Reputation: 607
The issue I am having is a strange one. We have developed a VPC module that is used to provision the initial VPC infrastructure across all 30+ AWS accounts this organization has. We use this module to provision cookie-cutter VPC deployments. Then we can go in and customize each account with whatever infrastructure each application team needs for that environment.
Each VPC has components that talk to on-prem resources, a Cisco CSR spoke and hub for Direct Connects, and a standard set of NACLs.
What I am trying to do is add some additional aws_network_acl_rule resources to the NACLs set up within the VPC module. I am outputting the NACL ID from the module, and I define the resource block like so:
resource "aws_network_acl_rule" "myapp-1" {
  network_acl_id = "${module.vpc.vpc_prv_app_nacl}"
  rule_number    = 300
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "${var.on_prem_cidr}"
  from_port      = 0
  to_port        = 0
}
What happens when I apply the configuration has me stumped. I get this error:
aws_network_acl_rule.myapp-1: aws_network_acl_rule.myapp-1: Expected the Network ACL to have Entries, got: {
Associations: [JSON Object]
There are existing entries in each module-created NACL along with the proper subnet associations. I'm not sure what to do with that error message.
Upvotes: 1
Views: 1052
Reputation: 607
The problem and solution were fairly straightforward. When creating an aws_network_acl resource, if you specify the NACL rules inline, they cannot be expanded upon outside the initial aws_network_acl resource block. The solution was to remove the inline rules and place them into separate aws_network_acl_rule resource blocks. This allowed us to expand on the module's aws_network_acl easily.
Upvotes: 0
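The layout the answer describes, as an added example that is not the module from the question or the answer's own code. It is written in the Terraform 0.11 interpolation style the question uses, and the resource names (aws_vpc.main, aws_subnet.prv_app, the module source path, the 100/300 rule numbers) are assumptions for illustration. The point is that the module's aws_network_acl carries no inline ingress/egress blocks, the module's own baseline rules are separate aws_network_acl_rule resources, and the root configuration can then attach further rules to the exported NACL ID without the conflict that produced the "Expected the Network ACL to have Entries" error:

```hcl
# ---- modules/vpc/nacl.tf (assumed file layout; example, not the original module) ----

resource "aws_network_acl" "prv_app" {
  vpc_id     = "${aws_vpc.main.id}"
  subnet_ids = ["${aws_subnet.prv_app.*.id}"]

  # Deliberately no inline "ingress {}" / "egress {}" blocks. With the rule set
  # left out of this resource, the provider does not try to reconcile the
  # NACL's entries here, so standalone aws_network_acl_rule resources (both the
  # module's own below and any added by the root configuration) own them instead.

  tags = {
    Name = "prv-app-nacl"
  }
}

# Baseline rules owned by the module: one aws_network_acl_rule per entry.
# Module-owned rules use numbers in the 100 range (assumed convention) so that
# account-specific rules can use 300+ without colliding.
resource "aws_network_acl_rule" "prv_app_in_vpc" {
  network_acl_id = "${aws_network_acl.prv_app.id}"
  rule_number    = 100
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "${aws_vpc.main.cidr_block}"
  from_port      = 0
  to_port        = 0
}

# NACLs are stateless: return traffic for the inbound allow above, and for any
# inbound rule the root configuration adds, still needs an egress allow.
resource "aws_network_acl_rule" "prv_app_out_all" {
  network_acl_id = "${aws_network_acl.prv_app.id}"
  rule_number    = 100
  egress         = true
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

# Export the NACL ID so the calling configuration can attach its own rules.
output "vpc_prv_app_nacl" {
  value = "${aws_network_acl.prv_app.id}"
}

# ---- root configuration for one account (assumed) ----

module "vpc" {
  source = "./modules/vpc"
}

variable "on_prem_cidr" {
  description = "On-prem address range reached over the Direct Connect (assumed value)"
  default     = "10.200.0.0/16"
}

# The rule from the question now attaches cleanly, because nothing else claims
# ownership of this NACL's entries.
resource "aws_network_acl_rule" "myapp-1" {
  network_acl_id = "${module.vpc.vpc_prv_app_nacl}"
  rule_number    = 300
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "${var.on_prem_cidr}"
  from_port      = 0
  to_port        = 0
}
```

Two checks worth doing when adopting this split. First, AWS rejects a second entry with the same rule number in the same direction, so agree on a numbering scheme between the module and its callers (here 100-199 for the module, 300+ for accounts) rather than letting each team pick freely. Second, a protocol "-1" allow from the whole on-prem range is a broad hole in an otherwise stateless filter; if the application only needs a few ports, narrow the protocol and from_port/to_port on the account-level rule, and remember that the matching egress rule (ephemeral ports back to the on-prem CIDR) is what makes the return traffic work, not the security group.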