Merge pull request #104 from pablo19sc/main

IPv6 support + minor updates in TGW routing
aws-ia · Apr 18, 2023 · 62b1991 · 62b1991
2 parents c88195d + a67936a
commit 62b1991
Show file tree

Hide file tree

Showing 33 changed files with 786 additions and 214 deletions.
diff --git a/.header.md b/.header.md
@@ -1,35 +1,45 @@
 # AWS VPC Module
 
-This module can be used to deploy a pragmatic VPC with various subnets types in # AZs. Common deployment examples can be found in [examples/](https://github.com/aws-ia/terraform-aws-vpc/tree/main/examples). Subnet CIDRs can be explicitly set via list of string argument `cidrs` or set via a number `netmask` argument.
+This module can be used to deploy a pragmatic VPC with various subnets types in # AZs. Common deployment examples can be found in [examples/](https://github.com/aws-ia/terraform-aws-vpc/tree/main/examples).
 
 __Note: For information regarding the 4.0 upgrade see our [upgrade guide](https://github.com/aws-ia/terraform-aws-vpc/blob/main/UPGRADE-GUIDE-4.0.md).__
 
 ## Usage
 
-The example below builds a VPC with public and private subnets in 3 AZs. Each subnet calulates a CIDR based on the `netmask` argument passed. The public subnets build nat gateways in each AZ but optionally can be switched to `single_az`.
+The example below builds a dual-stack VPC with public and private subnets in 3 AZs. Each subnet calculates an IPv4 CIDR based on the `netmask` argument passed, and an IPv6 CIDR with a /64 prefix length. The public subnets build NAT gateways in each AZ but optionally can be switched to `single_az`. An Egress-only Internet gateway is created by using the variable `vpc_egress_only_internet_gateway`.
 
 ```hcl
 module "vpc" {
   source   = "aws-ia/vpc/aws"
-  version = ">= 4.0.0"
+  version = ">= 4.2.0"
 
-  name       = "multi-az-vpc"
-  cidr_block = "10.0.0.0/20"
-  az_count   = 3
+  name                                 = "multi-az-vpc"
+  cidr_block                           = "10.0.0.0/16"
+  vpc_assign_generated_ipv6_cidr_block = true
+  vpc_egress_only_internet_gateway     = true
+  az_count                             = 3
 
   subnets = {
+    # Dual-stack subnet
     public = {
       name_prefix               = "my_public" # omit to prefix with "public"
       netmask                   = 24
+      assign_ipv6_cidr          = true
       nat_gateway_configuration = "all_azs" # options: "single_az", "none"
     }
-
+    # IPv4 only subnet
     private = {
       # omitting name_prefix defaults value to "private"
       # name_prefix  = "private_with_egress"
       netmask      = 24
       connect_to_public_natgw = true
     }
+    # IPv6-only subnet
+    private_ipv6 = {
+      ipv6_native      = true
+      assign_ipv6_cidr = true
+      connect_to_eigw  = true
+    }
   }
 
   vpc_flow_logs = {
@@ -43,13 +53,7 @@ module "vpc" {
 
 There are 3 reserved keys for subnet key names in var.subnets corresponding to types "public", "transit_gateway", and "core_network" [(an AWS Cloud WAN feature)](https://docs.aws.amazon.com/vpc/latest/cloudwan/cloudwan-networks-working-with.html). Other custom subnet key names are valid are and those subnets will be private subnets.
 
-```terraform
-transit_gateway_id = <>
-transit_gateway_routes = {
-  public = "pl-123"
-  vpce   = "10.0.0.0/8"
-}
-
+```hcl
 subnets = {
   public = {
     name_prefix               = "my-public" # omit to prefix with "public"
@@ -71,10 +75,28 @@ subnets = {
     # name_prefix  = "private"
     netmask      = 24
   }
+```
+
+```hcl
+transit_gateway_id = <>
+transit_gateway_routes = {
+  private = "0.0.0.0/0"
+  vpce    = "pl-123"
+}
+transit_gateway_ipv6_routes = {
+  private = "::/0"
+}
+
+subnets = {
+  private = { 
+    netmask          = 24 
+    assign_ipv6_cidr = true
+  }
+  vpce = { netmask = 24}
 
   transit_gateway = {
     netmask                                         = 28
-    connect_to_public_natgw                         = true
+    assign_ipv6_cidr                                = true
     transit_gateway_default_route_table_association = true
     transit_gateway_default_route_table_propagation = true
     transit_gateway_appliance_mode_support          = "enable"
@@ -86,24 +108,28 @@ subnets = {
 }
 ```
 
-```terraform
+```hcl
 core_network = {
   id  = <>
   arn = <>
 }
 core_network_routes = {
   workload = "pl-123"
 }
+core_network_ipv6_routes = {
+  workload = "::/0"
+}
 
 subnets = {
   workload = {
-    name_prefix = "workload-private"
-    netmask     = 24
+    name_prefix      = "workload-private"
+    netmask          = 24
+    assign_ipv6_cidr = true
   }
 
   core_network = {
     netmask                = 28
-    ipv6_support           = false
+    assign_ipv6_cidr       = true
     appliance_mode_support = false
     require_acceptance     = true
     accept_attachment      = true
@@ -116,40 +142,46 @@ subnets = {
 
 ## Updating a VPC with new or removed subnets
 
-If using `netmask` to calculate subnets and you wish to either add or remove subnets (ex: adding / removing an AZ), you may have to change from using `netmask` for some subnets and set to explicit instead. Private subnets are always calculated before public.
+If using `netmask` or `assign_ipv6_cidr` to calculate subnets and you wish to either add or remove subnets (ex: adding / removing an AZ), you may have to change from using `netmask` / `assign_ipv6_cidr` for some subnets and set to explicit instead. Private subnets are always calculated before public.
 
 When changing to explicit cidrs, subnets are always ordered by AZ. `0` -> a, `1` -> b, etc.
 
 Example: Changing from 2 azs to 3
 
 Before:
 ```hcl
-cidr_block = "10.0.0.0/16"
-az_count = 2
+cidr_block                           = "10.0.0.0/16"
+vpc_assign_generated_ipv6_cidr_block = true
+az_count                             = 2
 
 subnets = {
   public = {
-   netmask = 24
+    netmask          = 24
+    assign_ipv6_cidr = true
   }
 
   private = {
-   netmask = 24
+   netmask          = 24
+   assign_ipv6_cidr = true
   }
 }
 ```
 
 After:
 ```hcl
-cidr_block = "10.0.0.0/16"
+cidr_block                           = "10.0.0.0/16"
+vpc_assign_generated_ipv6_cidr_block = true
 az_count = 3
 
 subnets = {
   public = {
-   cidrs = ["10.0.0.0/24", "10.0.1.0/24", "10.0.4.0/24"]
+    cidrs      = ["10.0.0.0/24", "10.0.1.0/24", "10.0.4.0/24"]
+    ipv6_cidrs = ["2a05:d01c:bc3:b200::/64", "2a05:d01c:bc3:b201::/64", "2a05:d01c:bc3:b204::/64"]
   }
 
   private = {
-   cidrs = ["10.0.2.0/24", "10.0.3.0/24", "10.0.5.0/24"]
+    cidrs      = ["10.0.2.0/24", "10.0.3.0/24", "10.0.5.0/24"]
+    ipv6_cidrs = ["2a05:d01c:bc3:b202::/64", "2a05:d01c:bc3:b203::/64", "2a05:d01c:bc3:b205::/64"]
   }
 }
 ```
@@ -166,7 +198,7 @@ Example Configuration:
 ```terraform
 module "vpc" {
   source  = "aws-ia/vpc/aws"
-  version = ">= 4.0.0"
+  version = ">= 4.2.0"
 
   name       = "multi-az-vpc"
   cidr_block = "10.0.0.0/20"
@@ -228,6 +260,7 @@ This happens when the Core Network's VPC attachment requires acceptance, so it's
 subnets = {
   core_network = {
     netmask            = 28
+    assign_ipv6_cidr   = true
     require_acceptance = true
     accept_attachment  = true
   }
@@ -240,6 +273,7 @@ subnets = {
 subnets = {
   core_network = {
     netmask            = 28
+    assign_ipv6_cidr   = true
     require_acceptance = true
     accept_attachment  = true
   }
@@ -252,6 +286,7 @@ After you apply and the attachment is accepted (outside the module), change the
 subnets = {
   core_network = {
     netmask            = 28
+    assign_ipv6_cidr   = true
     require_acceptance = false
   }
 }
@@ -261,4 +296,4 @@ subnets = {
 
 # Contributing
 
-Please see our [developer documentation](https://github.com/aws-ia/terraform-aws-vpc/blob/main/contributing.md) for guidance on contributing to this module
+Please see our [developer documentation](https://github.com/aws-ia/terraform-aws-vpc/blob/main/contributing.md) for guidance on contributing to this module.