From c2f9c88ec1acf1d5c56337ea4d88459c1eb84955 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Str=C3=B6m=20=28gyh896=29?=
Date: Mon, 15 Mar 2021 14:51:02 +0100
Subject: [PATCH 1/2] Allow custom offset for IPv6 netnum allocations

---
 README.md | 4 ++++
 main.tf | 4 ++--
 variables.tf | 12 ++++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d12444a..e9047b0 100644
--- a/README.md
+++ b/README.md
@@ -14,3 +14,7 @@ This is a module which simplifies setting up a new VPC and getting it into a use
 Note that, if `create_nat_gateways` is enabled, each private subnet has a route table which targets an individual NAT gateway when accessing the internet over IPv4, which means that all instances in a given private subnet will appear to have the same static IP from the outside.
+
+Note: if you already have a VPC setup with private subnets, and later add public subnets, your private subnet needs to be recreated due to how this module originally assigned IPv6 addresses.
+This can be avoided by setting the variables `ipv6_private_subnet_netnum_offset = 0` & `ipv6_public_subnet_netnum_offset = 128` which will force private subnets to still be allocated from 0, and public subnets from an offset.
+The maximum value of subnets in a IPv6 CIDR block is 255, we get a /56 from AWS and we divide them into /64 which gives us 8 bits for subnets. Hence 128 will allow 128 private subnets, and 128 public ones.
diff --git a/main.tf b/main.tf
index 9db6518..0a3eb46 100644
--- a/main.tf
+++ b/main.tf
@@ -83,7 +83,7 @@ resource "aws_subnet" "public" {
 count = length(var.public_subnet_cidrs)
 vpc_id = aws_vpc.main.id
 cidr_block = var.public_subnet_cidrs[count.index]
- ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index)
+ ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, var.ipv6_public_subnet_netnum_offset + count.index)
 availability_zone = element(local.azs, count.index)
 map_public_ip_on_launch = true
 assign_ipv6_address_on_creation = true
@@ -170,7 +170,7 @@ resource "aws_subnet" "private" {
 count = length(var.private_subnet_cidrs)
 vpc_id = aws_vpc.main.id
 cidr_block = var.private_subnet_cidrs[count.index]
- ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index + length(var.public_subnet_cidrs))
+ ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index + (var.ipv6_private_subnet_netnum_offset == -1 ? length(var.public_subnet_cidrs) : var.ipv6_private_subnet_netnum_offset))
 availability_zone = element(local.azs, count.index)
 map_public_ip_on_launch = false
 assign_ipv6_address_on_creation = true
diff --git a/variables.tf b/variables.tf
index 3242f70..9eb4450 100644
--- a/variables.tf
+++ b/variables.tf
@@ -29,6 +29,18 @@ variable "private_subnet_cidrs" {
 default = []
 }
+variable "ipv6_public_subnet_netnum_offset" {
+ description = "By default public IPv6 subnets is allocated from start of VPC IPv6 CIDR block. This can be used to force an offset, i.e. if adding public subnets when private ones already exists (which would be at beginning of block)."
+ type = number
+ default = 0
+}
+
+variable "ipv6_private_subnet_netnum_offset" {
+ description = "By default private IPv6 subnet is allocated directly after last public subnet. This can be used to force an offset."
+ type = number
+ default = -1
+}
+
 variable "create_nat_gateways" {
 description = "Optionally create NAT gateways (which cost $) to provide internet connectivity to the private subnets."
 type = bool
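Review bot: The new public netnum, `var.ipv6_public_subnet_netnum_offset + count.index`, is never checked against the range the private hunk below hands out, so overlapping offsets (for example public 0 and private 0, or public 1 with private left at -1) give two aws_subnet resources the same ipv6_cidr_block from cidrsubnet(); cidrsubnet() itself only rejects a netnum of 256 or more, so the collision would presumably surface only when AWS rejects the second subnet at apply time. A plan-time check that the two ranges are disjoint would make this visible before anything is created; failing that, the constraint at least belongs next to the expression, e.g. `# public and private netnum ranges must not overlap; see ipv6_*_netnum_offset in variables.tf`. The same point applies to the private hunk. The enclosing resource block starts before and ends after the hunk.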
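Review bot: The `-1` fallback in the private hunk still uses `length(var.public_subnet_cidrs)` as the private start, which ignores `ipv6_public_subnet_netnum_offset`; once that offset is non-zero the private range no longer sits "directly after last public subnet" as variables.tf describes, and a public offset of 1 makes public and private netnums collide. Changing the fallback to `var.ipv6_public_subnet_netnum_offset + length(var.public_subnet_cidrs)` keeps today's result for the default offset of 0 and makes the description true for any offset. The enclosing resource block starts before and ends after the hunk.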
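Review bot: Neither new variable constrains its value, although the expressions in main.tf only make sense for an integer netnum in 0..255 (or exactly -1 for the private one); a value such as 300 or 2.5 fails inside cidrsubnet() with an error that points at the subnet resource rather than the variable, and a negative value other than -1 reaches cidrsubnet() unchecked. If the module already requires Terraform 0.13 or later, a `validation` block on each variable reports the problem at the variable itself, as sketched below. The first description also reads `public IPv6 subnets is allocated`; `public IPv6 subnets are allocated` reads better.
```hcl
variable "ipv6_public_subnet_netnum_offset" {
  # … unchanged: description, type, default …
  validation {
    condition     = floor(var.ipv6_public_subnet_netnum_offset) == var.ipv6_public_subnet_netnum_offset && var.ipv6_public_subnet_netnum_offset >= 0 && var.ipv6_public_subnet_netnum_offset <= 255
    error_message = "The ipv6_public_subnet_netnum_offset value must be an integer between 0 and 255."
  }
}

variable "ipv6_private_subnet_netnum_offset" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.ipv6_private_subnet_netnum_offset == -1 || (floor(var.ipv6_private_subnet_netnum_offset) == var.ipv6_private_subnet_netnum_offset && var.ipv6_private_subnet_netnum_offset >= 0 && var.ipv6_private_subnet_netnum_offset <= 255)
    error_message = "The ipv6_private_subnet_netnum_offset value must be -1 or an integer between 0 and 255."
  }
}
```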
From 06174218ba383da6d9eb0e154a24f538ba54f612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Str=C3=B6m=20=28gyh896=29?=
Date: Mon, 15 Mar 2021 14:51:14 +0100
Subject: [PATCH 2/2] Allow setting custom endpoint policies

---
 main.tf | 2 ++
 variables.tf | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/main.tf b/main.tf
index 0a3eb46..94f4ab6 100644
--- a/main.tf
+++ b/main.tf
@@ -194,10 +194,12 @@ resource "aws_vpc_endpoint" "s3" {
 service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
 vpc_id = aws_vpc.main.id
 route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
+ policy = var.s3_endpoint_policy
 }
 resource "aws_vpc_endpoint" "dynamodb" {
 service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
 vpc_id = aws_vpc.main.id
 route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
+ policy = var.dynamodb_endpoint_policy
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 9eb4450..cda8304 100644
--- a/variables.tf
+++ b/variables.tf
@@ -59,3 +59,12 @@ variable "tags" {
 default = {}
 }
+variable "s3_endpoint_policy" {
+ description = "Policy document to attach to S3 Gateway Endpoint. Defaults to blank."
+ default = null
+}
+
+variable "dynamodb_endpoint_policy" {
+ description = "Policy document to attach to DynamoDb Gateway Endpoint. Defaults to blank."
+ default = null
+}
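Review bot: Both new variables lack a `type` constraint, and "Defaults to blank" in their descriptions is misleading for a reader deciding how restrictive the endpoints are: a `null` policy means the `policy =` arguments added in the main.tf hunk above send no policy, and AWS then applies its own default endpoint policy, which for gateway endpoints allows full access to the service rather than none. Adding `type = string` to each variable makes a wrong value fail at the variable instead of at the `policy =` argument, and the description should state what null means, e.g. `description = "Policy document (JSON) to attach to the S3 gateway endpoint. null keeps AWS's default endpoint policy, which allows full access."` (and likewise for the DynamoDB variable).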