add ipam ipv4 support

drewmullen · drewmullen · commit 668f92a83ee7 · 2021-12-02T16:36:51.000-05:00
diff --git a/README.md b/README.md
@@ -203,13 +203,13 @@ Full contributing [guidelines are covered here](.github/contributing.md).
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.63 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.68 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.63 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.68 |
 
 ## Modules
 
@@ -304,7 +304,7 @@ No modules.
 | <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
 | <a name="input_assign_ipv6_address_on_creation"></a> [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
 | <a name="input_azs"></a> [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
-| <a name="input_cidr"></a> [cidr](#input\_cidr) | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `null` | no |
 | <a name="input_create_database_internet_gateway_route"></a> [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
 | <a name="input_create_database_nat_gateway_route"></a> [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
 | <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
@@ -402,6 +402,8 @@ No modules.
 | <a name="input_intra_subnet_suffix"></a> [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no |
 | <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
 | <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no |
+| <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no |
+| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id. | `number` | `null` | no |
 | <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
 | <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no |
 | <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no |
diff --git a/examples/ipam-vpc/main.tf b/examples/ipam-vpc/main.tf
@@ -0,0 +1,56 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+locals {
+  name = "ipam-vpc-example"
+}
+
+# IPAM Setup
+data "aws_region" "current" {}
+
+resource "aws_vpc_ipam" "example" {
+  operating_regions {
+    region_name = data.aws_region.current.name
+  }
+}
+
+resource "aws_vpc_ipam_pool" "ipv4_example" {
+  address_family                    = "ipv4"
+  ipam_scope_id                     = aws_vpc_ipam.example.private_default_scope_id
+  locale                            = data.aws_region.current.name
+  allocation_default_netmask_length = 28
+}
+
+resource "aws_vpc_ipam_pool_cidr" "ipv4_example" {
+  ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
+  cidr         = "172.2.0.0/16"
+}
+
+# Usage Patterns
+
+module "no_ipam_vpc_example" {
+  source = "../.."
+  name   = "no-ipam-${local.name}"
+  cidr   = "172.2.0.32/28"
+}
+
+module "ipv4_ipam_explicit_cidr_vpc" {
+  source            = "../.."
+  name              = "ipv4-explicit-cidr-${local.name}"
+  ipv4_ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
+  cidr              = "172.2.0.32/28"
+}
+
+module "ipv4_ipam_explicit_netmask_vpc" {
+  source              = "../.."
+  name                = "ipv4-explicit-netmask-${local.name}"
+  ipv4_ipam_pool_id   = aws_vpc_ipam_pool.ipv4_example.id
+  ipv4_netmask_length = 28
+}
+
+module "ipv4_ipam_default_netmask_vpc" {
+  source            = "../.."
+  name              = "ipv4-default-netmask-${local.name}"
+  ipv4_ipam_pool_id = aws_vpc_ipam_pool.ipv4_example.id
+}
diff --git a/examples/ipam-vpc/outputs.tf b/examples/ipam-vpc/outputs.tf
diff --git a/examples/ipam-vpc/variables.tf b/examples/ipam-vpc/variables.tf
diff --git a/examples/ipam-vpc/versions.tf b/examples/ipam-vpc/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.68"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -16,6 +16,10 @@ locals {
     ),
     0,
   )
+  ipv4_using_ipam                 = var.ipv4_ipam_pool_id == null ? false : true
+  ipv4_ipam_with_explicit_cidr    = var.ipv4_ipam_pool_id != null && var.cidr != null ? true : false
+  ipv4_ipam_with_explicit_netmask = local.ipv4_using_ipam && var.ipv4_netmask_length != null ? var.ipv4_netmask_length : null
+  cidr                            = !local.ipv4_using_ipam || local.ipv4_ipam_with_explicit_cidr == true ? var.cidr : null
 }
 
 ################################################################################
@@ -25,7 +29,10 @@ locals {
 resource "aws_vpc" "this" {
   count = var.create_vpc ? 1 : 0
 
-  cidr_block                       = var.cidr
+  cidr_block          = local.cidr
+  ipv4_ipam_pool_id   = local.ipv4_using_ipam ? var.ipv4_ipam_pool_id : null
+  ipv4_netmask_length = local.ipv4_ipam_with_explicit_netmask
+
   instance_tenancy                 = var.instance_tenancy
   enable_dns_hostnames             = var.enable_dns_hostnames
   enable_dns_support               = var.enable_dns_support
diff --git a/variables.tf b/variables.tf
@@ -11,9 +11,9 @@ variable "name" {
 }
 
 variable "cidr" {
-  description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden"
+  description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`"
   type        = string
-  default     = "0.0.0.0/0"
+  default     = null
 }
 
 variable "enable_ipv6" {
@@ -1174,3 +1174,15 @@ variable "flow_log_per_hour_partition" {
   type        = bool
   default     = false
 }
+
+variable "ipv4_ipam_pool_id" {
+  description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR."
+  type        = string
+  default     = null
+}
+
+variable "ipv4_netmask_length" {
+  description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id."
+  type        = number
+  default     = null
+}
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.63"
+      version = ">= 3.68"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 3.63"`
	`7`	`+ version = ">= 3.68"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`