Fix test failures: validation enforcement and subnet count

**Fixes:**

1. **TestValidationMutualExclusivity** - Replace non-blocking `check` block with `null_resource` precondition
   - Terraform `check` blocks only produce warnings, they don't fail the plan
   - Added `null_resource` with lifecycle precondition to properly fail when both NAT placement methods are specified
   - Added null provider (>= 3.0) to required_providers
   - Test now correctly expects plan failure when `nat_gateway_public_subnet_indices` AND `nat_gateway_public_subnet_names` are both set

2. **TestNATPlacementByName** - Add explicit subnet counts to test fixture
   - Test expected 4 public subnets (2 per AZ × 2 AZs) but only got 2
   - Root cause: Missing `public_subnets_per_az_count` and `private_subnets_per_az_count` in test config
   - The dynamic-subnets module requires both count AND names when using named subnets
   - Added `public_subnets_per_az_count: 2` and `private_subnets_per_az_count: 2` to match the passing nat-by-index test pattern

**Files Changed:**
- src/main.tf: Removed `check` block, added `null_resource` with precondition and depends_on
- src/versions.tf: Added null provider requirement
- test/fixtures/stacks/catalog/usecase/nat-by-name.yaml: Added explicit subnet counts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: aknysh

src/main.tf

@@ -96,14 +96,6 @@ module "vpc" {
   context = module.this.context
 }
 
-# Validate NAT Gateway placement variable mutual exclusivity at plan time
-check "nat_placement_mutual_exclusivity" {
-  assert {
-    condition     = !local.nat_placement_conflict
-    error_message = "Cannot specify both nat_gateway_public_subnet_indices and nat_gateway_public_subnet_names. Choose one NAT placement method or leave both null for default behavior (NAT in all public subnets)."
-  }
-}
-
 # We could create a security group per endpoint,
 # but until we are ready to customize them by service, it is just a waste
 # of resources. We use a single security group for all endpoints.
@@ -151,10 +143,26 @@ module "vpc_endpoints" {
   context = module.this.context
 }
 
+# Validation resource to check NAT Gateway placement variable mutual exclusivity
+# This must run before the subnets module to catch configuration errors at plan time
+resource "null_resource" "nat_placement_validation" {
+  count = local.enabled ? 1 : 0
+
+  lifecycle {
+    precondition {
+      condition     = !local.nat_placement_conflict
+      error_message = "Cannot specify both nat_gateway_public_subnet_indices and nat_gateway_public_subnet_names. Choose one NAT placement method or leave both null for default behavior (NAT in all public subnets)."
+    }
+  }
+}
+
 module "subnets" {
   source  = "cloudposse/dynamic-subnets/aws"
   version = "3.0.1"
 
+  # Ensure validation runs before subnets module
+  depends_on = [null_resource.nat_placement_validation]
+
   availability_zones              = local.availability_zones
   availability_zone_ids           = local.availability_zone_ids
   ipv4_cidr_block                 = [module.vpc.vpc_cidr_block]

src/versions.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.0.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0"
+    }
   }
 }

test/fixtures/stacks/catalog/usecase/nat-by-name.yaml

@@ -9,7 +9,9 @@ components:
           - "b"
           - "c"
         # Test named subnet configuration
+        public_subnets_per_az_count: 2
         public_subnets_per_az_names: ["nat", "web"]
+        private_subnets_per_az_count: 2
         private_subnets_per_az_names: ["app", "database"]
         # Test NAT Gateway placement by name - only in "nat" named subnets
         nat_gateway_public_subnet_names: ["nat"]