Without proper support for IPv6 CIDR notation, it is very difficult to automate the configuration of an IPv6-enabled VPC on AWS. It is not possible to set up an internet gateway to support IPv6 traffic, nor is it possible to configure the VPC network ACLs to allow IPv6 traffic in or out.
0.8.8
For aws_default_route_table;
```hcl
variable "environment" {
  type    = "string"
  default = "build"
}

variable "vpc_cidr" {
  type    = "string"
  default = "10.0.5.0/24"
}

variable "vpc_az_subnets" {
  type    = "list"
  default = ["10.0.5.0/26", "10.0.5.64/26", "10.0.5.128/26"]
}

provider "aws" {
  region = "us-west-2"
}

variable "az_map" {
  type = "list"

  default = [
    "us-west-2a",
    "us-west-2b",
    "us-west-2c",
  ]
}

resource "aws_vpc" "main" {
  cidr_block                       = "${var.vpc_cidr}"
  enable_dns_support               = true
  enable_dns_hostnames             = true
  assign_generated_ipv6_cidr_block = true
}

resource "aws_subnet" "main" {
  vpc_id                          = "${aws_vpc.main.id}"
  cidr_block                      = "${element(var.vpc_az_subnets, count.index)}"
  availability_zone               = "${element(var.az_map, count.index)}"
  map_public_ip_on_launch         = true
  ipv6_cidr_block                 = "${cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index)}"
  assign_ipv6_address_on_creation = true
  count                           = "${length(var.az_map)}"
}

resource "aws_internet_gateway" "main" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_default_route_table" "main" {
  default_route_table_id = "${aws_vpc.main.default_route_table_id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.main.id}"
  }

  route {
    cidr_block = "::/0" # or a new ipv6_cidr_block param
    gateway_id = "${aws_internet_gateway.main.id}"
  }
}
```
Ability to set a new ipv6_cidr_block and equivalent params to IPv6 addresses (e.g. ::/0).
Using the existing cidr_block results in the response `Value (::/0) for parameter destinationCidrBlock is invalid. This is not a valid CIDR block.` from AWS, as AWS requires you to use the param DestinationIpv6CidrBlock for IPv6 VPC routes and Ipv6CidrBlock for IPv6 VPC ACLs.
terraform apply
Resolution to this issue would allow users to automate AWS's VPC IPv6 migration guide. Currently, there is no way to complete step 3 (and possibly step 4, but I couldn't tell if Terraform's AWS security group support includes IPv6).
These will all be part of the Terraform 0.9 release
Paul
All PRs merged :) This will be part of the next Terraform release
This example was really helpful. Thanks @atyndall !
However, I'm getting:
InvalidParameterValue: Value (::/0) for parameter destinationCidrBlock is invalid. This is not a valid CIDR block.
Did the merged changes decide on a different value?
@WyseNynja, have you tried ipv6_cidr_block instead of cidr_block when specifying IPv6 rules?
Got the same error you mentioned, and fixed it using this ipv6_cidr_block param.
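The fix suggested in the reply above, written out as an added example (not code from the thread or from the Terraform project): the issue's route table with the IPv6 destination moved to `ipv6_cidr_block`, plus a network ACL using the same argument. The VPC CIDR and region are taken from the issue; the ACL rule numbers and the HTTPS port are constructed for illustration.

```hcl
# Added example: IPv4 destinations stay in cidr_block, IPv6 destinations go
# in ipv6_cidr_block, for both routes and network ACL rules.
provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "main" {
  cidr_block                       = "10.0.5.0/24"
  assign_generated_ipv6_cidr_block = true
}

resource "aws_internet_gateway" "main" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_default_route_table" "main" {
  default_route_table_id = "${aws_vpc.main.default_route_table_id}"

  route {
    cidr_block = "0.0.0.0/0" # IPv4 destination
    gateway_id = "${aws_internet_gateway.main.id}"
  }

  route {
    ipv6_cidr_block = "::/0" # IPv6 destination; rejected by AWS if passed as cidr_block
    gateway_id      = "${aws_internet_gateway.main.id}"
  }
}

# Rule numbers and the HTTPS port below are constructed for illustration.
resource "aws_network_acl" "main" {
  vpc_id = "${aws_vpc.main.id}"

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  ingress {
    rule_no         = 101
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 443
    to_port         = 443
  }
}
```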
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.