updated VPC with IPAM config

Author: yuvraj-revnue

README.md

@@ -205,6 +205,9 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 
 | Name | Type |
 |------|------|
+| [aws_vpc_ipam.ipam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource |
+| [aws_vpc_ipam_pool.ipam_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |
+| [aws_vpc_ipam_pool_cidr.ipam_pool_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_ec2_instance_type.arch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
 
@@ -214,19 +217,24 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 |------|-------------|------|---------|:--------:|
 | <a name="input_auto_assign_public_ip"></a> [auto\_assign\_public\_ip](#input\_auto\_assign\_public\_ip) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | `bool` | `false` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `list(any)` | `[]` | no |
+| <a name="input_create_ipam_pool"></a> [create\_ipam\_pool](#input\_create\_ipam\_pool) | Whether create new IPAM pool | `bool` | `true` | no |
 | <a name="input_database_subnet_assign_ipv6_address_on_creation"></a> [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | <a name="input_database_subnet_cidrs"></a> [database\_subnet\_cidrs](#input\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no |
 | <a name="input_database_subnet_enabled"></a> [database\_subnet\_enabled](#input\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no |
 | <a name="input_default_network_acl_ingress"></a> [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br>  {<br>    "action": "deny",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 22,<br>    "protocol": "tcp",<br>    "rule_no": 98,<br>    "to_port": 22<br>  },<br>  {<br>    "action": "deny",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 3389,<br>    "protocol": "tcp",<br>    "rule_no": 99,<br>    "to_port": 3389<br>  },<br>  {<br>    "action": "allow",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_no": 100,<br>    "to_port": 0<br>  },<br>  {<br>    "action": "allow",<br>    "from_port": 0,<br>    "ipv6_cidr_block": "::/0",<br>    "protocol": "-1",<br>    "rule_no": 101,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | <a name="input_enable_database_subnet_group"></a> [enable\_database\_subnet\_group](#input\_enable\_database\_subnet\_group) | Whether create database subnet groups | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no |
+| <a name="input_existing_ipam_managed_cidr"></a> [existing\_ipam\_managed\_cidr](#input\_existing\_ipam\_managed\_cidr) | The existing IPAM pool CIDR | `string` | `""` | no |
 | <a name="input_flow_log_cloudwatch_log_group_kms_key_arn"></a> [flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
 | <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no |
 | <a name="input_flow_log_enabled"></a> [flow\_log\_enabled](#input\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
 | <a name="input_flow_log_max_aggregation_interval"></a> [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no |
 | <a name="input_intra_subnet_assign_ipv6_address_on_creation"></a> [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | <a name="input_intra_subnet_cidrs"></a> [intra\_subnet\_cidrs](#input\_intra\_subnet\_cidrs) | A list of intra subnets CIDR to be created | `list(any)` | `[]` | no |
 | <a name="input_intra_subnet_enabled"></a> [intra\_subnet\_enabled](#input\_intra\_subnet\_enabled) | Set true to enable intra subnets | `bool` | `false` | no |
+| <a name="input_ipam_enabled"></a> [ipam\_enabled](#input\_ipam\_enabled) | Whether enable IPAM managed VPC or not | `bool` | `false` | no |
+| <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | The existing IPAM pool id if any | `string` | `null` | no |
+| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | The netmask length for IPAM managed VPC | `number` | `16` | no |
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no |
 | <a name="input_ipv6_only"></a> [ipv6\_only](#input\_ipv6\_only) | Enable it for deploying native IPv6 network | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no |
@@ -237,6 +245,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 | <a name="input_public_subnet_assign_ipv6_address_on_creation"></a> [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | <a name="input_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | A list of public subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no |
 | <a name="input_public_subnet_enabled"></a> [public\_subnet\_enabled](#input\_public\_subnet\_enabled) | Set true to enable public subnets | `bool` | `false` | no |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region name | `string` | n/a | yes |
 | <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of the secondary CIDR blocks which can be at most 5 | `list(string)` | `[]` | no |
 | <a name="input_secondry_cidr_enabled"></a> [secondry\_cidr\_enabled](#input\_secondry\_cidr\_enabled) | Whether enable secondary CIDR with VPC | `bool` | `false` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the VPC | `string` | `"10.0.0.0/16"` | no |

examples/ipam-managed-vpc/README.md

@@ -0,0 +1,52 @@
+# IPAM VPC
+
+Configuration in this directory creates set of VPC resources with IPAM managed CIDRs
+
+IPAM pool with desired CIDR and its allocation which restricts the overlapping of CIDRs
+
+[Read more about AWS regions, availability zones and local zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones).
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc_ipam"></a> [vpc\_ipam](#module\_vpc\_ipam) | ../.. | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_region"></a> [region](#output\_region) | AWS Region |
+| <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/ipam-managed-vpc/main.tf

@@ -0,0 +1,27 @@
+locals {
+  region      = "us-east-1"
+  environment = "stage"
+  name        = "skaf"
+  additional_aws_tags = {
+    Owner      = "SquareOps"
+    Expires    = "Never"
+    Department = "Engineering"
+  }
+  vpc_cidr     = "10.10.0.0/16"
+  ipam_enabled = true
+}
+
+module "vpc_ipam" {
+  source = "../.."
+
+  name = local.name
+
+  ipam_enabled       = local.ipam_enabled
+  region             = local.region
+  create_ipam_pool   = true
+  vpc_cidr           = local.vpc_cidr
+  availability_zones = ["ap-south-1a", "ap-south-1b"]
+
+  private_subnet_enabled = true
+  public_subnet_enabled  = true
+}

examples/ipam-managed-vpc/output.tf

@@ -0,0 +1,19 @@
+output "region" {
+  description = "AWS Region"
+  value       = local.region
+}
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc_ipam.vpc_id
+}
+
+output "vpc_cidr_block" {
+  description = "AWS Region"
+  value       = module.vpc_ipam.vpc_cidr_block
+}
+
+output "public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc_ipam.public_subnets
+}

examples/ipam-managed-vpc/providers.tf

@@ -0,0 +1,6 @@
+provider "aws" {
+  region = local.region
+  default_tags {
+    tags = local.additional_aws_tags
+  }
+}

examples/vpc-native-ipv6/README.md

@@ -1,7 +1,7 @@
-# VPC with IPv6 support
+# VPC with Native IPv6 support
 
 
-VPC with dual stack IP mode enabled IPv6 and IPv4 includes public and private subnet will be created per availability zone in addition to single NAT Gateway shared between all availability zones.
+VPC with native IPv6 which includes public and private subnet will be created per availability zone in addition to single NAT Gateway shared between all availability zones.
 
 ## Usage
 

examples/vpc-with-secondary-cidr/README.md

@@ -1,7 +1,7 @@
-# VPC with Private Subnets
+# VPC with Multiple CIDR Supports
 
 
-A public and private subnet will be created per availability zone in addition to single NAT Gateway shared between all availability zones.
+MUltiple CIDRs can be attached with a VPC in addition of increasing numbers of IPs. A public and private subnet will be created per availability zone in addition to single NAT Gateway shared between all availability zones.
 
 ## Usage
 

main.tf

@@ -1,5 +1,6 @@
 locals {
   azs                   = length(var.availability_zones)
+  region_name           = var.region
   public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
   secondary_public_subnets = var.public_subnet_enabled && var.secondry_cidr_enabled ? [
     for cidr_block in var.secondary_cidr_blocks : [
@@ -69,6 +70,9 @@ module "vpc" {
   name                                            = format("%s-%s-vpc", var.environment, var.name)
   cidr                                            = var.vpc_cidr # CIDR FOR VPC
   azs                                             = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]]
+  use_ipam_pool                                   = var.ipam_enabled ? true : false
+  ipv4_ipam_pool_id                               = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id
+  ipv4_netmask_length                             = var.ipv4_netmask_length
   create_database_subnet_group                    = length(local.database_subnets) > 1 && var.enable_database_subnet_group ? true : false
   intra_subnets                                   = local.intra_subnets
   public_subnets                                  = local.public_subnets
@@ -186,3 +190,52 @@ module "vpn_server" {
   public_subnet            = module.vpc.public_subnets[0]
   vpn_server_instance_type = var.vpn_server_instance_type
 }
+
+resource "aws_vpc_ipam" "ipam" {
+  count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0
+  operating_regions {
+    region_name = local.region_name
+  }
+
+  #tags = var.tags
+}
+
+# IPv4
+resource "aws_vpc_ipam_pool" "ipam_pool" {
+  count                             = var.ipam_enabled && var.create_ipam_pool ? 1 : 0
+  description                       = "IPv4 pool"
+  address_family                    = "ipv4"
+  ipam_scope_id                     = aws_vpc_ipam.ipam[0].private_default_scope_id
+  locale                            = local.region_name
+  allocation_default_netmask_length = 16
+
+  #tags = var.tags
+}
+
+resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" {
+  count        = var.ipam_enabled ? 1 : 0
+  ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id
+  cidr         = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr
+}
+
+# resource "aws_vpc_ipam_preview_next_cidr" "this" {
+#   ipam_pool_id = aws_vpc_ipam_pool.this.id
+
+#   depends_on = [
+#     aws_vpc_ipam_pool_cidr.this
+#   ]
+# }
+
+# IPv6
+# resource "aws_vpc_ipam_pool" "ipv6" {
+#   count =
+#   description                       = "IPv6 pool"
+#   address_family                    = "ipv6"
+#   ipam_scope_id                     = aws_vpc_ipam.this.public_default_scope_id
+#   locale                            = var.region
+#   allocation_default_netmask_length = 56
+#   publicly_advertisable             = false
+#   aws_service                       = "ec2"
+
+#   #tags = var.tags
+# }

variables.tf

@@ -221,3 +221,44 @@ variable "enable_database_subnet_group" {
   default     = false
   type        = bool
 }
+
+# variable "tags" {
+#   description = "The Tags attached with the resources"
+#   default = {}
+#   type = any
+# }
+
+variable "ipam_pool_id" {
+  description = "The existing IPAM pool id if any"
+  default     = null
+  type        = string
+}
+
+variable "ipam_enabled" {
+  description = "Whether enable IPAM managed VPC or not"
+  default     = false
+  type        = bool
+}
+
+variable "create_ipam_pool" {
+  description = "Whether create new IPAM pool"
+  default     = true
+  type        = bool
+}
+
+variable "ipv4_netmask_length" {
+  description = "The netmask length for IPAM managed VPC"
+  default     = 16
+  type        = number
+}
+
+variable "region" {
+  description = "The AWS region name"
+  type        = string
+}
+
+variable "existing_ipam_managed_cidr" {
+  description = "The existing IPAM pool CIDR"
+  default     = ""
+  type        = string
+}