpc" {
  source = "../../"

  name = "simple-example"

  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Owner       = "user"
    Environment = "dev"
  }
}

output.tf...

# VPC
output "vpc_id" {
  description = "The ID of the VPC"
  value       = "${module.vpc.vpc_id}"
}

# Subnets
output "private_subnets" {
  description = "List of IDs of private subnets"
  value       = ["${module.vpc.private_subnets}"]
}

output "public_subnets" {
  description = "List of IDs of public subnets"
  value       = ["${module.vpc.public_subnets}"]
}

# NAT gateways
output "nat_public_ips" {
  description = "List of public Elastic IPs created for AWS NAT Gateway"
  value       = ["${module.vpc.nat_public_ips}"]
}

output "vgw_id" {
  description = "The ID of the VPN Gateway"
  value       = "${element(concat(aws_vpn_gateway.this.*.id, list("")), 0)}"
}

$ terraform init
Initializing modules...
- module.vpc

Error: output 'vgw_id': unknown resource 'aws_vpn_gateway.*' referenced in variable aws_vpn_gateway.*.id
