
Commit 47a626b

committed
feat: add dualstack support
Makes the necessary changes to the VPC, subnets, security groups and gateways to add IPv6 Dualstack support. Signed-off-by: Ismayil Mirzali <[email protected]>
1 parent c019343 commit 47a626b

6 files changed

+85
-4
lines changed


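--- a/terraform/aws/templates/base.tf
+++ b/terraform/aws/templates/base.tf
@@ -53,6 +53,11 @@ variable "short_env_id" {
 type = string
 }
 
+variable "dualstack" {
+type = bool
+default = false
+}
+
 variable "vpc_cidr" {
 type = string
 default = "10.0.0.0/16"
@@ -95,6 +100,7 @@ resource "aws_security_group_rule" "nat_to_internet_rule" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "nat_icmp_rule" {
@@ -105,6 +111,7 @@ resource "aws_security_group_rule" "nat_icmp_rule" {
 from_port = -1
 to_port = -1
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "nat_tcp_rule" {
@@ -189,6 +196,7 @@ resource "aws_security_group_rule" "internal_security_group_rule_icmp" {
 from_port = -1
 to_port = -1
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "internal_security_group_rule_allow_internet" {
@@ -198,6 +206,7 @@ resource "aws_security_group_rule" "internal_security_group_rule_allow_internet"
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "internal_security_group_rule_ssh" {
@@ -293,6 +302,7 @@ resource "aws_security_group_rule" "bosh_security_group_rule_allow_internet" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group" "jumpbox" {
@@ -316,6 +326,7 @@ resource "aws_security_group_rule" "jumpbox_ssh" {
 from_port = 22
 to_port = 22
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_rdp" {
@@ -325,6 +336,7 @@ resource "aws_security_group_rule" "jumpbox_rdp" {
 from_port = 3389
 to_port = 3389
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_agent" {
@@ -334,6 +346,7 @@ resource "aws_security_group_rule" "jumpbox_agent" {
 from_port = 6868
 to_port = 6868
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_director" {
@@ -343,6 +356,7 @@ resource "aws_security_group_rule" "jumpbox_director" {
 from_port = 25555
 to_port = 25555
 cidr_blocks = ["${var.bosh_inbound_cidr}"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "jumpbox_egress" {
@@ -352,6 +366,7 @@ resource "aws_security_group_rule" "jumpbox_egress" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 resource "aws_security_group_rule" "bosh_internal_security_rule_tcp" {
@@ -375,6 +390,10 @@ resource "aws_security_group_rule" "bosh_internal_security_rule_udp" {
 resource "aws_subnet" "bosh_subnet" {
 vpc_id = "${local.vpc_id}"
 cidr_block = "${cidrsubnet(var.vpc_cidr, 8, 0)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, 0)}" : null
+
+assign_ipv6_address_on_creation = var.dualstack
+enable_dns64 = var.dualstack
 
 tags = {
 Name = "${var.env_id}-bosh-subnet"
@@ -391,6 +410,13 @@ resource "aws_route" "bosh_route_table" {
 route_table_id = "${aws_route_table.bosh_route_table.id}"
 }
 
+resource "aws_route" "bosh_route_table_ipv6" {
+count = var.dualstack ? 1 : 0
+route_table_id = "${aws_route_table.bosh_route_table.id}"
+destination_ipv6_cidr_block = "::/0"
+egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
+}
+
 resource "aws_route_table_association" "route_bosh_subnets" {
 subnet_id = "${aws_subnet.bosh_subnet.id}"
 route_table_id = "${aws_route_table.bosh_route_table.id}"
@@ -401,6 +427,10 @@ resource "aws_subnet" "internal_subnets" {
 vpc_id = "${local.vpc_id}"
 cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index+1)}"
 availability_zone = "${element(var.availability_zones, count.index)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1)}" : null
+
+assign_ipv6_address_on_creation = var.dualstack
+enable_dns64 = var.dualstack
 
 tags = {
 Name = "${var.env_id}-internal-subnet${count.index}"
@@ -420,6 +450,13 @@ resource "aws_route_table" "nated_route_table" {
 }
 }
 
+resource "aws_route" "internal_subnets_route_table_ipv6" {
+count = var.dualstack ? 1 : 0
+route_table_id = "${aws_route_table.nated_route_table.id}"
+destination_ipv6_cidr_block = "::/0"
+egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
+}
+
 resource "aws_route_table_association" "route_internal_subnets" {
 count = "${length(var.availability_zones)}"
 subnet_id = "${element(aws_subnet.internal_subnets.*.id, count.index)}"
@@ -428,6 +465,19 @@ resource "aws_route_table_association" "route_internal_subnets" {
 
 resource "aws_internet_gateway" "ig" {
 vpc_id = "${local.vpc_id}"
+
+tags = {
+Name = "${var.env_id}"
+}
+}
+
+resource "aws_egress_only_internet_gateway" "egress_ipv6" {
+count = var.dualstack ? 1 : 0
+vpc_id = "${local.vpc_id}"
+
+tags = {
+Name = "${var.env_id}"
+}
 }
 
 locals {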
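Review bot: The jumpbox_ssh, jumpbox_rdp, jumpbox_agent and jumpbox_director hunks keep IPv4 ingress limited to `var.bosh_inbound_cidr` but the added `ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null` opens ports 22, 3389, 6868 and 25555 to every IPv6 source once dualstack is enabled, while the subnet hunks now give each instance an AWS-assigned (globally routable) IPv6 address. The restriction the IPv4 side expresses should carry over: add an inbound IPv6 CIDR variable (a constructed name such as `bosh_inbound_ipv6_cidr`, documented alongside `bosh_inbound_cidr`) and use `ipv6_cidr_blocks = var.dualstack ? [var.bosh_inbound_ipv6_cidr] : null` in those four rules, leaving `::/0` only where the IPv4 side is already `0.0.0.0/0`. The bosh and nated route tables only gain an egress-only gateway route, which limits exposure at the routing layer, but the security-group rules are the place where the intended inbound policy should be explicit. Separately, the subnet hunks index `aws_vpc.vpc[0]`, which only resolves if that resource has a `count`; the vpc.tf hunk in this commit does not show one, so that is worth confirming.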

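--- a/terraform/aws/templates/cf_lb.tf
+++ b/terraform/aws/templates/cf_lb.tf
@@ -10,6 +10,7 @@ resource "aws_security_group" "cf_ssh_lb_security_group" {
 
 ingress {
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 protocol = "tcp"
 from_port = 2222
 to_port = 2222
@@ -20,6 +21,7 @@ resource "aws_security_group" "cf_ssh_lb_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {
@@ -52,6 +54,7 @@ resource "aws_security_group" "cf_ssh_lb_internal_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {
@@ -111,20 +114,23 @@ resource "aws_security_group" "cf_router_lb_security_group" {
 
 ingress {
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 protocol = "tcp"
 from_port = 80
 to_port = 80
 }
 
 ingress {
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 protocol = "tcp"
 from_port = 443
 to_port = 443
 }
 
 ingress {
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 protocol = "tcp"
 from_port = 4443
 to_port = 4443
@@ -135,6 +141,7 @@ resource "aws_security_group" "cf_router_lb_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {
@@ -167,6 +174,7 @@ resource "aws_security_group" "cf_router_lb_internal_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {
@@ -257,6 +265,7 @@ resource "aws_security_group" "cf_tcp_lb_security_group" {
 
 ingress {
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 protocol = "tcp"
 from_port = 1024
 to_port = 1123
@@ -267,6 +276,7 @@ resource "aws_security_group" "cf_tcp_lb_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {
@@ -306,6 +316,7 @@ resource "aws_security_group" "cf_tcp_lb_internal_security_group" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 }
 
 tags = {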

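--- a/terraform/aws/templates/concourse_lb.tf
+++ b/terraform/aws/templates/concourse_lb.tf
@@ -18,6 +18,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_80" {
 from_port = 80
 to_port = 80
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }
@@ -28,6 +29,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_2222" {
 from_port = 2222
 to_port = 2222
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }
@@ -38,6 +40,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_443" {
 from_port = 443
 to_port = 443
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }
@@ -48,6 +51,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_egress" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }
@@ -141,6 +145,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_8844" {
 from_port = 8844
 to_port = 8844
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }
@@ -151,6 +156,7 @@ resource "aws_security_group_rule" "concourse_lb_internal_8443" {
 from_port = 8443
 to_port = 8443
 cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
 
 security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
 }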

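--- a/terraform/aws/templates/iso_segments.tf
+++ b/terraform/aws/templates/iso_segments.tf
@@ -24,10 +24,13 @@ locals {
 }
 
 resource "aws_subnet" "iso_subnets" {
-count = "${local.iso_az_count}"
-vpc_id = "${local.vpc_id}"
-cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones) + 1)}"
-availability_zone = "${element(var.availability_zones, count.index)}"
+count = "${local.iso_az_count}"
+vpc_id = "${local.vpc_id}"
+cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones) + 1)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 2 + length(var.availability_zones))}" : null
+availability_zone = "${element(var.availability_zones, count.index)}"
+assign_ipv6_address_on_creation = true
+enable_dns64 = true
 
 tags = {
 Name = "${var.env_id}-iso-subnet${count.index}"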
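Review bot: `assign_ipv6_address_on_creation = true` and `enable_dns64 = true` are unconditional here, unlike every other subnet in this commit, which ties both to `var.dualstack`; with the default `dualstack = false` this subnet has `ipv6_cidr_block = null`, and a subnet cannot be told to assign IPv6 addresses without an IPv6 CIDR, so any environment that defines isolation segments would fail to apply. Change them to `assign_ipv6_address_on_creation = var.dualstack` and `enable_dns64 = var.dualstack`. The /64 index `count.index + 2 + length(var.availability_zones)` also overlaps the lb_subnets range from lb_subnet.tf, which uses `count.index + 1 + length(var.availability_zones)` and so occupies N+1 through 2N; with two or more availability zones the second lb subnet and the first iso subnet request the same IPv6 block, which AWS will reject. Placing iso subnets after the lb range, e.g. `count.index + 1 + 2 * length(var.availability_zones)`, avoids the clash; the IPv4 layout does not have the same problem because it mixes /20 and /24 carve-outs.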

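--- a/terraform/aws/templates/lb_subnet.tf
+++ b/terraform/aws/templates/lb_subnet.tf
@@ -2,7 +2,10 @@ resource "aws_subnet" "lb_subnets" {
 count = "${length(var.availability_zones)}"
 vpc_id = "${local.vpc_id}"
 cidr_block = "${cidrsubnet(var.vpc_cidr, 8, count.index+2)}"
+ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1 + length(var.availability_zones))}" : null
 availability_zone = "${element(var.availability_zones, count.index)}"
+assign_ipv6_address_on_creation = var.dualstack
+enable_dns64 = var.dualstack
 
 tags = {
 Name = "${var.env_id}-lb-subnet${count.index}"
@@ -23,6 +26,13 @@ resource "aws_route" "lb_route_table" {
 route_table_id = "${aws_route_table.lb_route_table.id}"
 }
 
+resource "aws_route" "lb_route_table_ipv6" {
+count = var.dualstack ? 1 : 0
+route_table_id = "${aws_route_table.lb_route_table.id}"
+destination_ipv6_cidr_block = "::/0"
+egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
+}
+
 resource "aws_route_table_association" "route_lb_subnets" {
 count = "${length(var.availability_zones)}"
 subnet_id = "${element(aws_subnet.lb_subnets.*.id, count.index)}"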
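Review bot: `lb_route_table_ipv6` sends the IPv6 default route through the egress-only gateway, which by definition carries outbound traffic only; the load-balancer subnets are the ones that exist to accept traffic from the internet, so an IPv6 client could never reach a load balancer placed here, and the `::/0` ingress rules added in cf_lb.tf and concourse_lb.tf would never match. If the intent is to serve IPv6 clients, this route should use the internet gateway, `gateway_id = aws_internet_gateway.ig.id` in place of `egress_only_gateway_id = ...`, while the bosh and nated tables keep the egress-only gateway. If the intent is outbound-only IPv6 everywhere, the public `::/0` ingress additions in the load-balancer security groups should be dropped instead. Whether the load-balancer resources themselves are switched to dualstack addressing is outside this commit's hunks, so this reading of the intent is inferred.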

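--- a/terraform/aws/templates/vpc.tf
+++ b/terraform/aws/templates/vpc.tf
@@ -14,6 +14,7 @@ resource "aws_vpc" "vpc" {
 cidr_block = "${var.vpc_cidr}"
 instance_tenancy = "default"
 enable_dns_hostnames = true
+assign_generated_ipv6_cidr_block = var.dualstack
 
 tags = {
 Name = "${var.env_id}-vpc"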
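Review bot: The subnet hunks elsewhere in this commit read `aws_vpc.vpc[0].ipv6_cidr_block`, which only resolves if this resource carries a `count`; the resource header sits outside the hunk, so that cannot be confirmed here, and if the VPC is created unconditionally the references should be `aws_vpc.vpc.ipv6_cidr_block`. If `count` does exist so that an existing VPC can be supplied through `local.vpc_id`, then a dualstack deployment against that existing VPC has no `aws_vpc.vpc[0]` to index, and the subnet `ipv6_cidr_block` expressions would need a source for the IPv6 block that does not depend on this resource (for example a data source or an explicit variable). A one-line comment on the new attribute, `# IPv6 block is AWS-assigned; subnets derive their /64s from it via cidrsubnet()`, would make the dependency visible to the next reader.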
