Maya Ray

Reputation: 541

Terraform not destroying resource after condition is false

I am creating VPC endpoints using Terraform. My condition is: if we provide subnet IDs in the .tfvars file, it creates the endpoints; otherwise it won't. The code works when the endpoints are being created.

Issue: once the endpoint is created, if I remove the subnet IDs from the .tfvars file, it only removes the subnets from the endpoints. Expectation: it should destroy the endpoint.

Below is my code: resource.tf

resource "aws_vpc_endpoint" "CloudFormation" {
  # intended: create the endpoint only when subnet IDs were supplied
  count = var.cf_subnet_ids != [] ? 1 : 0

  vpc_id              = var.vpc_id
  service_name        = data.aws_vpc_endpoint_service.cloudformation.service_name
  vpc_endpoint_type   = "Interface"
  security_group_ids  = var.security_group_ids
  subnet_ids          = var.cf_subnet_ids
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "Monitoring" {
  # intended: create the endpoint only when subnet IDs were supplied
  count = var.mntr_subnet_ids != [] ? 1 : 0

  vpc_id              = var.vpc_id
  service_name        = data.aws_vpc_endpoint_service.monitoring.service_name
  vpc_endpoint_type   = "Interface"
  security_group_ids  = var.security_group_ids
  subnet_ids          = var.mntr_subnet_ids
  private_dns_enabled = true
}

module.tf

module "VPC1" {
  source = "./endpoints"
  count  = var.vpc_endpoints[0].vpc_id != "" ? 1 : 0

  vpc_id          = var.vpc_endpoints[0].vpc_id
  cf_subnet_ids   = var.vpc_endpoints[0].endpointCloudFormationPerVPC
  mntr_subnet_ids = var.vpc_endpoints[0].endpointMonitoringPerVPC
}

module "VPC2" {
  source = "./endpoints"
  count  = var.vpc_endpoints[1].vpc_id != "" ? 1 : 0

  vpc_id          = var.vpc_endpoints[1].vpc_id
  cf_subnet_ids   = var.vpc_endpoints[1].endpointCloudFormationPerVPC
  mntr_subnet_ids = var.vpc_endpoints[1].endpointMonitoringPerVPC
}

env.tfvars

vpc_endpoints = [
  {
    vpc_id                       = "vpc-0a7c8cb62ae12ecb0"
    vpc_cidr                     = ["10.150.2.0/23"]
    endpointCloudFormationPerVPC = ["subnet-0367288ea9b4a0656", "subnet-0779a62471a3ee5b6"]
    endpointMonitoringPerVPC     = []
  },
  {
    vpc_id                       = "vpc-0b085d19c3c35617f"
    vpc_cidr                     = ["10.150.0.0/23"]
    endpointCloudFormationPerVPC = ["subnet-0367288ea9b4a0656", "subnet-0779a62471a3ee5b6"]
    endpointMonitoringPerVPC     = ["subnet-0fd8da6ec6672c759"]
  }
]

Please help.

It creates 3 endpoints (2 CF and 1 monitoring) with the above script. If I modify the .tfvars to the below, it should delete the monitoring endpoint. Instead, it removes the subnet from the endpoint, i.e. it modifies the endpoint instead of destroying it.

vpc_endpoints = [
  {
    vpc_id                       = "vpc-0a7c8cb62ae12ecb0"
    vpc_cidr                     = ["10.150.2.0/23"]
    endpointCloudFormationPerVPC = ["subnet-0367288ea9b4a0656"]
    endpointMonitoringPerVPC     = []
  },
  {
    vpc_id                       = "vpc-0b085d19c3c35617f"
    vpc_cidr                     = ["10.150.0.0/23"]
    endpointCloudFormationPerVPC = ["subnet-0367288ea9b4a0656"]
    endpointMonitoringPerVPC     = []
  }
]
Upvotes: 1

Views: 408

Answers (1)

Matthew Schuchard

Reputation: 28749

Currently in your declared module arguments, you are assigning the following value for cf_subnet_ids:

var.vpc_endpoints[0].endpointCloudFormationPerVPC

Given your vpc_endpoints variable as posted in the question, this argument value will be null after the list(object) is coalesced. Therefore, when we resolve this value in your config for the resource, it will be:

resource "aws_vpc_endpoint" "CloudFormation" {
  count = null != [] ? 1 : 0
  ...
}

Since null does not equal the empty list constructor [], this will resolve to the first returned value in the ternary, 1. This means the resource will still be managed with a count of 1, and your resource will not be deleted.

The easiest and best-practice way to begin fixing your config and resolve this unintended behavior would be to convert the <= 0.11 meta-argument count into the >= 0.12 meta-argument for_each: documentation.

Upvotes: 1
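As an added illustration (not code from the question or the answer above), here is the module's endpoint definition rewritten so that "were any subnet IDs supplied?" is tested with `length()` rather than by comparing the variable to `[]`. In Terraform 0.12 and later, `==`/`!=` treat two operands as equal only when they have both the same type and the same value; the literal `[]` is an empty tuple, while a variable declared `list(string)` holds a list, so `var.cf_subnet_ids != []` stays true even when the list is empty and the `count` never drops to 0. The block keeps the question's variable and data-source names; the `variable` declarations with `list(string)` types and empty-list defaults, the `service` short names passed to the data sources, and the `moved` blocks are assumptions on my part. It also shows the `for_each` shape the answer recommends, keyed by service so an empty subnet list removes the key and therefore the endpoint.

```hcl
# endpoints/variables.tf (assumed declarations, matching the question's argument names)
variable "vpc_id" {
  type = string
}

variable "security_group_ids" {
  type = list(string)
}

variable "cf_subnet_ids" {
  type    = list(string)
  default = [] # typed list, so `var.cf_subnet_ids != []` would always be true
}

variable "mntr_subnet_ids" {
  type    = list(string)
  default = []
}

# endpoints/resource.tf
data "aws_vpc_endpoint_service" "cloudformation" {
  service = "cloudformation" # assumed PrivateLink short name
}

data "aws_vpc_endpoint_service" "monitoring" {
  service = "monitoring" # assumed PrivateLink short name (CloudWatch)
}

locals {
  # Keep only services that were actually given subnets. An empty list drops
  # the key, so the matching endpoint is planned for destruction, not update.
  endpoint_subnets = {
    for name, subnets in {
      cloudformation = var.cf_subnet_ids
      monitoring     = var.mntr_subnet_ids
    } : name => subnets if length(subnets) > 0
  }

  service_names = {
    cloudformation = data.aws_vpc_endpoint_service.cloudformation.service_name
    monitoring     = data.aws_vpc_endpoint_service.monitoring.service_name
  }
}

resource "aws_vpc_endpoint" "this" {
  for_each = local.endpoint_subnets

  vpc_id              = var.vpc_id
  service_name        = local.service_names[each.key]
  vpc_endpoint_type   = "Interface"
  security_group_ids  = var.security_group_ids
  subnet_ids          = each.value
  private_dns_enabled = true
}

# Minimal fix if you would rather keep the original two `count` resources:
#   count = length(var.cf_subnet_ids) > 0 ? 1 : 0
#
# Switching from count to for_each changes the resource addresses. Without
# these (assumed) moved blocks, Terraform 1.1+ would destroy and recreate the
# existing endpoints instead of adopting them under the new keys.
moved {
  from = aws_vpc_endpoint.CloudFormation[0]
  to   = aws_vpc_endpoint.this["cloudformation"]
}

moved {
  from = aws_vpc_endpoint.Monitoring[0]
  to   = aws_vpc_endpoint.this["monitoring"]
}
```

Verify the fix with the second tfvars from the question: `terraform plan -var-file=env.tfvars` should list `module.VPC2[0].aws_vpc_endpoint.this["monitoring"]` as "will be destroyed", not "will be updated in-place". A stale interface endpoint that survives with its security groups and private DNS record attached is exactly the kind of drift this check is meant to surface before apply.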
