diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
index c5785a4..d11680d 100644
--- a/tag-shared-vpc-resources/README.md
+++ b/tag-shared-vpc-resources/README.md
@@ -175,6 +175,7 @@ No modules.
 | [aws_ec2_tag.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [null_resource.network_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.network_acls](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.setup_directory](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
index 7710f1c..7b80b16 100644
--- a/tag-shared-vpc-resources/tag-network-acls.tf
+++ b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -21,19 +21,25 @@ data "aws_network_acls" "network_acls" { # there is still no aws_network_acl, but there is an issue for it # https://github.com/hashicorp/terraform-provider-aws/issues/19754 +resource "null_resource" "setup_directory" { + triggers = { + directory = "setup" + } + + provisioner "local-exec" { + command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}" + } +} + resource "null_resource" "network_acl" { for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids]))) triggers = { - directory = "setup" + directory = null_resource.setup_directory.triggers.directory network_acl_id = each.key filename = "network_acl.${each.key}.json" full_filename = format("%v/%v/%v", path.root, "setup", "network_acl.${each.key}.json") } - provisioner "local-exec" { - command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}" - } - provisioner "local-exec" { working_dir = path.root command = "${path.module}/bin/assume_role_wrapper.sh aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.directory}/${self.triggers.filename}"
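Review bot: With the `mkdir -p` moved into `null_resource.setup_directory`, whose only trigger is the static `directory = "setup"`, the directory is created once when that resource is first applied and never again; on a run where the resource is already in state but the working tree is fresh (a new CI checkout, for instance), `setup/` would presumably be missing and the `> ${self.triggers.directory}/${self.triggers.filename}` redirect in `null_resource.network_acl` would fail for any newly discovered ACL. Keeping an idempotent guard in the describe provisioner avoids this, by prefixing its existing command with `mkdir -p "${self.triggers.directory}" && `. Separately, `full_filename` still hard-codes `"setup"` in its `format(...)` call while `directory` now comes from `null_resource.setup_directory.triggers.directory`; passing the same reference there keeps the two from drifting. The `network_acl` resource body continues past the end of this hunk, so later provisioners that read the file were not reviewed.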