[Bug]: Data Source: aws_nat_gateway returning null values for some NAT gateways on eu-west-2 #30865

Closed
anirban0105 opened this issue Apr 21, 2023 · 5 comments · Fixed by #31118
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.


@anirban0105

Terraform Core Version

1.4.5

AWS Provider Version

4.63.0, 4.64.0

Affected Resource(s)

data "aws_nat_gateway"

Expected Behavior

Changes to Outputs:
   ngw = {
       allocation_id        = "eipalloc-xxxxxxxxxxxxxxx"
       connectivity_type    = "public"
       filter               = null
       id                   = "nat-xxxxxxxxxxxxxxx"
       network_interface_id = "eni-xxxxxxxxxxxxxxx"
       private_ip           = "10.X.X.X"
       public_ip            = "18.X.X.X"
       state                = "available"
       subnet_id            = "subnet-xxxxxxxxxxxxxxx"
       tags                 = {
           Environment = "eu-west-2"
           Name        = "eu-west-2-blah"
           Owner       = "PAAS"
        }
       timeouts             = null
       vpc_id               = "vpc-xxxxxxxxxxxxxxx"
    }

Actual Behavior

Changes to Outputs:
   ngw = {
       allocation_id        = null
       association_id       = null
       connectivity_type    = "public"
       filter               = null
       id                   = "nat-xxxxxxxxxxxxxxx"
       network_interface_id = null
       private_ip           = null
       public_ip            = null
       state                = "available"
       subnet_id            = "subnet-xxxxxxxxxxxxxxx"
       tags                 = {
           Environment = "eu-west-2"
           Name        = "eu-west-2-blah"
           Owner       = "PAAS"
        }
       timeouts             = null
       vpc_id               = "vpc-xxxxxxxxxxxxxxxxxx"
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

N/A

Steps to Reproduce

terraform {
  required_version = "1.4.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.64.0"
    }
  }
}

provider "aws" {
  region     = "eu-west-2"
}

data "aws_nat_gateway" "ngw" {
  id = "nat-xxxxxxxxxxxxxxx"
}

output "ngw" {
  value = data.aws_nat_gateway.ngw
}

Debug Output

No response

Panic Output

No response

Important Factoids

This is only happening in AWS region eu-west-2. AWS provider 4.62.0 is working fine.

References

No response

Would you like to implement a fix?

None

@anirban0105 anirban0105 added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 21, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/vpc Issues and PRs that pertain to the vpc service. label Apr 21, 2023
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Apr 21, 2023
@ewbankkit
Contributor

Relates #30546?

@roberth-k
Contributor

Hi @anirban0105 -- could you confirm whether:

  • Is it all NAT Gateways or only a particular set of them that consistently produce the null outputs?
  • Is it consistently the same set of NAT Gateways, or is it different NAT Gateways on every run?
  • Does the null output persist consistently between runs?

If possible, please also provide the output from aws ec2 describe-nat-gateways --nat-gateway-ids {id-of-affected-nat-gateway}. This will help us determine whether the unintended behaviour could be AWS-side or provider-side.

Thank you!
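An added example (not part of the original thread or the provider's code) of the comparison requested above: it takes the JSON from `aws ec2 describe-nat-gateways` and from `terraform output -json` and, for each address attribute Terraform reports as null, says whether the API response carries a value (provider-side) or not (AWS-side). The output name `ngw` follows the reporter's configuration; the sample IDs and IPs are constructed placeholders.

```python
import json

# Terraform data source attribute -> key inside NatGatewayAddresses[] of the
# `aws ec2 describe-nat-gateways` JSON response.
ADDRESS_ATTRS = {
    "allocation_id": "AllocationId",
    "association_id": "AssociationId",
    "network_interface_id": "NetworkInterfaceId",
    "private_ip": "PrivateIp",
    "public_ip": "PublicIp",
}

def classify_nulls(describe_json, tf_output_json, output_name="ngw"):
    """Return {attribute: verdict} for each address attribute Terraform shows as null."""
    gateways = json.loads(describe_json)["NatGateways"]
    tf = json.loads(tf_output_json)[output_name]["value"]
    gw = next((g for g in gateways if g["NatGatewayId"] == tf["id"]), None)
    if gw is None:
        raise ValueError(f"{tf['id']} not present in describe-nat-gateways output")
    addresses = gw.get("NatGatewayAddresses", [])
    verdicts = {}
    for tf_attr, api_key in ADDRESS_ATTRS.items():
        if tf.get(tf_attr) is not None:
            continue  # Terraform has a value, nothing to explain
        api_values = [a[api_key] for a in addresses if a.get(api_key)]
        verdicts[tf_attr] = "provider-side" if api_values else "aws-side"
    return verdicts

# Constructed sample inputs (placeholder IDs, documentation IP ranges).
SAMPLE_DESCRIBE = json.dumps({"NatGateways": [{
    "NatGatewayId": "nat-0example",
    "State": "available",
    "NatGatewayAddresses": [{
        "AllocationId": "eipalloc-0example",
        "NetworkInterfaceId": "eni-0example",
        "PrivateIp": "10.0.0.10",
        "PublicIp": "203.0.113.10",
    }],
}]})
SAMPLE_TF_OUTPUT = json.dumps({"ngw": {"sensitive": False, "value": {
    "id": "nat-0example", "state": "available",
    "allocation_id": None, "association_id": None,
    "network_interface_id": None, "private_ip": None, "public_ip": None,
}}})

if __name__ == "__main__":
    for attr, verdict in classify_nulls(SAMPLE_DESCRIBE, SAMPLE_TF_OUTPUT).items():
        print(f"{attr}: {verdict}")
```
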

@roberth-k
Contributor

roberth-k commented Apr 22, 2023

@anirban0105 I have attempted, unsuccessfully, to reproduce this issue by comparing the output of provider version 4.62.0 and 4.63.0 as well as 4.64.0. Could you advise whether the following sequence is similar to the one that results in the null outputs in your case?

  • Manually created a Public NAT Gateway with a single Elastic IP in a public subnet.

  • My Terraform version is:

$ terraform -version
Terraform v1.4.5
on darwin_arm64

  • Applied the following Terraform configuration using version 4.62.0 of the AWS Provider:

terraform {
  required_version = "1.4.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.62.0"
    }
  }
}

provider "aws" {
  region = "eu-west-2"
}

data "aws_nat_gateway" "ngw" {
  id = "nat-03b72bb1e68264dad"
}

output "ngw" {
  value = data.aws_nat_gateway.ngw
}

  • The output from the above Terraform configuration was:

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching "4.62.0"...
- Installing hashicorp/aws v4.62.0...
- Installed hashicorp/aws v4.62.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

$ terraform apply
data.aws_nat_gateway.main: Reading...
data.aws_nat_gateway.main: Read complete after 0s [id=nat-03b72bb1e68264dad]

Changes to Outputs:
  + ngw = {
      + allocation_id        = "eipalloc-083b78cee29b4f89e"
      + connectivity_type    = "public"
      + filter               = null
      + id                   = "nat-03b72bb1e68264dad"
      + network_interface_id = "eni-0c060ac90668b0652"
      + private_ip           = "172.31.41.129"
      + public_ip            = "18.135.69.171"
      + state                = "available"
      + subnet_id            = "subnet-0b10d518af3534052"
      + tags                 = {}
      + timeouts             = null
      + vpc_id               = "vpc-0a9b9b0397b025ef2"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

ngw = {
  "allocation_id" = "eipalloc-083b78cee29b4f89e"
  "connectivity_type" = "public"
  "filter" = toset(null) /* of object */
  "id" = "nat-03b72bb1e68264dad"
  "network_interface_id" = "eni-0c060ac90668b0652"
  "private_ip" = "172.31.41.129"
  "public_ip" = "18.135.69.171"
  "state" = "available"
  "subnet_id" = "subnet-0b10d518af3534052"
  "tags" = tomap({})
  "timeouts" = null /* object */
  "vpc_id" = "vpc-0a9b9b0397b025ef2"
}

  • I then proceeded to upgrade to version 4.63.0 of the provider in the Terraform configuration without changing anything else. I ran terraform init -upgrade followed by terraform apply, which output the following:

$ terraform init -upgrade

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching "4.63.0"...
- Installing hashicorp/aws v4.63.0...
- Installed hashicorp/aws v4.63.0 (signed by HashiCorp)

Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

$ terraform apply
data.aws_nat_gateway.main: Reading...
data.aws_nat_gateway.main: Read complete after 0s [id=nat-03b72bb1e68264dad]

Changes to Outputs:
  ~ ngw = {
      + association_id       = "eipassoc-08f3719814b4be01b"
        id                   = "nat-03b72bb1e68264dad"
        tags                 = {}
        # (10 unchanged attributes hidden)
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

ngw = {
  "allocation_id" = "eipalloc-083b78cee29b4f89e"
  "association_id" = "eipassoc-08f3719814b4be01b"
  "connectivity_type" = "public"
  "filter" = toset(null) /* of object */
  "id" = "nat-03b72bb1e68264dad"
  "network_interface_id" = "eni-0c060ac90668b0652"
  "private_ip" = "172.31.41.129"
  "public_ip" = "18.135.69.171"
  "state" = "available"
  "subnet_id" = "subnet-0b10d518af3534052"
  "tags" = tomap({})
  "timeouts" = null /* object */
  "vpc_id" = "vpc-0a9b9b0397b025ef2"
}

@github-actions

github-actions bot commented Jun 3, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 3, 2023