From 5cf50d84b6a5f94ac36cd0e73d6e998b7ac58c63 Mon Sep 17 00:00:00 2001 From: Ryan Goh <1871494+ryanoolala@users.noreply.github.com> Date: Thu, 2 Nov 2023 14:28:26 +0800 Subject: [PATCH] chore: added toggles to conditionally create nacls depending on subnet cidr variables --- README.md | 22 +++- main.tf | 9 +- nacl.tf | 286 ++++++++++++++++++++++++++++++++------------------- outputs.tf | 12 +-- variables.tf | 6 ++ 5 files changed, 218 insertions(+), 117 deletions(-) diff --git a/README.md b/README.md index 6f4e755..2b1b63e 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,7 @@ As this module was originalyl intended to create 1 vpc with 1 cidr range for man > terragrunt import 'module.vpc.aws_vpc_ipv4_cidr_block_association.this[0]' vpc-cidr-assoc-xxx > terragrunt import 'module.vpc.aws_internet_gateway.this[0]' igw-xxx + ## Requirements No requirements. @@ -218,7 +219,7 @@ No requirements. | Name | Source | Version | |------|--------|---------| -| [vpc](#module\_vpc) | github.com/GovTechSG/terraform-aws-vpc-forked | v3.7.0 | +| [vpc](#module\_vpc) | github.com/GovTechSG/terraform-aws-vpc-forked | v4.0.0 | ## Resources 
@@ -281,6 +282,7 @@ No requirements. | [aws_network_acl_rule.private_inbound_openvpn_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.private_inbound_openvpn_rule_secondary_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.private_inbound_rdp_rule_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | +| [aws_network_acl_rule.private_inbound_rdp_rule_deny_udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.private_inbound_ssh_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.private_inbound_ssh_rule_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.private_inbound_ssh_rule_secondary_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | 
@@ -305,6 +307,7 @@ No requirements. | [aws_network_acl_rule.private_outbound_ssh_rule_secondary_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.public_inbound_allow_all_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.public_inbound_rdp_rule_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | +| [aws_network_acl_rule.public_inbound_rdp_rule_deny_udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.public_inbound_ssh_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.public_inbound_ssh_rule_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.public_inbound_ssh_rule_secondary_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | 
@@ -328,8 +331,21 @@ No requirements. | [database\_subnets](#input\_database\_subnets) | cidr range of your database subnets | `list(string)` | `[]` | no | | [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `""` | no | | [default\_network\_acl\_tags](#input\_default\_network\_acl\_tags) | Additional tags for the Default Network ACL | `map(string)` | `{}` | no | +| [default\_route\_table\_name](#input\_default\_route\_table\_name) | Name to be used on the default route table | `string` | `null` | no | +| [default\_route\_table\_propagating\_vgws](#input\_default\_route\_table\_propagating\_vgws) | List of virtual gateways for propagation | `list(string)` | `[]` | no | +| [default\_route\_table\_routes](#input\_default\_route\_table\_routes) | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route | `list(map(string))` | `[]` | no | +| [default\_route\_table\_tags](#input\_default\_route\_table\_tags) | Additional tags for the default route table | `map(string)` | `{}` | no | +| [default\_security\_group\_egress](#input\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no | +| [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no | +| [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `null` | no | | [default\_security\_group\_rules](#input\_default\_security\_group\_rules) | Allowed inbound rules for default security group | `map(any)` | `{}` | no | +| [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(string)` | `{}` | no | +| 
[default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `true` | no | +| [default\_vpc\_enable\_dns\_support](#input\_default\_vpc\_enable\_dns\_support) | Should be true to enable DNS support in the Default VPC | `bool` | `true` | no | +| [default\_vpc\_name](#input\_default\_vpc\_name) | Name to be used on the Default VPC | `string` | `null` | no | +| [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no | | [eks\_cluster\_tags](#input\_eks\_cluster\_tags) | List of tags that EKS will create, but also added to VPC for persistency across terraform applies | `map(any)` | `{}` | no | +| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `true` | no | | [firewall\_dedicated\_network\_acl](#input\_firewall\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for firewall subnets | `bool` | `false` | no | | [firewall\_inbound\_acl\_rules](#input\_firewall\_inbound\_acl\_rules) | firewall subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | | [firewall\_outbound\_acl\_rules](#input\_firewall\_outbound\_acl\_rules) | Firewall subnets outbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | @@ -338,6 +354,9 @@ No requirements. | [folder](#input\_folder) | Path relative to root of terraform directory where this module is used. This is for easier locating of where the individual resource is created with aws console | `map(any)` | n/a | yes | | [intranet\_subnets](#input\_intranet\_subnets) | cidr range of your intranet subnets | `list(string)` | `[]` | no | | [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no | +| [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `true` | no | +| [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `true` | no | +| [manage\_default\_vpc](#input\_manage\_default\_vpc) | Should be true to adopt and manage Default VPC | `bool` | `false` | no | | [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no | | [number\_of\_azs](#input\_number\_of\_azs) | Determines number of availability zones to use in the region | `number` | `2` | no | | [private\_subnets](#input\_private\_subnets) | cidr range of your private subnets | `list(string)` | `[]` | no | @@ -387,3 +406,4 @@ No requirements. | [vpc\_private\_route\_table\_ids](#output\_vpc\_private\_route\_table\_ids) | List of IDs of private route tables | | [vpc\_public\_route\_table\_ids](#output\_vpc\_public\_route\_table\_ids) | The IDs of the public route tables | | [vpc\_region](#output\_vpc\_region) | The region the VPC belongs to | + diff --git a/main.tf b/main.tf index 6328506..8628f00 100644 --- a/main.tf +++ b/main.tf 
@@ -16,10 +16,10 @@ locals { # creates the elastic IPs which the NAT gateways are allocated resource "aws_eip" "nat" { - count = local.eip_count + count = var.enable_nat_gateway ? local.eip_count : 0 - vpc = true - tags = merge(var.tags, local.tags, var.folder) + domain = "vpc" + tags = merge(var.tags, local.tags, var.folder) } # virtual private cloud creator @@ -92,7 +92,7 @@ module "vpc" { } # nat stuff - enable_nat_gateway = true + enable_nat_gateway = var.enable_nat_gateway single_nat_gateway = false one_nat_gateway_per_az = true reuse_nat_ips = true @@ -136,6 +136,7 @@ module "vpc" { ####################### resource "aws_default_security_group" "default" { + count = var.manage_default_security_group ? 1 : 0 vpc_id = module.vpc.vpc_id tags = merge(var.tags, local.tags, var.folder) diff --git a/nacl.tf b/nacl.tf index ae42b2c..1f95d0d 100644 --- a/nacl.tf +++ b/nacl.tf @@ -1,6 +1,14 @@ +locals { + create_private = length(var.private_subnets) > 0 + create_public = length(var.public_subnets) > 0 + create_intranet = length(var.intranet_subnets) > 0 + create_database = length(var.database_subnets) > 0 +} # override default network acl + resource "aws_default_network_acl" "default" { + count = var.manage_default_network_acl ? 1 : 0 default_network_acl_id = tolist(data.aws_network_acls.default.ids)[0] tags = merge({ "Name" = "${var.vpc_name}-default" }, var.tags, local.tags, var.folder) 
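Review bot: Switching `enable_nat_gateway` to false on an already-deployed VPC now destroys `aws_eip.nat`, which releases those public addresses back to the AWS pool; any partner allow-list or remote firewall rule keyed on them then trusts addresses another account can later acquire, and re-enabling the flag allocates fresh ones. A comment on the count line would make that visible, e.g. `# disabling enable_nat_gateway releases these EIPs; re-enabling allocates new addresses`, and the README description of the variable could say the same. How the EIP ids are handed to the module is outside this hunk (the `reuse_nat_ips = true` context below suggests an `external_nat_ip_ids` list), so I cannot confirm from here that the module side accepts an empty list when the flag is off.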
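Review bot: Adding `count` to `aws_default_security_group.default` changes its address to `aws_default_security_group.default[0]`, so every reference elsewhere must be indexed (outputs.tf is in the diffstat but not in view) and existing state needs `moved { from = aws_default_security_group.default  to = aws_default_security_group.default[0] }` or Terraform will plan to drop and re-adopt it. When `manage_default_security_group` is false the AWS-created default group keeps its built-in entries (all traffic from members of the group, all egress) and nothing in this module restricts it; the README text `Should be true to adopt and manage default security group` should state that consequence. The resource body continues outside the hunk.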
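Review bot: Gating `aws_default_network_acl.default` on `manage_default_network_acl` changes the default behaviour, because the README lists that variable as `false`: deployments that upgrade without setting it will have the default NACL dropped from state (the provider leaves the existing entries in place but stops managing them), and any subnet that is not attached to one of the dedicated NACLs — or any subnet falling back to the default NACL while a dedicated one is being replaced — is then governed by rules this module no longer controls. Either default the variable to `true` to preserve current behaviour or call the change out in the README next to the existing import notes. References elsewhere must also become `aws_default_network_acl.default[0]`, and a one-line comment on the new `locals` block — `# keyed off input vars, not module outputs, so count is known at plan time` — would explain why the guards use `var.*_subnets` rather than `module.vpc.*_subnets`.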
@@ -19,24 +27,28 @@ data "aws_network_acls" "default" { } resource "aws_network_acl" "private" { + count = local.create_private ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets tags = merge({ "Name" = "${var.vpc_name}-private" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "public" { + count = local.create_public ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.public_subnets tags = merge({ "Name" = "${var.vpc_name}-public" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "intra" { + count = local.create_intranet ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.intra_subnets tags = merge({ "Name" = "${var.vpc_name}-intra" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "database" { + count = local.create_database ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.database_subnets tags = merge({ "Name" = "${var.vpc_name}-database" }, var.tags, local.tags, var.folder) @@ -48,7 +60,8 @@ resource "aws_network_acl" "database" { ########################### resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 105 protocol = "tcp" @@ -58,7 +71,8 @@ resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny_udp" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 106 protocol = "udp" 
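Review bot: Adding `count` to the four `aws_network_acl` resources changes their addresses to `...[0]`, and without `moved` blocks (Terraform 1.1+) Terraform plans to destroy and recreate each NACL together with every dependent `aws_network_acl_rule`; during that replacement the subnets fall back to the VPC's default NACL, which this commit also stops managing by default. One block per resource, e.g. `moved { from = aws_network_acl.private  to = aws_network_acl.private[0] }` (likewise public, intra, database), keeps state in step, and the same applies to every rule resource in the hunks below (`aws_network_acl_rule.X` → `aws_network_acl_rule.X[0]`). If the maintainers prefer a one-off migration instead, the README section that already lists `terragrunt import` commands is the place to document it.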
@@ -68,7 +82,8 @@ resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny_udp" { } resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 105 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -79,7 +94,8 @@ resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -89,7 +105,8 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -100,8 +117,8 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.public.id + count = local.create_public ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -111,8 +128,8 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.public.id + count = local.create_public ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" 
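Review bot: `count = local.create_public ? length(var.secondary_cidr_blocks) : 0` still lets the per-CIDR `rule_number = 121 + count.index` run into a fixed rule number: here 139 (`public_inbound_ssh_rule_deny`) at eighteen secondary CIDRs, and in the private and intranet hunks further down `116 + count.index` meets 120 at five, `121 + count.index` meets 125 at five, and `136 + count.index` meets 139 at four, so more than three secondary CIDRs cannot be applied. AWS rejects a duplicate rule number on one NACL, so the failure is a refused apply rather than silently mis-ordered rules, but the ceiling is undocumented; a `validation` block on `var.secondary_cidr_blocks` in variables.tf limiting its length, or a comment on each secondary-cidr resource stating the limit, would make it explicit. Not introduced by this commit, but the count lines are being rewritten anyway.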
@@ -123,7 +140,8 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 139 protocol = "tcp" @@ -133,7 +151,8 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 139 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -144,7 +163,8 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "public_inbound_allow_all_rule" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -154,7 +174,8 @@ resource "aws_network_acl_rule" "public_inbound_allow_all_rule" { } resource "aws_network_acl_rule" "public_outbound_allow_all_rule" { - network_acl_id = aws_network_acl.public.id + count = local.create_public ? 1 : 0 + network_acl_id = aws_network_acl.public[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -168,7 +189,8 @@ resource "aws_network_acl_rule" "public_outbound_allow_all_rule" { # Private subnet ACL ########################### resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 105 protocol = "tcp" 
@@ -178,7 +200,8 @@ resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny_udp" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 106 protocol = "udp" @@ -189,7 +212,8 @@ resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny_udp" { resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 105 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -200,7 +224,8 @@ resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "private_inbound_allow_80_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 109 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -210,7 +235,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_80_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_80_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 109 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -221,7 +247,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_80_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_443_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" 
@@ -231,7 +258,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_443_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -242,7 +270,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "private_inbound_nfs_111_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 115 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -252,7 +281,8 @@ resource "aws_network_acl_rule" "private_inbound_nfs_111_rule" { } resource "aws_network_acl_rule" "private_outbound_nfs_111_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 115 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -263,8 +293,8 @@ resource "aws_network_acl_rule" "private_outbound_nfs_111_rule" { } resource "aws_network_acl_rule" "private_inbound_nfs_111_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 116 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" 
@@ -274,8 +304,8 @@ resource "aws_network_acl_rule" "private_inbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_nfs_111_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 116 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -286,7 +316,8 @@ resource "aws_network_acl_rule" "private_outbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -296,7 +327,8 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -307,8 +339,8 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" 
@@ -318,8 +350,8 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -330,7 +362,8 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_ldap_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 125 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -340,7 +373,8 @@ resource "aws_network_acl_rule" "private_inbound_ldap_rule" { } resource "aws_network_acl_rule" "private_outbound_ldap_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 125 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -351,8 +385,8 @@ resource "aws_network_acl_rule" "private_outbound_ldap_rule" { } resource "aws_network_acl_rule" "private_inbound_ldap_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 126 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" 
@@ -362,8 +396,8 @@ resource "aws_network_acl_rule" "private_inbound_ldap_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_ldap_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 126 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -374,7 +408,8 @@ resource "aws_network_acl_rule" "private_outbound_ldap_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_openvpn_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 135 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -384,7 +419,8 @@ resource "aws_network_acl_rule" "private_inbound_openvpn_rule" { } resource "aws_network_acl_rule" "private_outbound_openvpn_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 135 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -395,7 +431,8 @@ resource "aws_network_acl_rule" "private_outbound_openvpn_rule" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 139 protocol = "tcp" @@ -405,7 +442,8 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 139 cidr_block = "0.0.0.0/0" protocol = "tcp" 
@@ -416,8 +454,8 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "private_inbound_openvpn_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 136 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -427,8 +465,8 @@ resource "aws_network_acl_rule" "private_inbound_openvpn_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_openvpn_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 136 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -439,7 +477,8 @@ resource "aws_network_acl_rule" "private_outbound_openvpn_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -449,7 +488,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" 
@@ -460,7 +500,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_all_udp" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 141 cidr_block = module.vpc.vpc_cidr_block protocol = "udp" @@ -470,7 +511,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_udp" { } resource "aws_network_acl_rule" "private_outbound_allow_all_udp" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 141 cidr_block = module.vpc.vpc_cidr_block protocol = "udp" @@ -481,8 +523,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_udp" { } resource "aws_network_acl_rule" "private_inbound_allow_all_udp_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 142 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" @@ -492,8 +534,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_allow_all_udp_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 142 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" 
@@ -504,7 +546,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_udp_secondary_cidr" } resource "aws_network_acl_rule" "private_inbound_allow_tcp_dns" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 147 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -514,7 +557,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_tcp_dns" { } resource "aws_network_acl_rule" "private_outbound_allow_tcp_dns" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 147 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -525,7 +569,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_tcp_dns" { } resource "aws_network_acl_rule" "private_inbound_allow_smtp_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 150 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -535,7 +580,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_smtp_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_smtp_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 150 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -546,7 +592,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_smtp_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 153 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" 
@@ -556,7 +603,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_rule" { - network_acl_id = aws_network_acl.private.id + count = local.create_private ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 153 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -567,8 +615,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 154 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -578,8 +626,8 @@ resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.private.id + count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.private[0].id rule_number = 154 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -594,7 +642,8 @@ resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_secondary_cidr" ########################### resource "aws_network_acl_rule" "intra_inbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id cidr_block = "0.0.0.0/0" rule_number = 105 protocol = "tcp" 
@@ -604,7 +653,8 @@ resource "aws_network_acl_rule" "intra_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "intra_outbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 105 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -615,7 +665,8 @@ resource "aws_network_acl_rule" "intra_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "intranet_inbound_allow_443_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -625,7 +676,8 @@ resource "aws_network_acl_rule" "intranet_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "intranet_outbound_allow_443_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -636,7 +688,8 @@ resource "aws_network_acl_rule" "intranet_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 115 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -646,7 +699,8 @@ resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule" { } resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 115 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" 
@@ -657,8 +711,8 @@ resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule" { } resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 116 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -668,8 +722,8 @@ resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 116 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -680,7 +734,8 @@ resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule_secondary_cidr" } resource "aws_network_acl_rule" "intranet_inbound_ssh_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -690,7 +745,8 @@ resource "aws_network_acl_rule" "intranet_inbound_ssh_rule" { } resource "aws_network_acl_rule" "intranet_outbound_ssh_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 120 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" 
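Review bot: `intranet_inbound_nfs_111_rule_secondary_cidr` numbers its entries `116 + count.index` while `intranet_inbound_ssh_rule` in the same hunk is fixed at 120, so a fifth secondary CIDR produces a duplicate rule number and the provider refuses the entry; the same pattern recurs with `142 + count.index` against the fixed 147 later in the intra section, and on the outbound side. The commit now gates these series on `local.create_intranet` but still does not bound the list, so the failure only shows up at apply time. Add a `validation` block to `variable "secondary_cidr_blocks"` with `condition = length(var.secondary_cidr_blocks) <= 4` and an error message naming the rule-number budget, or space the fixed numbers further apart. The variable's declaration is outside the visible diff, so the exact limit should be checked against every `N + count.index` series in nacl.tf rather than taken from this hunk alone.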
@@ -701,8 +757,8 @@ resource "aws_network_acl_rule" "intranet_outbound_ssh_rule" { } resource "aws_network_acl_rule" "intranet_inbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -712,8 +768,8 @@ resource "aws_network_acl_rule" "intranet_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_ssh_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 121 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -724,7 +780,8 @@ resource "aws_network_acl_rule" "intranet_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intra_inbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id cidr_block = "0.0.0.0/0" rule_number = 139 protocol = "tcp" @@ -734,7 +791,8 @@ resource "aws_network_acl_rule" "intra_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "intra_outbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 139 cidr_block = "0.0.0.0/0" protocol = "tcp" 
@@ -745,7 +803,8 @@ resource "aws_network_acl_rule" "intra_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "intra_inbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -755,7 +814,8 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -766,7 +826,8 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "intra_inbound_allow_all_udp" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 141 cidr_block = module.vpc.vpc_cidr_block protocol = "udp" @@ -776,7 +837,8 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_udp" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_udp" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 141 cidr_block = module.vpc.vpc_cidr_block protocol = "udp" @@ -787,8 +849,8 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_udp" { } resource "aws_network_acl_rule" "intra_inbound_allow_all_udp_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 142 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" 
@@ -798,8 +860,8 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_udp_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 142 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" @@ -810,7 +872,8 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "intra_inbound_allow_tcp_dns" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 147 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -820,7 +883,8 @@ resource "aws_network_acl_rule" "intra_inbound_allow_tcp_dns" { } resource "aws_network_acl_rule" "intra_outbound_allow_tcp_dns" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 147 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -832,7 +896,8 @@ resource "aws_network_acl_rule" "intra_outbound_allow_tcp_dns" { resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 153 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" @@ -842,7 +907,8 @@ resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule" { } resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule" { - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? 1 : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 153 cidr_block = module.vpc.vpc_cidr_block protocol = "tcp" 
@@ -853,8 +919,8 @@ resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule" { } resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 154 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -864,8 +930,8 @@ resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule_secondary_cidr" { - count = length(var.secondary_cidr_blocks) - network_acl_id = aws_network_acl.intra.id + count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + network_acl_id = aws_network_acl.intra[0].id rule_number = 154 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "tcp" @@ -880,7 +946,8 @@ resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule_secondary_cidr" # Database subnet ACL ########################### resource "aws_network_acl_rule" "database_inbound_rdp_rule_deny" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id cidr_block = "0.0.0.0/0" rule_number = 105 protocol = "tcp" @@ -890,7 +957,8 @@ resource "aws_network_acl_rule" "database_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "database" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 105 cidr_block = "0.0.0.0/0" protocol = "tcp" 
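Review bot: The resource named plainly `database` at the end of this hunk is the outbound RDP deny (rule 105, tcp, `0.0.0.0/0`, on the database ACL), but its name says nothing of that, unlike its sibling `database_inbound_rdp_rule_deny` just above it. Since the commit is already touching every database rule, this is a cheap moment to rename it `database_outbound_rdp_rule_deny` and keep state continuous with `moved { from = aws_network_acl_rule.database  to = aws_network_acl_rule.database_outbound_rdp_rule_deny }` so the deny rule is not destroyed and recreated. `moved` blocks need Terraform 1.1+; the module's version constraint is not in view, so confirm, and otherwise document a `terraform state mv` step alongside the import notes.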
@@ -901,7 +969,8 @@ resource "aws_network_acl_rule" "database" { } resource "aws_network_acl_rule" "database_inbound_allow_443_rule" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -911,7 +980,8 @@ resource "aws_network_acl_rule" "database_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "database_outbound_allow_443_rule" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 110 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -922,7 +992,8 @@ resource "aws_network_acl_rule" "database_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "database_inbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id cidr_block = "0.0.0.0/0" rule_number = 139 protocol = "tcp" @@ -932,7 +1003,8 @@ resource "aws_network_acl_rule" "database_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "database_outbound_ssh_rule_deny" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 139 cidr_block = "0.0.0.0/0" protocol = "tcp" @@ -943,7 +1015,8 @@ resource "aws_network_acl_rule" "database_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" 
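Review bot: `database_inbound_allow_443_rule` at the top of this hunk keeps `cidr_block = "0.0.0.0/0"` for inbound traffic into the database subnets, whereas the NFS and SSH allows elsewhere in this file are scoped to `module.vpc.vpc_cidr_block` plus `var.secondary_cidr_blocks`. NACLs are stateless, so this admits 443 from any peered, transit-attached or VPN-reachable source into the database tier; since every database rule is being rewritten anyway, narrowing it to the VPC CIDRs (with a `_secondary_cidr` variant like the private and intra sections have) would be consistent, unless something in those subnets genuinely terminates TLS for external networks. The rule's ports and action are outside the visible lines and I cannot tell the subnets' routing from the diff, so treat this as a question rather than a defect.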
@@ -953,7 +1026,8 @@ resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "database_outbound_allow_all_ephemeral_rule" { - network_acl_id = aws_network_acl.database.id + count = local.create_database ? 1 : 0 + network_acl_id = aws_network_acl.database[0].id rule_number = 140 cidr_block = "0.0.0.0/0" protocol = "tcp" diff --git a/outputs.tf b/outputs.tf index 7db330e..a7d5b5e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -179,12 +179,12 @@ output "vpc_main_route_table_id" { output "default_network_acl_id" { description = "The ID of the default network ACL" - value = module.vpc.default_network_acl_id + value = var.manage_default_network_acl ? module.vpc.default_network_acl_id : 0 } output "default_security_group_id" { description = "The ID of the security group created by default on VPC creation" - value = module.vpc.default_security_group_id + value = var.manage_default_security_group ? module.vpc.default_security_group_id : "" } output "https_security_group_id" { @@ -194,22 +194,22 @@ output "https_security_group_id" { output "public_network_acl_id" { description = "The ID of the public network ACL" - value = aws_network_acl.public.id + value = local.create_public ? aws_network_acl.public[0].id : "" } output "intranet_network_acl_id" { description = "The ID of the intra network ACL" - value = aws_network_acl.intra.id + value = local.create_intranet ? aws_network_acl.intra[0].id : "" } output "private_network_acl_id" { description = "The ID of the privatenetwork ACL" - value = aws_network_acl.private.id + value = local.create_private ? aws_network_acl.private[0].id : "" } output "database_network_acl_id" { description = "The ID of the database network ACL" - value = aws_network_acl.database.id + value = local.create_database ? aws_network_acl.database[0].id : "" } output "firewall_network_acl_id" { diff --git a/variables.tf b/variables.tf index ab4261c..7956e9a 100644 --- a/variables.tf +++ b/variables.tf 
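Review bot: In the outputs.tf hunk, `default_network_acl_id` returns the number `0` when `var.manage_default_network_acl` is false, while every other conditional output in the same file returns `""`; Terraform unifies the two branches to string, so consumers receive `"0"`, which reads as a real value rather than an absence. Use one sentinel throughout — `null` is the idiomatic one, `value = var.manage_default_network_acl ? module.vpc.default_network_acl_id : null` — and the four ACL outputs can drop the duplicated condition with `value = one(aws_network_acl.public[*].id)`, which yields null when count is 0 (Terraform 0.15+). `manage_default_network_acl` and `manage_default_security_group` are not declared in the visible variables.tf hunk, so confirm they exist as inputs of this module rather than only inside the upstream vpc module.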
@@ -142,6 +142,12 @@ variable "firewall_inbound_acl_rules" { ] } +variable "enable_nat_gateway" { + description = "Should be true if you want to provision NAT Gateways for each of your private networks" + type = bool + default = true +} + variable "firewall_outbound_acl_rules" { description = "Firewall subnets outbound network ACL rules" type = list(map(string))