Add BYOIP usage support to VPCs

[gwvandesteeg]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There are a variety of components that need to be added and update to allow for the creation of VPCs when using BYOIP, especially since the support for IPv6 BYOIP was added. This feature request only defines the changes needed to utilise the BYOIP blocks not the loading and activation of the BYOIP blocks (as such we exclude the provision-byoip-cidr, advertise-byoip-cidr, and withdraw-byoip-cidr CLI command functionality)

User Stories

• As an IaC engineer I want to be able to explicitly specify my own IPv6 pool added to the AWS account via BYOIP when creating a VPC so that we can utilise the IP addresses from that range.
• As an IaC engineer I want to be able to get a list of IPv6 pools we've added to a specific AWS account via BYOIP so that we can utilise the ranges programatically in the remaining infrastructure.
• As an IaC engineer i want to be able to get a list of IPv4 address pools we've added to a specific AWS account via BYOIP so that we can utilise the ranges programatically in the remaining infrastructure.
• As an IaC engineer I want to be able to add an additional block from our IPv6 pool to an existing VPC so that we can add our BYOIP IPv6 pool to an existing VPC and add IPv6 functionality to these pre-existing VPCs.
• As an IaC engineer I want to be able to explicitly specify the IP address from our IPv4 BYOIP pools when creating an Elastic IP so that we can control which IPs are utilised instead of randomly having them allocated from the pool.

This last User story allows us to deal with certain network applications that do not function well behind NAT connections, by creating a VPC with the same network range as your public range you can then trick the application in thinking it is not behind NAT. Let's say you have 1.2.3.0/24 as your BYOIP block, you create a VPC that also has 1.2.3.0/24 as its subnet then you can spin up instances inside that VPC that have IPs in this IP range on the EC2 instance. By then allocating an EIP with the exact same IP to these instances to the world and the application they all believe they are on this IP and the network traffic gets routed correctly. (It looks crazy but it works).

New or Affected Resource(s)

• resource: aws_vpc - the ipv6-pool, ipv6-cidr-block parameters need to be added at a minimum
• data: aws_vpc_ipv6_pools - implement the DescribeIpv6Pools API
• data: aws_vpc_public_ipv4_pools - implement the DescribePublicIpv4Pools
• resource: aws_vpc_ipv6_cidr_block_association - implement the IPv6 variant of AssociateVpcCidrBlock
• resource: aws_eip - ability to explicitly specify the address from the IPv4 BYOIP pool(s)

Potential Terraform Configuration

data "aws_vpc_ipv6_pools" "pools"  {}

data "aws_vpc_public_ipv4_pools" "pools" {}

resource "aws_vpc" "vpc" {
  ipv6_cidr_block = data.aws_vpc_ipv6_pools.pools[0].cidr
  ipv6_pool = data.aws_vpc_ipv6_pools.pools[0].id
}

resource "aws_eip" "eip" {
  address = cidrhost(data.aws_vpc_public_ipv4_pools.pools[0].cidr, 1)
}

References

BYOIP

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html

aws_vpc change:

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpc.html

aws_vpc_ipv6_pools addition:

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpv6Pools.html

aws_vpc_public_ipv4_pools addtion:

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePublicIpv4Pools.html

aws_vpc_ipv6_cidr_block_association addition:

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateVpcCidrBlock.html

aws_eip change:

• 8004

• 6521

• 6251

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AllocateAddress.html

[ewbankkit]

Support for a aws_vpc_ipv6_cidr_block_association resource also mentioned here.

[YakDriver]

See #8876 for partial fix to this.

[AdamTylerLynch]

Related #21998

Need to scope of effort to to finish BYOIP.

[hoo29]

You can achieve this by using terraform to provision a cloudformation stack with a AWS::EC2::VPCCidrBlock resource. e.g.

resource "aws_cloudformation_stack" "ipv6" {
  name = "terraform-cf"

  parameters = {
    IPv6Cidr   = local.ipv6_cidr
    IPv6Poolid = local.ipv6_pool_id
    VpcId      = local.vpc_id
  }

  template_body = <<STACK
{
  "Parameters": {
    "IPv6Cidr": {
      "Type": "String",
      "Description": "Enter the IPv6 CIDR block for the VPC."
    },
    "IPv6Poolid": {
      "Type": "String",
      "Description": "Enter the IPv6 Pool ID for the CIDR block."
    },
    "VpcId": {
      "Type": "String",
      "Description": "Enter the VPC ID."
    }
  },
  "Resources": {
    "myVpc": {
      "Type": "AWS::EC2::VPCCidrBlock",
      "Properties": {
        "Ipv6CidrBlock": {
          "Ref": "IPv6Cidr"
        },
        "Ipv6Pool": {
          "Ref": "IPv6Poolid"
        },
        "VpcId": {
          "Ref": "VpcId"
        }
      }
    }
  }
}
STACK
}

Then ensure you include a depends_on reference to this resource in your aws_subnet resources.

[andyshinn]

I didn't see it on the list. But I would like the ability to start advertising the BYOIP CIDR. You can currently bring it into IPAM> But you cannot advertise it in Terraform.