From 0eeff27aea012ef6cb08467c1784d1ec3c6525c0 Mon Sep 17 00:00:00 2001
From: Silvio Moioli
Date: Fri, 30 May 2025 19:18:37 +0200
Subject: [PATCH] tofu/aws: bugfix: correct vpc creation logic (#66)

Signed-off-by: Silvio Moioli
---
 tofu/modules/aws/network/data.tf | 4 ++--
 tofu/modules/aws/network/main.tf | 8 ++++----
 tofu/modules/aws/network/outputs.tf | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/tofu/modules/aws/network/data.tf b/tofu/modules/aws/network/data.tf
index cfacf13..dc3bfae 100644
--- a/tofu/modules/aws/network/data.tf
+++ b/tofu/modules/aws/network/data.tf
@@ -29,7 +29,7 @@ data "aws_subnet" "public" {
 }
 data "aws_subnet" "private" {
- count = local.create_vpc ? 0 : 1
+ count = !local.create_vpc ? 1 : 0
 vpc_id = one(data.aws_vpc.existing[*].id)
 availability_zone = var.availability_zone
@@ -40,7 +40,7 @@ data "aws_subnet" "private" {
 }
 data "aws_subnet" "secondary_private" {
- count = local.create_vpc && var.secondary_availability_zone != null ? 0 : 1
+ count = !local.create_vpc && var.secondary_availability_zone != null ? 1 : 0
 vpc_id = one(data.aws_vpc.existing[*].id)
 availability_zone = var.secondary_availability_zone
diff --git a/tofu/modules/aws/network/main.tf b/tofu/modules/aws/network/main.tf
index 278c513..914c713 100644
--- a/tofu/modules/aws/network/main.tf
+++ b/tofu/modules/aws/network/main.tf
@@ -19,7 +19,7 @@ locals {
 public_subnet_id = coalesce(one(aws_subnet.public[*].id), one(data.aws_subnet.public[*].id))
 private_subnet_id = coalesce(one(aws_subnet.private[*].id), one(data.aws_subnet.private[*].id))
- secondary_private_subnet_id = coalesce(one(aws_subnet.secondary_private[*].id), one(data.aws_subnet.secondary_private[*].id))
+ secondary_private_subnet_id = (local.create_vpc && var.secondary_availability_zone != null) ? aws_subnet.secondary_private[0].id : (!local.create_vpc && var.secondary_availability_zone != null) ? data.aws_subnet.secondary_private[0].id : null
 create_vpc = var.existing_vpc_name == null
 }
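Review bot: `count = !local.create_vpc ? 1 : 0` on data.aws_subnet.private evaluates exactly as the old `local.create_vpc ? 0 : 1` did, so this hunk changes readability only, presumably to mirror the corrected secondary_private condition in the next hunk. That is fine, but a later reader will look for a behaviour change here; either say so in the commit message or record the rule in the block itself: `# Look up an existing private subnet only when an existing VPC is reused (create_vpc == false).` The data block continues past the end of the hunk.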
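Review bot: The corrected guard `!local.create_vpc && var.secondary_availability_zone != null` is now repeated, in positive or negated form, in three places: here, in the `secondary_private_subnet_id` local in main.tf, and on `aws_route_table_association.secondary_private`; one named local beside `create_vpc`, e.g. `has_secondary_az = var.secondary_availability_zone != null`, would keep them from drifting apart in the next fix. The fix itself looks right: the old expression yielded `count = 1` for a newly created VPC with no secondary AZ, so a lookup ran against a VPC that does not exist. One thing to confirm in the part of the block outside the hunk: the visible selectors are only `vpc_id` and `availability_zone`, and in an existing VPC with more than one subnet in that AZ (a public and a private one, say) this lookup would be expected to fail on multiple matches, or to select a subnet that is not the private one, unless a tag or name filter further down narrows it.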
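Review bot: The new `secondary_private_subnet_id` is a nested conditional indexing `[0]` on both branches, which reads worse than the two lines above it and repeats the create_vpc/secondary-AZ gate; `one(concat(aws_subnet.secondary_private[*].id, data.aws_subnet.secondary_private[*].id))` gives the same result in the surrounding style, because `one()` returns null for an empty list and at most one of the two lists can be non-empty, provided the resource's count is gated the same way as the data source's (the resource is outside this hunk). Dropping `coalesce` is correct, since it errors when every argument is null, which is exactly the no-secondary-AZ case; a comment saying so, `# Null when no secondary AZ is configured; coalesce() would fail on all-null arguments.`, would keep someone from restoring it. The locals block continues outside the hunk.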
@@ -147,8 +147,8 @@ resource "aws_route_table_association" "private" {
 }
 resource "aws_route_table_association" "secondary_private" {
- count = var.secondary_availability_zone != null ? 1 : 0
- subnet_id = aws_subnet.secondary_private[0].id
+ count = local.create_vpc && var.secondary_availability_zone != null ? 1 : 0
+ subnet_id = local.secondary_private_subnet_id
 route_table_id = aws_route_table.private.id
 }
@@ -259,7 +259,7 @@ module "bastion" {
 availability_zone : var.availability_zone,
 public_subnet_id : local.public_subnet_id
 private_subnet_id : local.private_subnet_id
- secondary_private_subnet_id : var.secondary_availability_zone != null ? aws_subnet.secondary_private[0].id : null
+ secondary_private_subnet_id : local.secondary_private_subnet_id
 public_security_group_id : aws_security_group.public.id
 private_security_group_id : aws_security_group.private.id
 ssh_key_name : aws_key_pair.key_pair.key_name
diff --git a/tofu/modules/aws/network/outputs.tf b/tofu/modules/aws/network/outputs.tf
index a6318f6..e79c250 100644
--- a/tofu/modules/aws/network/outputs.tf
+++ b/tofu/modules/aws/network/outputs.tf
@@ -3,7 +3,7 @@ output "config" {
 availability_zone : var.availability_zone,
 public_subnet_id : local.public_subnet_id,
 private_subnet_id : local.private_subnet_id,
- secondary_private_subnet_id : var.secondary_availability_zone != null ? local.secondary_private_subnet_id : null,
+ secondary_private_subnet_id : local.secondary_private_subnet_id,
 public_security_group_id : aws_security_group.public.id,
 private_security_group_id : aws_security_group.private.id,
 ssh_key_name : aws_key_pair.key_pair.key_name,
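Review bot: With `count` now gated on `local.create_vpc`, `subnet_id = local.secondary_private_subnet_id` can only ever resolve to `aws_subnet.secondary_private[0].id`, so routing it through the local hides that this association targets only the subnet this module manages and adds a reference to the data-source branch that is never taken here; keeping the direct reference `subnet_id = aws_subnet.secondary_private[0].id` would make that explicit. Either way a short comment on the count line would record the intent: `# Associations are managed only for VPCs created here; an existing VPC keeps its own routing.` The @@ -259 hunk and the outputs.tf hunk are straightforward substitutions of the new local and need nothing further.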