
Excluding CIDRs when creating pools #68

Open
oponomarov-tu opened this issue Jul 25, 2024 · 4 comments

Comments

@oponomarov-tu

Hi,

cidr_allocations input variable has been removed in d04f955 (#10). How one does ensure that certain CIDR is excluded from the top-level root pool?

Something like this does not work:

module "ipam" {
  source  = "aws-ia/ipam/aws"
  version = "2.1.0"

  top_name = "root ipam"
  top_cidr = ["172.16.0.0/12"]

  pool_configurations = {
    (data.aws_region.current.name) = {

      description    = "${data.aws_region.current.name} top level pool"
      netmask_length = 16
      locale         = data.aws_region.current.name
      sub_pools = {

        development = {
          name                     = "development"
          netmask_length           = 18
          ram_share_principals     = ["<redacted>"]
          allocation_resource_tags = { env = "development" }
        }
        
        ...

      }
    }
  }
}

resource "aws_vpc_ipam_pool_cidr_allocation" "on_prem_172_networks" {
  ipam_pool_id = module.ipam.pool_level_0.id

  cidr  = "172.16.0.0/20"
}
@drewmullen
Contributor

Try setting top_locale.

Allocations are only made in the pools with a locale and… iirc you must also be constructing your provider in the same region where the locale is (I could be wrong on this point).

@rwejdling

rwejdling commented Jul 26, 2024

It's a timing issue. The sub-pools are allocated when the module is applied and the CIDR that we want to allocate (exclude) is already allocated to the first sub-pool.

So we get this error when trying to allocate the CIDR we want to exclude:
[screenshot of the allocation error; image not captured]

So either we need to:

  1. Add a feature to the module so CIDRs that should be excluded are allocated in the top pool before the sub-pools are applied, i.e., add a top_cidr_allocations input var to the module.
  2. Create a sub-pool that we must not use, to allocate the space in the top pool.
  3. Create the IPAM top pool, allocate the exclusion, and then add the sub-pools (this will leave us in a state that can't easily be reapplied).

Would option 1. make sense to add to this module as a general feature going forward? Otherwise we'll just go with one of our workarounds.

@drewmullen
Contributor

Initially I had set the allocations inside but it ended up being impossible because of how the TF provider client and subsequent calls are made to regions :/ which is how you found the PR where I took it out.

Your best bet may be to use the sub-pool module and roll your own graph with the structure forced by the parent module.

I am sorry! I really wish this was possible… The problem has to do with the fact that IPAM as a service is managed from a single region, but then also adds items that are accessible via other regions. The resource for an allocation has to call the region directly, which is not possible with a module since we're speaking to the "parent region". Or, rather, it's only possible in the parent region.

Some hope… there's a proposal to allow for setting region on a resource, individually… if this ever gets merged that would help resolve this type of issue: hashicorp/terraform-provider-aws#31517
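The "roll your own graph" route drewmullen suggests, combined with rwejdling's observation that the exclusion must exist before any sub-pool CIDR is provisioned, can be expressed with raw AWS provider resources and explicit depends_on ordering. The following is an added example, not code from the aws-ia/ipam module or from anyone in this thread. It reuses the values given above (172.16.0.0/12 root, /16 regional pool, /18 development sub-pool, the 172.16.0.0/20 on-prem range, the on_prem_172_networks name); the resource names, descriptions and tags are constructed assumptions. The locale is set to the provider's own region, which also satisfies the caveat that the allocation must be made from the region the locale points at.

```hcl
# Added example (not the aws-ia/ipam module's own code): carve the reserved
# CIDR out of the regional pool BEFORE any sub-pool CIDR is provisioned, so
# the ordering lives in the dependency graph and survives a re-apply.

data "aws_region" "current" {}

resource "aws_vpc_ipam" "this" {
  description = "root ipam"
  operating_regions {
    region_name = data.aws_region.current.name
  }
}

# Top-level pool: no locale, owns the whole 172.16.0.0/12.
resource "aws_vpc_ipam_pool" "top" {
  description    = "root pool"
  address_family = "ipv4"
  ipam_scope_id  = aws_vpc_ipam.this.private_default_scope_id
}

resource "aws_vpc_ipam_pool_cidr" "top" {
  ipam_pool_id = aws_vpc_ipam_pool.top.id
  cidr         = "172.16.0.0/12"
}

# Regional pool: has a locale, so allocations can be made in it.
resource "aws_vpc_ipam_pool" "regional" {
  description         = "${data.aws_region.current.name} top level pool"
  address_family      = "ipv4"
  ipam_scope_id       = aws_vpc_ipam.this.private_default_scope_id
  source_ipam_pool_id = aws_vpc_ipam_pool.top.id
  locale              = data.aws_region.current.name
}

# Takes the first free /16 from the root pool (172.16.0.0/16).
resource "aws_vpc_ipam_pool_cidr" "regional" {
  ipam_pool_id   = aws_vpc_ipam_pool.regional.id
  netmask_length = 16
  depends_on     = [aws_vpc_ipam_pool_cidr.top]
}

# The exclusion: reserve the on-prem range in the regional pool first.
# Nothing downstream may consume this space.
resource "aws_vpc_ipam_pool_cidr_allocation" "on_prem_172_networks" {
  ipam_pool_id = aws_vpc_ipam_pool.regional.id
  cidr         = "172.16.0.0/20"
  description  = "reserved for on-prem 172 networks; never handed to a VPC"
  depends_on   = [aws_vpc_ipam_pool_cidr.regional]
}

resource "aws_vpc_ipam_pool" "development" {
  description              = "development"
  address_family           = "ipv4"
  ipam_scope_id            = aws_vpc_ipam.this.private_default_scope_id
  source_ipam_pool_id      = aws_vpc_ipam_pool.regional.id
  locale                   = data.aws_region.current.name
  allocation_resource_tags = { env = "development" }
}

# Provisioning the sub-pool's /18 only after the exclusion exists forces
# IPAM to skip the space containing 172.16.0.0/20, so the sub-pool gets a
# /18 that does not overlap the reserved range (172.16.64.0/18 here).
resource "aws_vpc_ipam_pool_cidr" "development" {
  ipam_pool_id   = aws_vpc_ipam_pool.development.id
  netmask_length = 18
  depends_on     = [aws_vpc_ipam_pool_cidr_allocation.on_prem_172_networks]
}
```

Because the reservation is an ordinary resource in the graph, terraform destroy tears the sub-pool CIDR down before the allocation and a later apply recreates them in the same order, which is what option 3 above lacks when done by hand. Adding a second region means a second regional pool with its own locale and its own provider alias for that region; the allocation resource then has to use that same aliased provider.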

@drewmullen
Contributor

@rwejdling @oponomarov-tu this is supposed to be merged by this summer: hashicorp/terraform-provider-aws#27758 (comment)

Would allow for us to complete this FR 🎉 🎉 🎉 🎉
