
Commit 44bfb0c

feat: add dualstack support
Makes the necessary changes to the VPC, subnets, security groups and gateways to add IPv6 Dualstack support. Signed-off-by: Ismayil Mirzali <[email protected]>
1 parent c019343 commit 44bfb0c

6 files changed

+109
-701
lines changed


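--- a/terraform/aws/templates/base.tf
+++ b/terraform/aws/templates/base.tf
@@ -53,6 +53,11 @@ variable "short_env_id" {
 type = string
 }
 
+variable "dualstack" {
+type = bool
+default = false
+}
+
 variable "vpc_cidr" {
 type = string
 default = "10.0.0.0/16"
@@ -95,6 +100,7 @@ resource "aws_security_group_rule" "nat_to_internet_rule" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "nat_icmp_rule" {
@@ -105,6 +111,7 @@ resource "aws_security_group_rule" "nat_icmp_rule" {
 from_port = -1
 to_port = -1
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "nat_tcp_rule" {
@@ -189,6 +196,7 @@ resource "aws_security_group_rule" "internal_security_group_rule_icmp" {
 from_port = -1
 to_port = -1
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "internal_security_group_rule_allow_internet" {
@@ -198,6 +206,7 @@ resource "aws_security_group_rule" "internal_security_group_rule_allow_internet"
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "internal_security_group_rule_ssh" {
@@ -293,6 +302,7 @@ resource "aws_security_group_rule" "bosh_security_group_rule_allow_internet" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group" "jumpbox" {
@@ -316,6 +326,7 @@ resource "aws_security_group_rule" "jumpbox_ssh" {
 from_port = 22
 to_port = 22
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_rdp" {
@@ -325,6 +336,7 @@ resource "aws_security_group_rule" "jumpbox_rdp" {
 from_port = 3389
 to_port = 3389
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_agent" {
@@ -334,6 +346,7 @@ resource "aws_security_group_rule" "jumpbox_agent" {
 from_port = 6868
 to_port = 6868
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_director" {
@@ -343,6 +356,7 @@ resource "aws_security_group_rule" "jumpbox_director" {
 from_port = 25555
 to_port = 25555
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_egress" {
@@ -352,6 +366,7 @@ resource "aws_security_group_rule" "jumpbox_egress" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "bosh_internal_security_rule_tcp" {
@@ -375,6 +390,10 @@ resource "aws_security_group_rule" "bosh_internal_security_rule_udp" {
 resource "aws_subnet" "bosh_subnet" {
 vpc_id = "${local.vpc_id}"
 cidr_block = "${cidrsubnet(var.vpc_cidr, 8, 0)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, 0)}" : null
+
+assign_ipv6_address_on_creation = var.dualstack
+enable_dns64 = var.dualstack
 
 tags = {
 Name = "${var.env_id}-bosh-subnet"
@@ -391,6 +410,13 @@ resource "aws_route" "bosh_route_table" {
 route_table_id = "${aws_route_table.bosh_route_table.id}"
 }
 
+resource "aws_route" "bosh_route_table_ipv6" {
+count = var.dualstack ? 1 : 0
+route_table_id = "${aws_route_table.bosh_route_table.id}"
+destination_ipv6_cidr_block = "::/0"
+egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
+}
+
 resource "aws_route_table_association" "route_bosh_subnets" {
 subnet_id = "${aws_subnet.bosh_subnet.id}"
 route_table_id = "${aws_route_table.bosh_route_table.id}"
@@ -401,6 +427,10 @@ resource "aws_subnet" "internal_subnets" {
 vpc_id = "${local.vpc_id}"
 cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index+1)}"
 availability_zone = "${element(var.availability_zones, count.index)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1)}" : null
+
+assign_ipv6_address_on_creation = var.dualstack
+enable_dns64 = var.dualstack
 
 tags = {
 Name = "${var.env_id}-internal-subnet${count.index}"
@@ -420,6 +450,13 @@ resource "aws_route_table" "nated_route_table" {
 }
 }
 
+resource "aws_route" "internal_subnets_route_table_ipv6" {
+count = var.dualstack ? 1 : 0
+route_table_id = "${aws_route_table.nated_route_table.id}"
+destination_ipv6_cidr_block = "::/0"
+egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
+}
+
 resource "aws_route_table_association" "route_internal_subnets" {
 count = "${length(var.availability_zones)}"
 subnet_id = "${element(aws_subnet.internal_subnets.*.id, count.index)}"
@@ -428,6 +465,19 @@ resource "aws_route_table_association" "route_internal_subnets" {
 
 resource "aws_internet_gateway" "ig" {
 vpc_id = "${local.vpc_id}"
+
+tags = {
+Name = "${var.env_id}"
+}
+}
+
+resource "aws_egress_only_internet_gateway" "egress_ipv6" {
+count = var.dualstack ? 1 : 0
+vpc_id = "${local.vpc_id}"
+
+tags = {
+Name = "${var.env_id}"
+}
 }
 
 locals {
@@ -519,6 +569,10 @@ output "internal_az_subnet_cidr_mapping" {
 }"
 }
 
+output "internal_az_subnet_ipv6_cidr_mapping" {
+value = var.dualstack ? zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.ipv6_cidr_block}") : null
+}
+
 output "director_name" {
 value = "${local.director_name}"
 }
@@ -527,6 +581,10 @@ output "internal_cidr" {
 value = "${local.internal_cidr}"
 }
 
+output "internal_cidr_ipv6" {
+value = var.dualstack ? aws_subnet.bosh_subnet.ipv6_cidr_block : null
+}
+
 output "internal_gw" {
 value = "${local.internal_gw}"
 }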
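Review bot: The four jumpbox rules whose IPv4 side is scoped to `cidr_blocks = ["${var.bosh_inbound_cidr}"]` (`jumpbox_ssh`, `jumpbox_rdp`, `jumpbox_agent`, `jumpbox_director`) all get `ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null`, so once dualstack is enabled ports 22, 3389, 6868 and 25555 accept any IPv6 source while the operator's inbound restriction only applies to IPv4 (the rule `type` lines sit outside these hunks, but the port and CIDR pairing makes the intent clear). Declare an IPv6 counterpart next to `dualstack`, e.g. a `variable "bosh_inbound_ipv6_cidr"` with no permissive default, and use `ipv6_cidr_blocks = var.dualstack ? [var.bosh_inbound_ipv6_cidr] : null` in those four rules; `::/0` is only the right mirror where the IPv4 side is already `0.0.0.0/0` (the NAT, internal and egress rules). The new `bosh_route_table_ipv6` route sends `::/0` to the egress-only gateway, which presumably stops inbound IPv6 sessions reaching the jumpbox today, but the security group is the control that must hold on its own if that route is ever pointed at `aws_internet_gateway.ig`. Separately, `enable_dns64 = var.dualstack` is set on both subnets without any route for the DNS64 prefix `64:ff9b::/96` toward a NAT gateway, so synthesized AAAA answers for IPv4-only destinations would likely be routed to the egress-only gateway and dropped — either add that NAT64 route or leave DNS64 off until it exists.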
