Merge pull request #33 from stromnet/ipv6-renumbering-fix
IPv6 renumbering fix
rickardl authored Mar 15, 2021
2 parents c52d516 + 0617421 commit 11f840f
Showing 3 changed files with 29 additions and 2 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -14,3 +14,7 @@ This is a module which simplifies setting up a new VPC and getting it into a use

Note that, if `create_nat_gateways` is enabled, each private subnet has a route table which targets an individual NAT gateway when accessing
the internet over IPv4, which means that all instances in a given private subnet will appear to have the same static IP from the outside.

Note: if you already have a VPC setup with private subnets, and later add public subnets, your private subnet needs to be recreated due to how this module originally assigned IPv6 addresses.
This can be avoided by setting the variables `ipv6_private_subnet_netnum_offset = 0` & `ipv6_public_subnet_netnum_offset = 128` which will force private subnets to still be allocated from 0, and public subnets from an offset.
The maximum value of subnets in a IPv6 CIDR block is 255, we get a /56 from AWS and we divide them into /64 which gives us 8 bits for subnets. Hence 128 will allow 128 private subnets, and 128 public ones.
6 changes: 4 additions & 2 deletions main.tf
Expand Up @@ -83,7 +83,7 @@ resource "aws_subnet" "public" {
count = length(var.public_subnet_cidrs)
vpc_id = aws_vpc.main.id
cidr_block = var.public_subnet_cidrs[count.index]
ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index)
ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, var.ipv6_public_subnet_netnum_offset + count.index)
availability_zone = element(local.azs, count.index)
map_public_ip_on_launch = true
assign_ipv6_address_on_creation = true
Expand Down Expand Up @@ -170,7 +170,7 @@ resource "aws_subnet" "private" {
count = length(var.private_subnet_cidrs)
vpc_id = aws_vpc.main.id
cidr_block = var.private_subnet_cidrs[count.index]
ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index + length(var.public_subnet_cidrs))
ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index + (var.ipv6_private_subnet_netnum_offset == -1 ? length(var.public_subnet_cidrs) : var.ipv6_private_subnet_netnum_offset))
availability_zone = element(local.azs, count.index)
map_public_ip_on_launch = false
assign_ipv6_address_on_creation = true
Expand All @@ -194,10 +194,12 @@ resource "aws_vpc_endpoint" "s3" {
service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
vpc_id = aws_vpc.main.id
route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
policy = var.s3_endpoint_policy
}

resource "aws_vpc_endpoint" "dynamodb" {
service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
vpc_id = aws_vpc.main.id
route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
policy = var.dynamodb_endpoint_policy
}
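Review bot: The new `ipv6_cidr_block` line in `aws_subnet.private` builds its netnum from `var.ipv6_private_subnet_netnum_offset` with no check that the resulting range stays below 255 (the limit for 8 newbits) or clear of the public range starting at `var.ipv6_public_subnet_netnum_offset`; a misconfigured pair of offsets is only caught when AWS rejects the overlapping subnet at apply time, after the plan has been approved. The `-1` sentinel is also unexplained at the point of use, so a comment above the line would help: `# -1 (the default) keeps the original layout: private /64s follow the last public one`. If the module targets Terraform >= 0.13, a `validation` block on each offset variable rejecting values outside 0..255 would fail at plan time; the cross-variable overlap check would need a precondition or a guarded local, since `validation` cannot reference other variables. Both `aws_subnet` blocks continue outside their hunks.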
21 changes: 21 additions & 0 deletions variables.tf
Expand Up @@ -29,6 +29,18 @@ variable "private_subnet_cidrs" {
default = []
}

variable "ipv6_public_subnet_netnum_offset" {
description = "By default public IPv6 subnets is allocated from start of VPC IPv6 CIDR block. This can be used to force an offset, i.e. if adding public subnets when private ones already exists (which would be at beginning of block)."
type = number
default = 0
}

variable "ipv6_private_subnet_netnum_offset" {
description = "By default private IPv6 subnet is allocated directly after last public subnet. This can be used to force an offset."
type = number
default = -1
}

variable "create_nat_gateways" {
description = "Optionally create NAT gateways (which cost $) to provide internet connectivity to the private subnets."
type = bool
Expand All @@ -47,3 +59,12 @@ variable "tags" {
default = {}
}

variable "s3_endpoint_policy" {
description = "Policy document to attach to S3 Gateway Endpoint. Defaults to blank."
default = null
}

variable "dynamodb_endpoint_policy" {
description = "Policy document to attach to DynamoDb Gateway Endpoint. Defaults to blank."
default = null
}
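Review bot: The descriptions of `s3_endpoint_policy` and `dynamodb_endpoint_policy` say "Defaults to blank", but `default = null` leaves `policy` unset on the `aws_vpc_endpoint` resources, and for a gateway endpoint that means AWS applies its own default endpoint policy, which allows full access to the service through the endpoint rather than a blank or restrictive one; a reader who wants to restrict S3/DynamoDB access would not learn that from the variable. Suggest rewording along the lines of `description = "IAM policy document (JSON) for the S3 Gateway Endpoint. null keeps the AWS default endpoint policy, which allows full access to S3 through the endpoint."` and likewise for DynamoDB. Both variables also lack a `type`; adding `type = string` keeps a non-string value from reaching the provider unnoticed.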
