[Bug]: The argument "default_network_acl_id" is required, but no definition was found

[prajith-nair]

Terraform Core Version

v1.7.3

AWS Provider Version

v5.36.0

Affected Resource(s)

aws_vpc

Expected Behavior

when manage_default_network_acl = true is enabled, the parameter default_network_acl_id should not be defined.

Actual Behavior

terraform apply fails with The argument "default_network_acl_id" is required, but no definition was found.

Relevant Error/Panic Output Snippet

 Error: Missing required argument
│
│   with module.vpc.module.vpc.aws_default_network_acl.this[0],
│   on .terraform/modules/vpc.vpc/main.tf line 1262, in resource "aws_default_network_acl" "this":
│ 1262:   default_network_acl_id = aws_vpc.this[0].default_network_acl_id
│
│ The argument "default_network_acl_id" is required, but no definition was found.

Steps to Reproduce

create a vpc using terraform module terraform-aws-modules/vpc/aws with manage_default_network_acl = true and during next apply you will endup with below error

 Error: Missing required argument
│
│   with module.vpc.module.vpc.aws_default_network_acl.this[0],
│   on .terraform/modules/vpc.vpc/main.tf line 1262, in resource "aws_default_network_acl" "this":
│ 1262:   default_network_acl_id = aws_vpc.this[0].default_network_acl_id
│
│ The argument "default_network_acl_id" is required, but no definition was found.

Terraform Configuration Files

# Create VPC using Terraform Module
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.5.2"
  # Details
  name                               = "${var.name}-${local.name}"
  cidr                               = var.cidr
  azs                                = var.azs
  public_subnets                     = var.public_subnets
  private_subnets                    = var.private_subnets
  database_subnets                   = var.database_subnets
  create_database_subnet_group       = var.create_database_subnet_group
  create_database_subnet_route_table = var.create_database_subnet_route_table
  # create_database_internet_gateway_route = true
  # create_database_nat_gateway_route = true

  # NAT Gateways - Outbound Communication
  enable_nat_gateway = var.enable_nat_gateway
  single_nat_gateway = var.single_nat_gateway
  # DNS Parameters in VPC
  enable_dns_hostnames = true
  enable_dns_support   = true
  manage_default_network_acl = true

  # Additional tags for the VPC
  tags     = local.tags
  vpc_tags = local.tags

  # Instances launched into the Public subnet should be assigned a public IP address. Specify true to indicate that instances launched into the subnet should be assigned a public IP address
  map_public_ip_on_launch = true
}

resource "aws_subnet" "private_subnet" {
  for_each          = { for idx, subnet in var.private_subnets : idx => subnet }
  depends_on        = [module.vpc]
  vpc_id            = module.vpc.vpc_id
  cidr_block        = each.value
  availability_zone = var.azs[each.key]

  tags = {
    Name                                            = "${var.name}-${var.private_subnet_suffix}-${var.azs[each.key]}"
    Environment                                     = var.environment
    "kubernetes.io/cluster/module.eks.cluster_name" = "shared"
    "kubernetes.io/role/internal-elb"               = "1"
  }
}

resource "aws_subnet" "public_subnet" {
  for_each          = { for idx, subnet in var.public_subnets : idx => subnet }
  depends_on        = [module.vpc]
  vpc_id            = module.vpc.vpc_id
  cidr_block        = each.value
  availability_zone = var.azs[each.key]

  tags = {
    Name                                            = "${var.name}-${var.public_subnet_suffix}-${var.azs[each.key]}"
    Environment                                     = var.environment
    "kubernetes.io/cluster/module.eks.cluster_name" = "shared"
    "kubernetes.io/role/elb"                        = "1"
  }
}

resource "aws_subnet" "db_subnet" {
  for_each          = { for idx, subnet in var.database_subnets : idx => subnet }
  depends_on        = [module.vpc]
  vpc_id            = module.vpc.vpc_id
  cidr_block        = each.value
  availability_zone = var.azs[each.key]

  tags = {
    Name                                            = "${var.name}-${var.db_subnet_suffix}-${var.azs[each.key]}"
    Environment                                     = var.environment
    "kubernetes.io/cluster/module.eks.cluster_name" = "shared"
    "kubernetes.io/role/internal-elb"               = "1"
  }
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[gmanera]

Same problem here.

│ Error: Missing required argument
│
│   with module.network.module.vpc.aws_default_network_acl.this[0],
│   on .terraform\modules\network.vpc\main.tf line 1262, in resource "aws_default_network_acl" "this":
│ 1262:   default_network_acl_id = aws_vpc.this[0].default_network_acl_id
│
│ The argument "default_network_acl_id" is required, but no definition was found.

[MihalisW]

Same problem here, this has actually become a blocker for me.

[renepardon]

Still a problem in version 5.8.1

[lacg]

Well, same issue here. Interestingly, it works locally, but when I'm using the same code on an AWS CodeBuild pipeline, it raises the same error. Any workaround?

[sbeaulie]

I get the error during the apply, and subsequent runs during the plan stage as well, effectively blocking our pipeline.

[craigjbutler]

I observed the same issue and tested with 5.8.1 also and was able to reproduce, eg. Error: Missing required argument with module.vpc-standard.aws_default_network_acl.this[0], on .terraform/modules/vpc-standard/main.tf line 1280, in resource "aws_default_network_acl" "this": 1280: default_network_acl_id = aws_vpc.this[0].default_network_acl_id The argument "default_network_acl_id" is required, but no definition was found.

I traced this back to missing permission(s) in the IAM role, in my case the permissions were: ec2:CreateNetworkAclEntry ec2:DescribeNetworkAcls ec2:DeleteNetworkAclEntry

Once I added the permissions to the role the issue was no longer evident. @lacg This would also explain your issue as you will likely find your pipeline is using a different role to running it locally.

Hope that helps.

[lacg]

Thank you, I’ll try!

[roberto-ungarelli]

It works here now! Thank you @craigjbutler !