-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_ec2: limitation with allocateSubnetsCidr method of AwsIpam class #25537
Comments
Thanks for your report. We will look into this issue. |
Unfortunately this is a limitation of CloudFormation's There is not much we can do about this. Given that from an IPAM allocation, we can't know the CIDR range at synth time, we can't precalculate the ranges at synth time either using the logic that just parses any CIDR. Instead, we have to defer the CIDR calculation to deployment time (where CloudFormation does it), which is causing this error. You can report the issue to CloudFormation: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap Someone could also go and implement a patch to // I think this is correct but it needs double checking, this math requires a lot of thinking
const split1 = Fn.cidr('10.0.0.0/16', 256, 24);
const split2 = Fn.cidr(Fn.select(0, split1), 16, 28); |
…8027) Because of IPAM allocation, we can't know the parent CIDR at synth time, so we cannot calculate the CIDR split at synth time either. This forces us to rely on the `{ Fn::Cidr }` function provided by CloudFormation. For resource consumption reasons, this function is limited to splitting any range into at most 256 subranges, which means the IPAM allocated VPC cannot split into more subranges either. This PR adds a recursive split feature: if we need to split an CIDR range more than 256 times, we will do multiple splits: ```ts Fn.select(300, Fn.cidr(range, 4096, 4)) // <-- illegal // == Fn.select(44, Fn.cidr(Fn.select(1, Fn.cidr(range, 4, 12)), 256, 4)) ``` Fixes #25537. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
@fradetjulien IPAM service team member here. The intended way to get an IPAM allocated cidr block for your VPC is to provide an Ipv4IpamPoolId in the VPC properties. The IPAM allocation resource should only be used for custom allocations. |
@jonahweissman how would you do this using CDK since the |
Describe the bug
I want to deploy the following
ec2.Vpc
with a CIDR allocation done with IPAM.However, it is impossible for me to have a successful deployment if the
ipv4_netmask_length
is <20
.I can successfully deploy the vpc using an
ec2.IpAddresses.aws_ipam_allocation
resource with anipv4_netmask_length
>=20
It seems that the count variable computed here is greater than the maximum allowed value
256
defined here. Causing an error when calling theFn.cidr
method here.This looks normal to me because :
const count = Math.pow(2, netmask - rootNetmask);
math.pow(2, 28 - 16) = 4096
math.pow(2, 24 - 16) = 256
math.pow(2, 28 - 20) = 256
In my case, I think I need to generate the following CIDRs :
- !Cidr 10.0.0.0/16, 256, 24
- !Cidr 10.0.0.0/16, 4096, 28
But the range limitation from the
Fn.cidr
method forbids it. I don't understand why..When I use the
ec2.IpAddresses.cidr
resource, I have no problem because theallocateSubnetsCidr
it is not using theFn.cidr
method. See here.Expected Behavior
I expect the
ec2.IpAddresses.aws_ipam_allocation
resource to behave like theec2.IpAddresses.cidr
resource. It should not limit thecount
value to a maximum value of256
.Current Behavior
I get the following error :
Reproduction Steps
Possible Solution
Avoid using the
Fn.cidr
method inside theallocateSubnetsCidr
method from theAwsIpam
class.Additional Information/Context
No response
CDK CLI Version
2.77.0 (build 06a0b19)
Framework Version
2.77.0
Node.js Version
v18.16.0
OS
Amazon Linux 2
Language
Python
Language Version
3.11.0
Other information
No response
The text was updated successfully, but these errors were encountered: