fix: Resource aws_default_network_acl orphaned subnet_ids (terraform-…

…aws-modules#530)

examples/network-acls/main.tf

@@ -28,9 +28,11 @@ module "vpc" {
     local.network_acls["elasticache_outbound"],
   )
 
-  private_dedicated_network_acl     = true
+  private_dedicated_network_acl     = false
   elasticache_dedicated_network_acl = true
 
+  manage_default_network_acl = true
+
   enable_ipv6 = true
 
   enable_nat_gateway = false
@@ -200,4 +202,3 @@ locals {
     ]
   }
 }
-

main.tf

@@ -534,6 +534,27 @@ resource "aws_default_network_acl" "this" {
 
   default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0)
 
+  # The value of subnet_ids should be any subnet IDs that are not set as subnet_ids
+  #   for any of the non-default network ACLs
+  subnet_ids = setsubtract(
+    compact(flatten([
+      aws_subnet.public.*.id,
+      aws_subnet.private.*.id,
+      aws_subnet.intra.*.id,
+      aws_subnet.database.*.id,
+      aws_subnet.redshift.*.id,
+      aws_subnet.elasticache.*.id,
+    ])),
+    compact(flatten([
+      aws_network_acl.public.*.subnet_ids,
+      aws_network_acl.private.*.subnet_ids,
+      aws_network_acl.intra.*.subnet_ids,
+      aws_network_acl.database.*.subnet_ids,
+      aws_network_acl.redshift.*.subnet_ids,
+      aws_network_acl.elasticache.*.subnet_ids,
+    ]))
+  )
+
   dynamic "ingress" {
     for_each = var.default_network_acl_ingress
     content {