add support for vpc_config.ipv6_allowed_for_dual_stack

Author: zahorniak

README.md

@@ -864,6 +864,7 @@ No modules.
 | <a name="input_trigger_on_package_timestamp"></a> [trigger\_on\_package\_timestamp](#input\_trigger\_on\_package\_timestamp) | Whether to recreate the Lambda package if the timestamp changes | `bool` | `true` | no |
 | <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | List of additional trusted entities for assuming Lambda Function role (trust relationship) | `any` | `[]` | no |
 | <a name="input_use_existing_cloudwatch_log_group"></a> [use\_existing\_cloudwatch\_log\_group](#input\_use\_existing\_cloudwatch\_log\_group) | Whether to use an existing CloudWatch log group or create new | `bool` | `false` | no |
+| <a name="input_vpc_ipv6_allowed_for_dual_stack"></a> [vpc\_ipv6\_allowed\_for\_dual\_stack](#input\_vpc\_ipv6\_allowed\_for\_dual\_stack) | Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets. | `bool` | `false` | no |
 | <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no |
 | <a name="input_vpc_subnet_ids"></a> [vpc\_subnet\_ids](#input\_vpc\_subnet\_ids) | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | `list(string)` | `null` | no |
 

examples/with-vpc/main.tf

@@ -17,12 +17,13 @@ module "lambda_function_in_vpc" {
   function_name = "${random_pet.this.id}-lambda-in-vpc"
   description   = "My awesome lambda function"
   handler       = "index.lambda_handler"
-  runtime       = "python3.8"
+  runtime       = "python3.9"
 
   source_path = "${path.module}/../fixtures/python3.8-app1"
 
   vpc_subnet_ids                     = module.vpc.intra_subnets
   vpc_security_group_ids             = [module.vpc.default_security_group_id]
+  vpc_ipv6_allowed_for_dual_stack    = true
   attach_network_policy              = true
   replace_security_groups_on_destroy = true
   replacement_security_group_ids     = [module.vpc.default_security_group_id]
@@ -38,6 +39,9 @@ module "vpc" {
   azs           = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
   intra_subnets = ["10.10.101.0/24", "10.10.102.0/24", "10.10.103.0/24"]
 
+  enable_ipv6                = true
+  intra_subnet_ipv6_prefixes = [0, 1, 2]
+
   # Add public_subnets and NAT Gateway to allow access to internet from Lambda
   # public_subnets  = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
   # enable_nat_gateway = true

main.tf

@@ -91,8 +91,9 @@ resource "aws_lambda_function" "this" {
   dynamic "vpc_config" {
     for_each = var.vpc_subnet_ids != null && var.vpc_security_group_ids != null ? [true] : []
     content {
-      security_group_ids = var.vpc_security_group_ids
-      subnet_ids         = var.vpc_subnet_ids
+      ipv6_allowed_for_dual_stack = var.vpc_ipv6_allowed_for_dual_stack
+      security_group_ids          = var.vpc_security_group_ids
+      subnet_ids                  = var.vpc_subnet_ids
     }
   }
 

variables.tf

@@ -176,6 +176,12 @@ variable "vpc_security_group_ids" {
   default     = null
 }
 
+variable "vpc_ipv6_allowed_for_dual_stack" {
+  description = "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets."
+  type        = bool
+  default     = false
+}
+
 variable "tags" {
   description = "A map of tags to assign to resources."
   type        = map(string)

wrappers/main.tf

@@ -129,6 +129,7 @@ module "wrapper" {
   trigger_on_package_timestamp                 = try(each.value.trigger_on_package_timestamp, var.defaults.trigger_on_package_timestamp, true)
   trusted_entities                             = try(each.value.trusted_entities, var.defaults.trusted_entities, [])
   use_existing_cloudwatch_log_group            = try(each.value.use_existing_cloudwatch_log_group, var.defaults.use_existing_cloudwatch_log_group, false)
+  vpc_ipv6_allowed_for_dual_stack              = try(each.value.vpc_ipv6_allowed_for_dual_stack, var.defaults.vpc_ipv6_allowed_for_dual_stack, false)
   vpc_security_group_ids                       = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, null)
   vpc_subnet_ids                               = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, null)
 }