Issue #16: ipv6 support - add ipv6 support #21
Conversation
main.tf
Outdated
| @@ -41,6 +41,14 @@ resource "aws_route" "public_internet_gateway" { | |||
| gateway_id = "${aws_internet_gateway.this.id}" | |||
| } | |||
|
|
|||
| resource "aws_route" "public_internet_gateway_ipv6" { | |||
| count = "${var.enable_ipv6 ? (length(var.public_subnets) > 0 ? 1 : 0) : 0}" | |||
There was a problem hiding this comment.
count = "${var.enable_ipv6 && length(var.public_subnets) > 0 ? 1 : 0}"
There was a problem hiding this comment.
oops 🤦♂️ :) Fixed in latest commit
| instance_tenancy = "${var.instance_tenancy}" | ||
| enable_dns_hostnames = "${var.enable_dns_hostnames}" | ||
| enable_dns_support = "${var.enable_dns_support}" | ||
| assign_generated_ipv6_cidr_block = "${var.enable_ipv6}" |
There was a problem hiding this comment.
Keep empty line before tags
There was a problem hiding this comment.
Fixed in latest commit
outputs.tf
Outdated
| } | ||
|
|
||
| output "ipv6_enabled_private_subnets_ipv4_cidr_blocks" { | ||
| description = "Map of List of ipv4 cidr_blocks of private subnets in an ipv6 enabled VPC" |
There was a problem hiding this comment.
The description is a dangerous nice mix of ipv4 and ipv6 even if it makes sense :)
There was a problem hiding this comment.
Also, this is not map of list, but just a list
There was a problem hiding this comment.
Fixed in latest commit
| @@ -67,11 +75,24 @@ resource "aws_subnet" "public" { | |||
| tags = "${merge(var.tags, var.public_subnet_tags, map("Name", format("%s-public-%s", var.name, element(var.azs, count.index))))}" | |||
| } | |||
|
|
|||
| resource "aws_subnet" "public_ipv6" { | |||
There was a problem hiding this comment.
Making aws_subnet resources conditionally is a bad idea, because it require twice more code for some things. Instead, we should always use the same aws_subnet resource (public and private). I think it should be possible, because ipv6-related features are the same as for ipv4 (with the exception of aws_egress_only_internet_gateway which is only for ipv6).
Follow up questions:
- Will
ipv6_cidr_blockwork with empty value? - What will the value of
aws_vpc.this.ipv6_cidr_blockbe when VPC has not enabled IPv6? - Why did you specify the number of bits as "8" as an argument of
cidrsubnet?
There was a problem hiding this comment.
Hi Anton,
I agree that making aws_subnet resources conditionally is not ideal - if you had a chance to review the discussion in the related issue you'll see I originally went down the path of using the same private and public subnet resources but ran into some issues due to the ipv6_cidr_block behavior.
To address your questions directly:
ipv6_cidr_blocksubnet argument will work with an empty value, but the following
ipv6_cidr_block = "${var.enable_ipv6 ? cidrsubnet(aws_vpc.this.ipv6_cidr_block,8,count.index) : ""}"
won't work due to the answer to 2. belowaws_vpc.this.ipv6_cidr_blockis undefined when theassign_generated_ipv6_cidr_blockargument isfalsein vpc resource definition, which resulted in the conditional referenced in 1. failing with the following error:
* module.vpc.aws_subnet.public[0]: Resource 'aws_vpc.this' does not have attribute 'ipv6_cidr_block' for variable 'aws_vpc.this.ipv6_cidr_block'- I specified 8 bits in
cidrsubnetbecause AWS ipv6 blocks are autoassigned a /56 mask and the AWS ipv6 subnets require a /64 mask, so this should always be 8 (i think)
There was a problem hiding this comment.
Thanks for the clarification. I want to try the code in this PR and see if I can make something around 1 and 2 during Monday evening.
There was a problem hiding this comment.
@antonbabenko looks like there was a recently submitted PR that would fix the issue we are seeing.
If we wait until this is fixed we won't need to create conditional subnet resources. Additionally, it looks like there is a "fix" coming in 0.11.x (see 0.11.0-beta1 changelog) that may cause this PR code to break because of the new output validation (I assume that if our conditionally created subnet resources are not created, terraform would throw an error due to the exception in the ipv6_* output interpolations).
I'm thinking we can sit on this until that PR is merged and I can refactor the ipv6 support into the existing the resources, and hopefully at the same time provide forward compatibility. Let me know your thoughts :)
There was a problem hiding this comment.
Great finding! Absolutely, let's wait for this PR. Terraform AWS provider is the best place to fix this kind of issues.
|
+1 for this feature |
|
+1 |
|
Has work on this halted? It's pretty much the last thing in the way of me switching over from my own vpc module ... |
|
Please thumb-up the related issue in the AWS provider - hashicorp/terraform-provider-aws#2103. This should indicate to the maintainers that this feature is not very large and it is still important for a lot of users. |
|
+1 Still not available in v1.37.0 |
|
IPv6 is a good feature to have, but it is not so easy to make it supported in this module. I have updated this module by adding support for Note, that this adds IPv6 support only to VPC and not to other resources. Adding IPv6 support to |
|
It looks like the upstream provider PR has been merged in; are we ready to move forward with this PR again? |
|
Yes, at least we can try once more. Last time I looked at it there were some bugs which prevented me from making it. I am not entirely sure what was it. |
|
I suggest to split this PR to small parts. Example: ipv6 for subnets |
Based on work done in terraform-aws-modules#21.
|
I re-implemented most of this in #218 with success to test it. I think all the terraform components are in place. I did notice some issues with the deletion of the ipv6 route table when the vpc is destroyed. One last thing, this PR makes an assumption about the spread of the ipv6 subnets. I think it'd be better to have the user specify the prefixes, they already are doing so for ipv4 anyway. |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
There are several resources which should be updated to have IPv6 support: