feat: Add support for ipv6 (#66)

terraform-aws-modules · Jun 10, 2022 · 32dacc2 · 32dacc2
1 parent c5ac16c
commit 32dacc2
Show file tree

Hide file tree

Showing 12 changed files with 106 additions and 16 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.62.3
+    rev: v1.72.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v4.3.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ module "vpn_gateway" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   enable_vpn_gateway = true
   amazon_side_asn    = 64620
@@ -115,7 +115,10 @@ module "vpn_gateway" {
   source  = "terraform-aws-modules/vpn-gateway/aws"
   version = "~> 2.0"
 
-  connect_to_transit_gateway = true
+  create_vpn_gateway_attachment = false
+  connect_to_transit_gateway    = true
+
+  vpc_id                     = module.vpc.vpc_id
   transit_gateway_id         = aws_ec2_transit_gateway.this.id
   customer_gateway_id        = module.vpc.cgw_ids[0]
 
@@ -128,9 +131,9 @@ module "vpn_gateway" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
-  enable_vpn_gateway = true
+  enable_vpn_gateway = false
   amazon_side_asn    = 64620
 
   customer_gateways = {
@@ -165,7 +168,10 @@ module "vpn_gateway" {
   source  = "terraform-aws-modules/vpn-gateway/aws"
   version = "~> 2.0"
 
-  connect_to_transit_gateway = true
+  create_vpn_gateway_attachment = false
+  connect_to_transit_gateway    = true
+
+  vpc_id                     = module.vpc.vpc_id
   transit_gateway_id         = module.tgw.ec2_transit_gateway_id
   customer_gateway_id        = module.vpc.cgw_ids[0]
 
@@ -180,7 +186,7 @@ module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "~> 3.0"
 
-  enable_vpn_gateway = true
+  enable_vpn_gateway = false
   amazon_side_asn    = 64620
 
   customer_gateways = {
@@ -271,7 +277,9 @@ No modules.
 | <a name="input_create_vpn_gateway_attachment"></a> [create\_vpn\_gateway\_attachment](#input\_create\_vpn\_gateway\_attachment) | Set to false to prevent attachment of the VGW to the VPC | `bool` | `true` | no |
 | <a name="input_customer_gateway_id"></a> [customer\_gateway\_id](#input\_customer\_gateway\_id) | The id of the Customer Gateway. | `string` | n/a | yes |
 | <a name="input_local_ipv4_network_cidr"></a> [local\_ipv4\_network\_cidr](#input\_local\_ipv4\_network\_cidr) | (Optional) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_local_ipv6_network_cidr"></a> [local\_ipv6\_network\_cidr](#input\_local\_ipv6\_network\_cidr) | (Optional) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. | `string` | `"::/0"` | no |
 | <a name="input_remote_ipv4_network_cidr"></a> [remote\_ipv4\_network\_cidr](#input\_remote\_ipv4\_network\_cidr) | (Optional) The IPv4 CIDR on the AWS side of the VPN connection. | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_remote_ipv6_network_cidr"></a> [remote\_ipv6\_network\_cidr](#input\_remote\_ipv6\_network\_cidr) | (Optional) The IPv6 CIDR on AWS side of the VPN connection. | `string` | `"::/0"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Set of tags to be added to the VPN Connection resource (only if `create_vpn_connection = true`). | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | The ID of the Transit Gateway. | `string` | `null` | no |
 | <a name="input_tunnel1_dpd_timeout_action"></a> [tunnel1\_dpd\_timeout\_action](#input\_tunnel1\_dpd\_timeout\_action) | (Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart | `string` | `null` | no |
@@ -308,6 +316,7 @@ No modules.
 | <a name="input_tunnel2_rekey_margin_time_seconds"></a> [tunnel2\_rekey\_margin\_time\_seconds](#input\_tunnel2\_rekey\_margin\_time\_seconds) | (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2\_rekey\_fuzz\_percentage. Valid value is between 60 and half of tunnel2\_phase2\_lifetime\_seconds | `number` | `null` | no |
 | <a name="input_tunnel2_replay_window_size"></a> [tunnel2\_replay\_window\_size](#input\_tunnel2\_replay\_window\_size) | (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048. | `number` | `null` | no |
 | <a name="input_tunnel2_startup_action"></a> [tunnel2\_startup\_action](#input\_tunnel2\_startup\_action) | (Optional, Default add) The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start | `string` | `null` | no |
+| <a name="input_tunnel_inside_ip_version"></a> [tunnel\_inside\_ip\_version](#input\_tunnel\_inside\_ip\_version) | (Optional) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 \| ipv6. ipv6 Supports only EC2 Transit Gateway. | `string` | `"ipv4"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The id of the VPC where the VPN Gateway lives. | `string` | `null` | no |
 | <a name="input_vpc_subnet_route_table_count"></a> [vpc\_subnet\_route\_table\_count](#input\_vpc\_subnet\_route\_table\_count) | The number of subnet route table ids being passed in via `vpc_subnet_route_table_ids`. | `number` | `0` | no |
 | <a name="input_vpc_subnet_route_table_ids"></a> [vpc\_subnet\_route\_table\_ids](#input\_vpc\_subnet\_route\_table\_ids) | The ids of the VPC subnets for which routes from the VPN Gateway will be propagated. | `list(string)` | `[]` | no |

diff --git a/examples/complete-dual-vpn-gateway/README.md b/examples/complete-dual-vpn-gateway/README.md
@@ -39,7 +39,7 @@ Run `terraform destroy` when you don't need these resources.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 | <a name="module_vpn_gateway"></a> [vpn\_gateway](#module\_vpn\_gateway) | ../../ | n/a |
 | <a name="module_vpn_gateway2"></a> [vpn\_gateway2](#module\_vpn\_gateway2) | ../../ | n/a |
 

diff --git a/examples/complete-dual-vpn-gateway/main.tf b/examples/complete-dual-vpn-gateway/main.tf
@@ -48,7 +48,7 @@ resource "aws_customer_gateway" "secondary" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   name = "complete-dual-vpn-gateway"
 

diff --git a/examples/complete-vpn-connection-transit-gateway/README.md b/examples/complete-vpn-connection-transit-gateway/README.md
@@ -32,7 +32,7 @@ Run `terraform destroy` when you don't need these resources.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 | <a name="module_vpn_gateway_1"></a> [vpn\_gateway\_1](#module\_vpn\_gateway\_1) | ../../ | n/a |
 | <a name="module_vpn_gateway_2"></a> [vpn\_gateway\_2](#module\_vpn\_gateway\_2) | ../../ | n/a |
 

diff --git a/examples/complete-vpn-connection-transit-gateway/main.tf b/examples/complete-vpn-connection-transit-gateway/main.tf
@@ -5,32 +5,44 @@ provider "aws" {
 module "vpn_gateway_1" {
   source = "../../"
 
+  vpc_id              = module.vpc.vpc_id
   transit_gateway_id  = aws_ec2_transit_gateway.this.id
   customer_gateway_id = module.vpc.cgw_ids[0]
 
+  tunnel_inside_ip_version = "ipv6"
+
   # tunnel inside cidr & preshared keys (optional)
   tunnel1_inside_cidr   = "169.254.44.88/30"
   tunnel2_inside_cidr   = "169.254.44.100/30"
   tunnel1_preshared_key = "1234567890abcdefghijklmn"
   tunnel2_preshared_key = "abcdefghijklmn1234567890"
+
+  create_vpn_gateway_attachment = false
+  connect_to_transit_gateway    = true
 }
 
 module "vpn_gateway_2" {
   source = "../../"
 
+  vpc_id              = module.vpc.vpc_id
   transit_gateway_id  = aws_ec2_transit_gateway.this.id
   customer_gateway_id = module.vpc.cgw_ids[1]
 
+  tunnel_inside_ip_version = "ipv6"
+
   # tunnel inside cidr & preshared keys (optional)
   tunnel1_inside_cidr   = "169.254.33.88/30"
   tunnel2_inside_cidr   = "169.254.33.100/30"
   tunnel1_preshared_key = "1234567890abcdefghijklmn"
   tunnel2_preshared_key = "abcdefghijklmn1234567890"
+
+  create_vpn_gateway_attachment = false
+  connect_to_transit_gateway    = true
 }
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   name = "complete-vpn-gateway-transit-gateway"
 

diff --git a/examples/complete-vpn-gateway/README.md b/examples/complete-vpn-gateway/README.md
@@ -34,7 +34,7 @@ Run `terraform destroy` when you don't need these resources.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 | <a name="module_vpn_gateway"></a> [vpn\_gateway](#module\_vpn\_gateway) | ../../ | n/a |
 
 ## Resources

diff --git a/examples/complete-vpn-gateway/main.tf b/examples/complete-vpn-gateway/main.tf
@@ -27,7 +27,7 @@ resource "aws_customer_gateway" "main" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   name = "complete-vpn-gateway"
 

diff --git a/examples/minimal-vpn-gateway/README.md b/examples/minimal-vpn-gateway/README.md
@@ -34,7 +34,7 @@ Run `terraform destroy` when you don't need these resources.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 | <a name="module_vpn_gateway"></a> [vpn\_gateway](#module\_vpn\_gateway) | ../../ | n/a |
 
 ## Resources

diff --git a/examples/minimal-vpn-gateway/main.tf b/examples/minimal-vpn-gateway/main.tf
@@ -27,7 +27,7 @@ resource "aws_customer_gateway" "main" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   name = "minimal-vpn-gateway"
 

diff --git a/main.tf b/main.tf
@@ -71,9 +71,14 @@ resource "aws_vpn_connection" "default" {
   tunnel1_ike_versions = var.tunnel1_ike_versions
   tunnel2_ike_versions = var.tunnel2_ike_versions
 
+  tunnel_inside_ip_version = var.tunnel_inside_ip_version
+
   local_ipv4_network_cidr  = var.local_ipv4_network_cidr
   remote_ipv4_network_cidr = var.remote_ipv4_network_cidr
 
+  local_ipv6_network_cidr  = var.local_ipv6_network_cidr
+  remote_ipv6_network_cidr = var.remote_ipv6_network_cidr
+
   tags = merge(
     {
       "Name" = local.name_tag
@@ -142,9 +147,14 @@ resource "aws_vpn_connection" "tunnel" {
   tunnel1_ike_versions = var.tunnel1_ike_versions
   tunnel2_ike_versions = var.tunnel2_ike_versions
 
+  tunnel_inside_ip_version = var.tunnel_inside_ip_version
+
   local_ipv4_network_cidr  = var.local_ipv4_network_cidr
   remote_ipv4_network_cidr = var.remote_ipv4_network_cidr
 
+  local_ipv6_network_cidr  = var.local_ipv6_network_cidr
+  remote_ipv6_network_cidr = var.remote_ipv6_network_cidr
+
   tags = merge(
     {
       "Name" = local.name_tag
@@ -210,9 +220,14 @@ resource "aws_vpn_connection" "preshared" {
   tunnel1_ike_versions = var.tunnel1_ike_versions
   tunnel2_ike_versions = var.tunnel2_ike_versions
 
+  tunnel_inside_ip_version = var.tunnel_inside_ip_version
+
   local_ipv4_network_cidr  = var.local_ipv4_network_cidr
   remote_ipv4_network_cidr = var.remote_ipv4_network_cidr
 
+  local_ipv6_network_cidr  = var.local_ipv6_network_cidr
+  remote_ipv6_network_cidr = var.remote_ipv6_network_cidr
+
   tags = merge(
     {
       "Name" = local.name_tag
@@ -281,9 +296,14 @@ resource "aws_vpn_connection" "tunnel_preshared" {
   tunnel1_ike_versions = var.tunnel1_ike_versions
   tunnel2_ike_versions = var.tunnel2_ike_versions
 
+  tunnel_inside_ip_version = var.tunnel_inside_ip_version
+
   local_ipv4_network_cidr  = var.local_ipv4_network_cidr
   remote_ipv4_network_cidr = var.remote_ipv4_network_cidr
 
+  local_ipv6_network_cidr  = var.local_ipv6_network_cidr
+  remote_ipv6_network_cidr = var.remote_ipv6_network_cidr
+
   tags = merge(
     {
       "Name" = local.name_tag