Running only master in public subnet

[rohit-zabbed]

Trying to customise the setup , to separate master and workers in different subnets(public & private),
need workers to communicate using nat gateway, with below tf script

provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_eip" "nat" {
  count = 1
  vpc = true
}

resource "aws_default_security_group" "default" {
  vpc_id = "${module.vpc.vpc_id}"

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = [
      "0.0.0.0/0"]
  }
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  name = "${var.tectonic_cluster_name}"
  cidr = "${var.vpc_cidr}"
  azs = [
    "us-west-1a"]
  public_subnets = [
    "10.10.11.0/24"]
  private_subnets = [
    "10.10.1.0/24"]
  database_subnets = [
    "10.10.21.0/24"]
  elasticache_subnets = [
    "10.10.31.0/24"]
  enable_nat_gateway = true
  single_nat_gateway = true
  reuse_nat_ips = true
  external_nat_ip_ids = [
    "${aws_eip.nat.*.id}"]
  enable_vpn_gateway = false
  create_database_subnet_group = true

  tags = "${var.tags}"

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.tectonic_cluster_name}" = "shared"
    Owner = "rohit"
    Environment = "${var.tectonic_cluster_name}"
    Name = "${var.tectonic_cluster_name}"
  }

  database_subnet_tags = {
    Owner = "rohit"
    Environment = "${var.tectonic_cluster_name}"
    Name = "${var.tectonic_cluster_name}"
  }

  elasticache_subnet_tags = {
    Owner = "rohit"
    Environment = "${var.tectonic_cluster_name}"
    Name = "${var.tectonic_cluster_name}"
  }
}

module "kubernetes" {
  source = "coreos/kubernetes/aws"
  tectonic_aws_assets_s3_bucket_name = "tectonic-cf"

  tectonic_aws_region = "${var.aws_region}"
  tectonic_aws_ssh_key = "itops"
  tectonic_aws_vpc_cidr_block = "${var.vpc_cidr}"
  tectonic_aws_public_endpoints = true
  tectonic_base_domain = "${var.tectonic_base_domain}"
  tectonic_cluster_name = "${var.tectonic_cluster_name}"
  tectonic_container_linux_version = "latest"
  tectonic_license_path = "/Users/rverma/dev/tectonic/tectonic-license.txt"
  tectonic_pull_secret_path = "/Users/rverma/dev/tectonic/config.json"
  tectonic_networking = "flannel"
  tectonic_tls_validity_period = "26280"
  tectonic_vanilla_k8s = false
  tectonic_admin_email = "${var.tectonic_admin_email}"
  tectonic_admin_password = "${var.tectonic_admin_password}"

  tectonic_aws_external_vpc_id = "${module.vpc.vpc_id}"
  tectonic_aws_external_private_zone = "***"
  // tectonic_ca_cert = ""
  // tectonic_ca_key = ""
  // tectonic_ca_key_alg = "RSA"

  tectonic_etcd_count = "0"
  tectonic_aws_etcd_ec2_type = "${var.master_instance_type}"
  tectonic_aws_etcd_root_volume_iops = "100"
  tectonic_aws_etcd_root_volume_size = "30"
  tectonic_aws_etcd_root_volume_type = "gp2"

  tectonic_master_count = "1"
  tectonic_aws_master_ec2_type = "${var.master_instance_type}"
  tectonic_aws_external_master_subnet_ids = "${module.vpc.public_subnets}"
  tectonic_aws_master_root_volume_iops = "100"
  tectonic_aws_master_root_volume_size = "30"
  tectonic_aws_master_root_volume_type = "gp2"

  tectonic_worker_count = "${var.min_worker_count}"
  tectonic_aws_external_worker_subnet_ids = "${module.vpc.private_subnets}"
  tectonic_aws_worker_ec2_type = "${var.worker_instance_type}"
  tectonic_aws_worker_root_volume_iops = "100"
  tectonic_aws_worker_root_volume_size = "30"
  tectonic_aws_worker_root_volume_type = "gp2"
}

Getting warnings as

Warning: output "etcd_sg_id": must use splat syntax to access aws_security_group.etcd attribute "id", because it has "count" set; use aws_security_group.etcd.*.id to obtain a list of the attributes across all instances
Warning: output "aws_api_external_dns_name": must use splat syntax to access aws_elb.api_external attribute "dns_name", because it has "count" set; use aws_elb.api_external.*.dns_name to obtain a list of the attributes across all instances
Warning: output "aws_elb_api_external_zone_id": must use splat syntax to access aws_elb.api_external attribute "zone_id", because it has "count" set; use aws_elb.api_external.*.zone_id to obtain a list of the attributes across all instances
Warning: output "aws_api_internal_dns_name": must use splat syntax to access aws_elb.api_internal attribute "dns_name", because it has "count" set; use aws_elb.api_internal.*.dns_name to obtain a list of the attributes across all instances
Warning: output "aws_elb_api_internal_zone_id": must use splat syntax to access aws_elb.api_internal attribute "zone_id", because it has "count" set; use aws_elb.api_internal.*.zone_id to obtain a list of the attributes across all instances

And Exceptions as

module.kubernetes.module.vpc.data.aws_subnet.external_worker: data.aws_subnet.external_worker: value of 'count' cannot be computed
module.kubernetes.module.vpc.data.aws_subnet.external_master: data.aws_subnet.external_master: value of 'count' cannot be computed

[squat]

@rohit-zabbed in Tectonic masters and workers are already separated into public and private subnets, respectively. What exactly do you hope to accomplish?

[rohit-zabbed]

@squat I check that, its correct, but I still want to create another private subnet as part of definition.
Wondering what's wrong with above script, ideally I should be able to setup kubernetes in an existing vpc.