Open fluxth opened 7 months ago
Voting for Prioritization
Volunteering to Work on This Issue
Both the OpenInstancePublicPorts API reference and the Go V2 SDK code do not list icmpv6
as a valid protocol value. I suspect that you'd just specify icmp
for protocol
and ipv6_cidrs
to allow ICMP v6 traffic. This note that I saw from the documentation may also be relevant:
ICMPv6 - The ICMP type for IPv6 addresses. For example, specify 128 as the fromPort (ICMPv6 type), and 0 as toPort (ICMPv6 code).
Could you please try it out if you haven't and post back on the results? If it works, we can improve the documentation with this information.
api error InvalidParams: ICMP supports only IPv4 CIDRs
I also tried aws-cli:
An error occurred (InvalidInputException) when calling the OpenInstancePublicPorts operation: ICMP supports only IPv4 CIDRs.
Edit: I misspoke about the Terraform code using OpenInstancePublicPorts
- it's actually using PutInstancePublicPorts
. But it would still fail with the AWS Go SDK v2 because the enum for the protocols doesn't include icmpv6
resulting in a pre-request validation error.
I decided to apply the same change in the UI and then look at the CloudTrail event, and indeed the API supports the type icmpv6
. Here is the relevant portInfos
list entry:
{
"toPort": -1,
"cidrs": [],
"ipv6Cidrs": [
"::/0"
],
"protocol": "icmpv6",
"cidrListAliases": [],
"fromPort": -1
},
I also see that the UI uses PutInstancePublicPorts
behind the scenes vs. OpenInstancePublicPorts
in the Terraform resource code, but I suspect that it doesn't really matter as long as the two APIs are used correctly.
At this point, I would recommend either opening an AWS support ticket (since all tools/SDKs + docs don't seem to support icmpv6
), or an issue at the aws-sdk-go-v2 GitHub repository. Only then we can make the downstream changes in the Terraform AWS Provider.
Oh. It indeed works ok using aws-cli and put-instance-public-ports
aws lightsail put-instance-public-ports --cli-input-json '{"portInfos":[{"fromPort":128,"toPort":0,"protocol":"icmpv6","cidrs":[],"ipv6Cidrs":["::/0"],"cidrListAliases":[]}],"instanceName":"my-lightsail-instance"}'
I got a success response:
{
"operation": {
"id": "5ee6b65c-0252-44c6-a4dc-d19a76fd1932",
"resourceName": "my-lightsail-instance",
"resourceType": "Instance",
"createdAt": "2024-04-03T02:22:24.971000-03:00",
"location": {
"availabilityZone": "us-east-2a",
"regionName": "us-east-2"
},
"isTerminal": true,
"operationDetails": "128-0/icmpv6",
"operationType": "PutInstancePublicPorts",
"status": "Succeeded",
"statusChangedAt": "2024-04-03T02:22:24.971000-03:00"
}
}
Thanks @nbensa for the additional info. Since there just seems to be inconsistent support, I've opened an AWS support case from my own account asking for the following:
- Check and make sure that both OpenInstancePublicPorts and PutInstancePublicPorts APIs do indeed support icmpv6 as the protocol.
- Update the API reference for the icmpv6 protcol as appropriate.
- Ensure that AWS CLI supports both.
- Ensure that AWS Go SDK v2 supports both. Also ensure that all other SDKs support the same.
This issue will probably take some time to resolve but we should be on the right track.
Terraform Core Version
1.7.1
AWS Provider Version
5.34.0
Affected Resource(s)
aws_lightsail_instance_public_ports
Expected Behavior
icmpv6
protocol should be allowed inaws_lightsail_instance_public_ports
resources.This is the diff when setting
icmpv6
from the web console:Actual Behavior
When
icmpv6
protocol is configured as a rule inaws_lightsail_instance_public_ports
, terraform throws an error and refuses to continue.Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Configure
icmpv6
protocol in a rule inaws_lightsail_instance_public_ports
resource, terraform will throw an error and refuse to continue.Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None