rm ipam_netmask options, add docs

Author: drewmullen

README.md

@@ -179,6 +179,54 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 
 It is possible to integrate this VPC module with [terraform-aws-transit-gateway module](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway) which handles the creation of TGW resources and VPC attachments. See [complete example there](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway/tree/master/examples/complete).
 
+## VPC CIDR from AWS IP Address Manager (IPAM)
+
+It is possible to have your VPC CIDR assigned from an [AWS IPAM Pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool). However, In order to build subnets within this module Terraform must know subnet CIDRs to properly plan the amount of resources to build. Since CIDR is derived by IPAM by calling CreateVpc this is not possible within a module unless cidr is known ahead of time. You can get around this by "previewing" the CIDR and then using that as the subnet values.
+
+_Note: Due to race conditions with `terraform plan`, it is not possible to use `ipv4_netmask_length` or a pools `allocation_default_netmask_length` within this module. You must explicitly set the CIDRs for a pool to use._
+
+```hcl
+# Find the pool RAM shared to your account
+# Info on RAM sharing pools: https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html
+data "aws_vpc_ipam_pool" "ipv4_example" {
+  filter {
+    name   = "description"
+    values = ["*mypool*"]
+  }
+
+  filter {
+    name   = "address-family"
+    values = ["ipv4"]
+  }
+}
+
+# Preview next CIDR from pool
+data "aws_vpc_ipam_preview_next_cidr" "previewed_cidr" {
+  ipam_pool_id   = data.aws_vpc_ipam_pool.ipv4_example.id
+  netmask_length = 24
+}
+
+data "aws_region" "current" {}
+
+# Calculate subnet cidrs from previewed IPAM CIDR
+locals {
+  partition       = cidrsubnets(data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr, 2, 2)
+  private_subnets = cidrsubnets(local.partition[0], 2, 2)
+  public_subnets  = cidrsubnets(local.partition[1], 2, 2)
+  azs             = formatlist("${data.aws_region.current.name}%s", ["a", "b"])
+}
+
+module "vpc_cidr_from_ipam" {
+  source            = "../.."
+  name              = "vpc-cidr-from-ipam"
+  ipv4_ipam_pool_id = data.aws_vpc_ipam_pool.ipv4_example.id
+  azs               = local.azs
+  cidr              = data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr
+  private_subnets   = local.private_subnets
+  public_subnets    = local.public_subnets
+}
+```
+
 ## Examples
 
 - [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc)
@@ -188,6 +236,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 - [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls)
 - [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs)
 - [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost)
+- [VPC CIDR from IPAM](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipam-vpc)
 - [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc)
 - [Few tests and edge case examples](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issues)
 
@@ -203,13 +252,13 @@ Full contributing [guidelines are covered here](.github/contributing.md).
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.68 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.68 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
 
 ## Modules
 
@@ -304,7 +353,7 @@ No modules.
 | <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
 | <a name="input_assign_ipv6_address_on_creation"></a> [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
 | <a name="input_azs"></a> [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
-| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `null` | no |
 | <a name="input_create_database_internet_gateway_route"></a> [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
 | <a name="input_create_database_nat_gateway_route"></a> [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
 | <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
@@ -403,7 +452,6 @@ No modules.
 | <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
 | <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no |
 | <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no |
-| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id. | `number` | `null` | no |
 | <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
 | <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no |
 | <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no |

examples/ipam-vpc/main.tf

@@ -4,36 +4,28 @@ provider "aws" {
 
 locals {
   name = "ipam-vpc-example"
+  azs  = formatlist("${data.aws_region.current.name}%s", ["a", "b"])
 }
 
-# IPAM Setup
 data "aws_region" "current" {}
 
-resource "aws_vpc_ipam" "example" {
-  operating_regions {
-    region_name = data.aws_region.current.name
-  }
-}
-
-resource "aws_vpc_ipam_pool" "ipv4_example" {
-  address_family                    = "ipv4"
-  ipam_scope_id                     = aws_vpc_ipam.example.private_default_scope_id
-  locale                            = data.aws_region.current.name
-  allocation_default_netmask_length = 28
-}
+/*
+NOTES ON IPAM USAGE:
 
-resource "aws_vpc_ipam_pool_cidr" "ipv4_example" {
-  ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
-  cidr         = "172.2.0.0/16"
-}
+In order to build subnets with your VPC Terraform must
+know subnet CIDRs to properly plan # of resources to build.
+Since CIDR is derived by IPAM by calling CreateVpc this is not
+possible within a module unless cidr is known ahead of time.
+We can get around this by "previewing" the CIDR and then using that
+as the subnet values.
 
-# Usage Patterns
+In the example below we use `cidrsubnets()` to calculate a public
+and private "partitions" (group of cidrs) then calculate the specific
+CIDRs for each subnet type.
 
-module "no_ipam_vpc_example" {
-  source = "../.."
-  name   = "no-ipam-${local.name}"
-  cidr   = "172.2.0.32/28"
-}
+For an explanation on prolonged delete times on IPAM pools see 2nd
+*note* in terraform docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr
+*/
 
 data "aws_vpc_ipam_preview_next_cidr" "previewed_cidr" {
   ipam_pool_id   = aws_vpc_ipam_pool.ipv4_example.id
@@ -45,48 +37,44 @@ data "aws_vpc_ipam_preview_next_cidr" "previewed_cidr" {
 }
 
 locals {
-  partition = cidrsubnets(data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr, 2, 2)
+  partition       = cidrsubnets(data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr, 2, 2)
   private_subnets = cidrsubnets(local.partition[0], 2, 2)
-  public_subnets = cidrsubnets(local.partition[1], 2, 2)
+  public_subnets  = cidrsubnets(local.partition[1], 2, 2)
 }
 
-module "ipv4_ipam_calculate_subnets" {
+module "ipv4_ipam_explicit_cidrs_calculate_subnets" {
   source            = "../.."
   name              = "ipv4-calculated-subnets-${local.name}"
   ipv4_ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
+  azs               = local.azs
   cidr              = data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr
   private_subnets   = local.private_subnets
   public_subnets    = local.public_subnets
+
   depends_on = [
     aws_vpc_ipam_pool_cidr.ipv4_example
   ]
 }
 
-# module "ipv4_ipam_explicit_cidr_vpc" {
-#   source            = "../.."
-#   name              = "ipv4-explicit-cidr-${local.name}"
-#   ipv4_ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
-#   cidr              = "172.2.0.32/28"
-#   depends_on = [
-#     aws_vpc_ipam_pool_cidr.ipv4_example
-#   ]
-# }
+################################
+# IPAM Setup
+# Included for testing & example purposes only
+################################
 
-# module "ipv4_ipam_explicit_netmask_vpc" {
-#   source              = "../.."
-#   name                = "ipv4-explicit-netmask-${local.name}"
-#   ipv4_ipam_pool_id   = aws_vpc_ipam_pool.ipv4_example.id
-#   ipv4_netmask_length = 28
-#   depends_on = [
-#     aws_vpc_ipam_pool_cidr.ipv4_example
-#   ]
-# }
+resource "aws_vpc_ipam" "example" {
+  operating_regions {
+    region_name = data.aws_region.current.name
+  }
+}
+
+resource "aws_vpc_ipam_pool" "ipv4_example" {
+  address_family                    = "ipv4"
+  ipam_scope_id                     = aws_vpc_ipam.example.private_default_scope_id
+  locale                            = data.aws_region.current.name
+  allocation_default_netmask_length = 28
+}
 
-# module "ipv4_ipam_default_netmask_vpc" {
-#   source            = "../.."
-#   name              = "ipv4-default-netmask-${local.name}"
-#   ipv4_ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
-#   depends_on = [
-#     aws_vpc_ipam_pool_cidr.ipv4_example
-#   ]
-# }
+resource "aws_vpc_ipam_pool_cidr" "ipv4_example" {
+  ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
+  cidr         = "172.2.0.0/16"
+}

examples/ipam-vpc/outputs.tf

@@ -0,0 +1,16 @@
+# VPC
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.ipv4_ipam_explicit_cidrs_calculate_subnets.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.ipv4_ipam_explicit_cidrs_calculate_subnets.private_subnets
+}
+
+output "public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.ipv4_ipam_explicit_cidrs_calculate_subnets.public_subnets
+}

main.tf

@@ -25,9 +25,8 @@ locals {
 resource "aws_vpc" "this" {
   count = var.create_vpc ? 1 : 0
 
-  cidr_block          = var.cidr
-  ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
-  ipv4_netmask_length = var.ipv4_netmask_length
+  cidr_block        = var.cidr
+  ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
 
   instance_tenancy                 = var.instance_tenancy
   enable_dns_hostnames             = var.enable_dns_hostnames

variables.tf

@@ -1180,9 +1180,3 @@ variable "ipv4_ipam_pool_id" {
   type        = string
   default     = null
 }
-
-variable "ipv4_netmask_length" {
-  description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id."
-  type        = number
-  default     = null
-}