fix(nat): ensure NAT gateways are created in correct availability zones (#1257)

Author: Manoj-Kumar-Selvaraj

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased]
+
+### Bug Fixes
+
+* fix: Ensure NAT gateways are created in the correct availability zones ([#1257](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1257))
+
 ## [6.5.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v6.4.1...v6.5.0) (2025-10-21)
 
 ### Features

main.tf

@@ -1199,9 +1199,33 @@ resource "aws_route" "private_ipv6_egress" {
 # NAT Gateway
 ################################################################################
 
+data "aws_availability_zones" "available" {
+  count = length(var.azs) == 0 ? 1 : 0
+
+  state = "available"
+}
+
 locals {
-  nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
-  nat_gateway_ips   = var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat[*].id
+  # Use provided AZs or fetch from data source, then sort for consistency
+  sorted_azs = sort(length(var.azs) > 0 ? var.azs : data.aws_availability_zones.available[0].names)
+
+  # Build mapping AZ -> first public subnet ID found for that AZ
+  az_to_public_subnet = {
+    for az in local.sorted_azs : az => try(
+      # Sort subnets within each AZ for consistent selection
+      sort([for s in aws_subnet.public : s.id if s.availability_zone == az])[0],
+      aws_subnet.public[0].id
+    )
+  }
+
+  nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(local.sorted_azs) : local.max_subnet_length
+  nat_gateway_ips   = var.reuse_nat_ips ? sort(var.external_nat_ip_ids) : aws_eip.nat[*].id
+
+  # Determine NAT gateway subnet IDs to use
+  nat_gateway_subnet_ids = length(var.nat_gateway_subnet_ids) > 0 ? sort(var.nat_gateway_subnet_ids) : [
+    for i, az in local.sorted_azs : local.az_to_public_subnet[az]
+    if i < local.nat_gateway_count
+  ]
 }
 
 resource "aws_eip" "nat" {
@@ -1235,8 +1259,8 @@ resource "aws_nat_gateway" "this" {
     var.single_nat_gateway ? 0 : count.index,
   )
   subnet_id = element(
-    aws_subnet.public[*].id,
-    var.single_nat_gateway ? 0 : count.index,
+    local.nat_gateway_subnet_ids,
+    var.single_nat_gateway ? 0 : count.index
   )
 
   tags = merge(

variables.tf

@@ -1210,6 +1210,17 @@ variable "igw_tags" {
 # NAT Gateway
 ################################################################################
 
+variable "nat_gateway_subnet_ids" {
+  description = "List of subnet IDs to use for NAT Gateways. If provided, these subnet IDs will be used (in order). If empty, the module will automatically select the public subnet that matches each Availability Zone (AZ)."
+  type        = list(string)
+  default     = []
+
+  validation {
+    condition     = alltrue([for id in var.nat_gateway_subnet_ids : can(regex("^subnet-", id)) || id == ""])
+    error_message = "NAT Gateway subnet IDs must be valid subnet IDs starting with 'subnet-' or be empty strings."
+  }
+}
+
 variable "enable_nat_gateway" {
   description = "Should be true if you want to provision NAT Gateways for each of your private networks"
   type        = bool
@@ -1234,6 +1245,20 @@ variable "one_nat_gateway_per_az" {
   default     = false
 }
 
+variable "nat_gateway_subnet_ids" {
+  description = <<EOT
+Optional list of subnet IDs to use for NAT Gateways. If provided, these
+subnet IDs will be used (in order). If empty, the module will automatically
+select the public subnet that matches each Availability Zone (AZ).
+EOT
+  validation {
+    condition = alltrue([for id in var.nat_gateway_subnet_ids : id != ""])
+    error_message = "nat_gateway_subnet_ids must not contain empty strings."
+  }
+  type    = list(string)
+  default = []
+}
+
 variable "reuse_nat_ips" {
   description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
   type        = bool