From d6d9afbf30a55efaa24d4a081f0c21df68d8a4e1 Mon Sep 17 00:00:00 2001
From: John Seekins
Date: Thu, 5 Dec 2024 14:46:55 -0700
Subject: [PATCH 1/5] allow for disabling private ipv6 only
Signed-off-by: John Seekins
---
 main.tf | 2 +-
 variables.tf | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 6b43e3f..63b60a9 100644
--- a/main.tf
+++ b/main.tf
@@ -137,7 +137,7 @@ locals {
 public4_enabled = local.public_enabled && local.ipv4_enabled
 public6_enabled = local.public_enabled && local.ipv6_enabled
 private4_enabled = local.private_enabled && local.ipv4_enabled
- private6_enabled = local.private_enabled && local.ipv6_enabled
+ private6_enabled = local.private_enabled && local.ipv6_enabled && ! var.disable_private_ipv6
 public_dns64_enabled = local.public6_enabled && var.public_dns64_nat64_enabled
 # Set the default for private_dns64_enabled to true unless there is no IPv4 egress to enable it.
diff --git a/variables.tf b/variables.tf
index 6eb2e21..0ff8e8e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,6 +102,13 @@ variable "ipv6_enabled" {
 nullable = false
 }
+variable "disable_private_ipv6" {
+ type = bool
+ description = "Set `true` to disable IPv6 addresses in private subnets"
+ default = false
+ nullable = false
+}
+
 variable "ipv4_cidr_block" {
 type = list(string)
 description = <<-EOT
From a313e077c6faf74830a90e88f08bc7776a4b06a9 Mon Sep 17 00:00:00 2001
From: John Seekins
Date: Thu, 5 Dec 2024 14:48:07 -0700
Subject: [PATCH 2/5] also allow for disabling public ipv6 only
Signed-off-by: John Seekins
---
 main.tf | 2 +-
 variables.tf | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 63b60a9..9a871ff 100644
--- a/main.tf
+++ b/main.tf
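Review bot: The description added for `disable_private_ipv6` in the variables.tf hunk reads as if the flag alone decides the outcome, but the main.tf hunk of the same patch computes `private6_enabled = local.private_enabled && local.ipv6_enabled && ! var.disable_private_ipv6`, so the flag can only narrow what the other two conditions already allow. I would append a sentence to the description, for example `Has no effect unless IPv6 and private subnets are both enabled.` It would also help operators to state what happens to an existing deployment when the value is flipped, since the resources that consume `private6_enabled` are outside the hunk and the effect on already-assigned IPv6 CIDRs cannot be judged from here. The same gap applies to `disable_public_ipv6` in patch 2 and carries through the renames in patches 3 and 5.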
@@ -135,7 +135,7 @@ locals {
 ipv6_egress_only_configured = local.ipv6_enabled && length(var.ipv6_egress_only_igw_id) > 0
 public4_enabled = local.public_enabled && local.ipv4_enabled
- public6_enabled = local.public_enabled && local.ipv6_enabled
+ public6_enabled = local.public_enabled && local.ipv6_enabled && ! var.disable_public_ipv6
 private4_enabled = local.private_enabled && local.ipv4_enabled
 private6_enabled = local.private_enabled && local.ipv6_enabled && ! var.disable_private_ipv6
diff --git a/variables.tf b/variables.tf
index 0ff8e8e..c007520 100644
--- a/variables.tf
+++ b/variables.tf
@@ -109,6 +109,13 @@ variable "disable_private_ipv6" {
 nullable = false
 }
+variable "disable_public_ipv6" {
+ type = bool
+ description = "Set `true` to disable IPv6 addresses in public subnets"
+ default = false
+ nullable = false
+}
+
 variable "ipv4_cidr_block" {
 type = list(string)
 description = <<-EOT
From 2f9733ff18ac661851389095134f4fcfe5ec9c42 Mon Sep 17 00:00:00 2001
From: John Seekins
Date: Mon, 9 Dec 2024 13:26:28 -0700
Subject: [PATCH 3/5] use simpler evals
Signed-off-by: John Seekins
---
 main.tf | 4 ++--
 variables.tf | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/main.tf b/main.tf
index 9a871ff..fef13c6 100644
--- a/main.tf
+++ b/main.tf
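Review bot: Gating `public6_enabled` on the new flag in the main.tf hunk also turns off DNS64 for public subnets without any signal, because the context of the first patch's main.tf hunk shows `public_dns64_enabled = local.public6_enabled && var.public_dns64_nat64_enabled`. A caller who sets `public_dns64_nat64_enabled = true` and disables public IPv6 gets a plan with no DNS64 and no error or warning. I would add a comment above the changed line, `# public_dns64_enabled below also becomes false when public IPv6 is disabled`, and name the dependency in the variable description. The `locals` block starts and ends outside the hunk, so any other consumer of `public6_enabled` is not visible here; the point carries through patches 3 and 5 unchanged.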
@@ -135,9 +135,9 @@ locals {
 ipv6_egress_only_configured = local.ipv6_enabled && length(var.ipv6_egress_only_igw_id) > 0
 public4_enabled = local.public_enabled && local.ipv4_enabled
- public6_enabled = local.public_enabled && local.ipv6_enabled && ! var.disable_public_ipv6
+ public6_enabled = local.public_enabled && local.ipv6_enabled && var.enable_public_ipv6
 private4_enabled = local.private_enabled && local.ipv4_enabled
- private6_enabled = local.private_enabled && local.ipv6_enabled && ! var.disable_private_ipv6
+ private6_enabled = local.private_enabled && local.ipv6_enabled && var.enable_private_ipv6
 public_dns64_enabled = local.public6_enabled && var.public_dns64_nat64_enabled
 # Set the default for private_dns64_enabled to true unless there is no IPv4 egress to enable it.
diff --git a/variables.tf b/variables.tf
index c007520..6db9164 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,17 +102,17 @@ variable "ipv6_enabled" {
 nullable = false
 }
-variable "disable_private_ipv6" {
+variable "enable_private_ipv6" {
 type = bool
- description = "Set `true` to disable IPv6 addresses in private subnets"
- default = false
+ description = "Set `false` to disable IPv6 addresses in private subnets"
+ default = true
 nullable = false
 }
-variable "disable_public_ipv6" {
+variable "enable_public_ipv6" {
 type = bool
 description = "Set `true` to disable IPv6 addresses in public subnets"
- default = false
+ default = true
 nullable = false
 }
From 3fcbcf2a57645d6b8ecd400dc5e10a7f226c599e Mon Sep 17 00:00:00 2001
From: John Seekins
Date: Mon, 9 Dec 2024 13:27:23 -0700
Subject: [PATCH 4/5] fix typo
Signed-off-by: John Seekins
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 6db9164..b75f054 100644
--- a/variables.tf
+++ b/variables.tf
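Review bot: `ipv6_egress_only_configured` in the first context line of the main.tf hunk still depends only on `local.ipv6_enabled`, so it stays true when `enable_private_ipv6` is `false` and an egress-only gateway ID is supplied. Whether that leaves an IPv6 route or other egress resource defined for private subnets that no longer have IPv6 depends on resources outside this hunk, so each consumer of that local should be checked for an additional `local.private6_enabled` gate. If the gateway turns out to be used only by private subnets, the local itself could be written `ipv6_egress_only_configured = local.private6_enabled && length(var.ipv6_egress_only_igw_id) > 0`. The `locals` block starts and ends outside the hunk, and the same line appears unchanged in patch 5.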
@@ -111,7 +111,7 @@ variable "enable_private_ipv6" {
 variable "enable_public_ipv6" {
 type = bool
- description = "Set `true` to disable IPv6 addresses in public subnets"
+ description = "Set `false` to disable IPv6 addresses in public subnets"
 default = true
 nullable = false
 }
From bbaf22f5b75c0630d90ca058587400ce04027e1f Mon Sep 17 00:00:00 2001
From: John Seekins
Date: Tue, 10 Dec 2024 07:50:13 -0700
Subject: [PATCH 5/5] more consistent naming
Signed-off-by: John Seekins
---
 main.tf | 4 ++--
 variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index fef13c6..6e64e6a 100644
--- a/main.tf
+++ b/main.tf
@@ -135,9 +135,9 @@ locals {
 ipv6_egress_only_configured = local.ipv6_enabled && length(var.ipv6_egress_only_igw_id) > 0
 public4_enabled = local.public_enabled && local.ipv4_enabled
- public6_enabled = local.public_enabled && local.ipv6_enabled && var.enable_public_ipv6
+ public6_enabled = local.public_enabled && local.ipv6_enabled && var.public_ipv6_enabled
 private4_enabled = local.private_enabled && local.ipv4_enabled
- private6_enabled = local.private_enabled && local.ipv6_enabled && var.enable_private_ipv6
+ private6_enabled = local.private_enabled && local.ipv6_enabled && var.private_ipv6_enabled
 public_dns64_enabled = local.public6_enabled && var.public_dns64_nat64_enabled
 # Set the default for private_dns64_enabled to true unless there is no IPv4 egress to enable it.
diff --git a/variables.tf b/variables.tf
index b75f054..7d9b372 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,14 +102,14 @@ variable "ipv6_enabled" {
 nullable = false
 }
-variable "enable_private_ipv6" {
+variable "private_ipv6_enabled" {
 type = bool
 description = "Set `false` to disable IPv6 addresses in private subnets"
 default = true
 nullable = false
 }
-variable "enable_public_ipv6" {
+variable "public_ipv6_enabled" {
 type = bool
 description = "Set `false` to disable IPv6 addresses in public subnets"
 default = true