feat: Add IPAM IPv6 support

README.md

@@ -355,7 +355,7 @@ No modules.
 | <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
 | <a name="input_assign_ipv6_address_on_creation"></a> [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
 | <a name="input_azs"></a> [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
-| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_create_database_internet_gateway_route"></a> [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
 | <a name="input_create_database_nat_gateway_route"></a> [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
 | <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
@@ -455,6 +455,10 @@ No modules.
 | <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
 | <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no |
 | <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no |
+| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id. | `number` | `null` | no |
+| <a name="input_ipv6_cidr"></a> [ipv6\_cidr](#input\_ipv6\_cidr) | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. | `string` | `null` | no |
+| <a name="input_ipv6_ipam_pool_id"></a> [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. | `string` | `null` | no |
+| <a name="input_ipv6_netmask_length"></a> [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. | `number` | `null` | no |
 | <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
 | <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no |
 | <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no |
@@ -516,6 +520,7 @@ No modules.
 | <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
 | <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_use_ipam_pool"></a> [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
 | <a name="input_vpc_flow_log_permissions_boundary"></a> [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
 | <a name="input_vpc_flow_log_tags"></a> [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
 | <a name="input_vpc_tags"></a> [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no |

examples/ipam-vpc/README.md

@@ -42,13 +42,15 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../.. | n/a |
+| <a name="module_vpc_ipam_set_cidr"></a> [vpc\_ipam\_set\_cidr](#module\_vpc\_ipam\_set\_cidr) | ../.. | n/a |
+| <a name="module_vpc_ipam_set_netmask"></a> [vpc\_ipam\_set\_netmask](#module\_vpc\_ipam\_set\_netmask) | ../.. | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_vpc_ipam.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource |
+| [aws_vpc_ipam_pool.ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |
 | [aws_vpc_ipam_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |
 | [aws_vpc_ipam_pool_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource |
 | [aws_vpc_ipam_preview_next_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_preview_next_cidr) | resource |

examples/ipam-vpc/main.tf

@@ -6,7 +6,8 @@ locals {
   name   = "ex-${replace(basename(path.cwd), "_", "-")}"
   region = "eu-west-1"
 
-  partition = cidrsubnets(aws_vpc_ipam_preview_next_cidr.this.cidr, 2, 2)
+  azs               = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  preview_partition = cidrsubnets(aws_vpc_ipam_preview_next_cidr.this.cidr, 2, 2, 2)
 
   tags = {
     Example    = local.name
@@ -19,21 +20,58 @@ locals {
 # VPC Module
 ################################################################################
 
-module "vpc" {
+# IPv4
+module "vpc_ipam_set_netmask" {
   source = "../.."
 
-  name = local.name
+  name = "${local.name}-set-netmask"
 
-  private_subnets = cidrsubnets(local.partition[0], 2, 2)
-  public_subnets  = cidrsubnets(local.partition[1], 2, 2)
+  use_ipam_pool       = true
+  ipv4_ipam_pool_id   = aws_vpc_ipam_pool.this.id
+  ipv4_netmask_length = 16
+  azs                 = local.azs
 
+  private_subnets = cidrsubnets(local.preview_partition[0], 2, 2, 2)
+  public_subnets  = cidrsubnets(local.preview_partition[1], 2, 2, 2)
+
+  tags = local.tags
+
+  depends_on = [
+    aws_vpc_ipam_pool_cidr.this
+  ]
+}
+
+module "vpc_ipam_set_cidr" {
+  source = "../.."
+
+  name = "${local.name}-set-cidr"
+
+  use_ipam_pool     = true
   ipv4_ipam_pool_id = aws_vpc_ipam_pool.this.id
-  azs               = ["${local.region}a", "${local.region}b"]
-  cidr              = aws_vpc_ipam_preview_next_cidr.this.cidr
+  cidr              = "10.1.0.0/16"
+  azs               = local.azs
+
+  private_subnets = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
+  public_subnets  = ["10.1.11.0/24", "10.1.12.0/24", "10.1.13.0/24"]
 
   tags = local.tags
 }
 
+# # IPv6 - Requires having a CIDR plus its message and signature (see below)
+# module "vpc_ipv6_ipam_set_netmask" {
+#   source = "../.."
+
+#   name = "${local.name}-ipv6-set-netmask"
+
+#   use_ipam_pool       = true
+#   ipv4_ipam_pool_id   = aws_vpc_ipam_pool.this.id
+#   ipv6_ipam_pool_id   = aws_vpc_ipam_pool.ipv6.id
+#   ipv6_netmask_length = 56
+#   azs                 = local.azs
+
+#   tags = local.tags
+# }
+
 ################################################################################
 # Supporting Resources
 ################################################################################
@@ -56,25 +94,54 @@ resource "aws_vpc_ipam" "this" {
   operating_regions {
     region_name = local.region
   }
+
+  tags = local.tags
 }
 
+# IPv4
 resource "aws_vpc_ipam_pool" "this" {
+  description                       = "IPv4 pool"
   address_family                    = "ipv4"
   ipam_scope_id                     = aws_vpc_ipam.this.private_default_scope_id
   locale                            = local.region
-  allocation_default_netmask_length = 24
+  allocation_default_netmask_length = 16
+
+  tags = local.tags
 }
 
 resource "aws_vpc_ipam_pool_cidr" "this" {
   ipam_pool_id = aws_vpc_ipam_pool.this.id
-  cidr         = "10.0.0.0/16"
+  cidr         = "10.0.0.0/8"
 }
 
 resource "aws_vpc_ipam_preview_next_cidr" "this" {
-  ipam_pool_id   = aws_vpc_ipam_pool.this.id
-  netmask_length = 20
+  ipam_pool_id = aws_vpc_ipam_pool.this.id
 
   depends_on = [
     aws_vpc_ipam_pool_cidr.this
   ]
 }
+
+# IPv6
+resource "aws_vpc_ipam_pool" "ipv6" {
+  description                       = "IPv6 pool"
+  address_family                    = "ipv6"
+  ipam_scope_id                     = aws_vpc_ipam.this.public_default_scope_id
+  locale                            = local.region
+  allocation_default_netmask_length = 56
+  publicly_advertisable             = false
+  aws_service                       = "ec2"
+
+  tags = local.tags
+}
+
+# # Requires having a CIDR plus its message and signature
+# resource "aws_vpc_ipam_pool_cidr" "ipv6" {
+#   ipam_pool_id = aws_vpc_ipam_pool.ipv6.id
+#   cidr         = var.ipv6_cidr
+
+#   cidr_authorization_context {
+#     message   = var.message
+#     signature = var.signature
+#   }
+# }