aws-ia / terraform-aws-ipam

Terraform Module for create AWS IPAM Resources
https://registry.terraform.io/modules/aws-ia/ipam/aws/latest
Apache License 2.0

Excluding CIDRs when creating pools #68

Open oponomarov-tu opened 1 month ago

oponomarov-tu commented 1 month ago

Hi,

cidr_allocations input variable has been removed in https://github.com/aws-ia/terraform-aws-ipam/commit/d04f955cca1c9e96ba00af70ea4079496d45154f (https://github.com/aws-ia/terraform-aws-ipam/pull/10). How does one ensure that a certain CIDR is excluded from the top-level root pool?

Something like this does not work:

module "ipam" {
  source  = "aws-ia/ipam/aws"
  version = "2.1.0"

  top_name = "root ipam"
  top_cidr = ["172.16.0.0/12"]

  pool_configurations = {
    (data.aws_region.current.name) = {

      description    = "${data.aws_region.current.name} top level pool"
      netmask_length = 16
      locale         = data.aws_region.current.name
      sub_pools = {

        development = {
          name                     = "development"
          netmask_length           = 18
          ram_share_principals     = ["<redacted>"]
          allocation_resource_tags = { env = "development" }
        }

        ...

      }
    }
  }
}

resource "aws_vpc_ipam_pool_cidr_allocation" "on_prem_172_networks" {
  ipam_pool_id = module.ipam.pool_level_0.id

  cidr  = "172.16.0.0/20"
}

drewmullen commented 1 month ago

Try setting top_locale.

Allocations are only made in the pools with a locale and… iirc you must also be constructing your provider in the same region where the locale is (I could be wrong on this point).

rwejdling commented 1 month ago

It's a timing issue. The sub-pools are allocated when the module is applied and the CIDR that we want to allocate (exclude) is already allocated to the first sub-pool.

So we get this error when trying to allocate the CIDR we want to exclude:

[image: screenshot of the allocation error]

So either we need to:

  1. Add a feature to the module so CIDRs that should be excluded are allocated in the top-pool before the sub-pools are applied. I.e., add a top_cidr_allocations input var to the module.
  2. Create a sub-pool that we must not use, to allocate the space in the top-pool.
  3. Create the IPAM top-pool, allocate the exclusion, and then add the sub-pools (this will leave us in a state that can't easily be reapplied).

Would option 1. make sense to add to this module as a general feature going forward? Otherwise we'll just go with one of our workarounds.
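
Option 3 above becomes reapplyable if the ordering is written into the Terraform graph with explicit dependencies instead of being done by hand. The configuration below is an added example for this thread, not code from the aws-ia/terraform-aws-ipam module or from either commenter: it builds the same hierarchy as the snippet in the opening post directly from aws provider resources, reserves the on-prem 172.16.0.0/20 in the top-level pool first, and only then lets IPAM carve the regional /16, so the reserved range can never be handed to a sub-pool or a VPC. It assumes that a manual aws_vpc_ipam_pool_cidr_allocation is accepted in a top-level pool without a locale (the overlap error in the screenshot suggests the call does reach the pool, but drewmullen's comment above notes he is unsure), and that the provider region matches the regional pool's locale.

```hcl
# Added example (not part of the module or this thread). Assumes provider.aws
# is configured for the same region used as the regional pool's locale.
data "aws_region" "current" {}

resource "aws_vpc_ipam" "main" {
  description = "root ipam"
  operating_regions {
    region_name = data.aws_region.current.name
  }
}

# Top-level pool: no locale, only used to provision space to child pools.
resource "aws_vpc_ipam_pool" "top" {
  address_family = "ipv4"
  ipam_scope_id  = aws_vpc_ipam.main.private_default_scope_id
  description    = "root ipam"
}

resource "aws_vpc_ipam_pool_cidr" "top" {
  ipam_pool_id = aws_vpc_ipam_pool.top.id
  cidr         = "172.16.0.0/12"
}

# Reservation: take the on-prem range out of the top pool BEFORE any child
# pool is provisioned. Assumption: manual allocations work in a pool that
# has no locale.
resource "aws_vpc_ipam_pool_cidr_allocation" "on_prem_172_networks" {
  ipam_pool_id = aws_vpc_ipam_pool.top.id
  cidr         = "172.16.0.0/20"
  description  = "reserved for on-prem networks, never allocate"

  depends_on = [aws_vpc_ipam_pool_cidr.top]
}

# Regional pool, locale bound to the provider's region.
resource "aws_vpc_ipam_pool" "regional" {
  address_family      = "ipv4"
  ipam_scope_id       = aws_vpc_ipam.main.private_default_scope_id
  source_ipam_pool_id = aws_vpc_ipam_pool.top.id
  locale              = data.aws_region.current.name
  description         = "${data.aws_region.current.name} top level pool"
}

# The regional /16 is carved from the top pool only after the reservation
# exists, so IPAM must skip any /16 that overlaps 172.16.0.0/20.
resource "aws_vpc_ipam_pool_cidr" "regional" {
  ipam_pool_id   = aws_vpc_ipam_pool.regional.id
  netmask_length = 16

  depends_on = [aws_vpc_ipam_pool_cidr_allocation.on_prem_172_networks]
}

# One environment sub-pool, mirroring the "development" entry in the issue.
resource "aws_vpc_ipam_pool" "development" {
  address_family      = "ipv4"
  ipam_scope_id       = aws_vpc_ipam.main.private_default_scope_id
  source_ipam_pool_id = aws_vpc_ipam_pool.regional.id
  locale              = data.aws_region.current.name
  description         = "development"

  allocation_resource_tags = {
    env = "development"
  }
}

resource "aws_vpc_ipam_pool_cidr" "development" {
  ipam_pool_id   = aws_vpc_ipam_pool.development.id
  netmask_length = 18

  depends_on = [aws_vpc_ipam_pool_cidr.regional]
}
```

Two consequences worth checking before adopting this. First, because child pools are provisioned whole blocks, reserving a /20 in a pool that hands out /16s makes the entire 172.16.0.0/16 unusable for children; if the on-prem range is meant to live inside a particular region's space, place the reservation in that regional pool instead (the allocation resource then has to run from a provider in that region, per the comment above). Second, on a later plan the depends_on edges keep the order stable, so a destroy/recreate of the regional pool CIDR still happens after the reservation exists rather than racing it.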

drewmullen commented 1 month ago

Initially I had set the allocations inside but it ended up being impossible because of how the TF provider client and subsequent calls are made to regions :/ which is how you found the PR where I took it out.

Your best bet may be to use the sub-pool module and roll your own graph with the structure forced by the parent module.

I am sorry! I really wish this was possible… The problem has to do with the fact that IPAM as a service is managed from a single region, but then also adds items that are accessible via other regions. The resource for an allocation has to call the region directly, which is not possible with a module since we're speaking to the "parent region". Or, rather, it's only possible in the parent region.

Some hope… there's a proposal to allow for setting region on a resource, individually… if this ever gets merged that would help resolve this type of issue: https://github.com/hashicorp/terraform-provider-aws/pull/31517