Change in IPv6 handling; outputs

PaloAltoNetworks · Sep 16, 2024 · 10f078a · 10f078a
1 parent 11e8126
commit 10f078a
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 7 deletions.
diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md
@@ -32,6 +32,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [google_compute_address.private](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
+| [google_compute_address.private_v6](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
 | [google_compute_address.public](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
 | [google_compute_address.public_v6](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
 | [google_compute_instance.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
@@ -57,7 +58,7 @@ No modules.
 | <a name="input_min_cpu_platform"></a> [min\_cpu\_platform](#input\_min\_cpu\_platform) | Minimum CPU platform for the compute instance. Up to date version can be found [here](https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform). | `string` | `"Intel Cascade Lake"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the VM-Series instance. | `string` | n/a | yes |
 | <a name="input_named_ports"></a> [named\_ports](#input\_named\_ports) | The list of named ports to create in the instance group:<pre>named_ports = [<br>  {<br>    name = "http"<br>    port = "80"<br>  },<br>  {<br>    name = "app42"<br>    port = "4242"<br>  },<br>]</pre>The name identifies the backend port to receive the traffic from the global load balancers.<br>Practically, tcp port 80 named "http" works even when not defined here, but it's not a documented provider's behavior. | `list` | `[]` | no |
-| <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | List of the network interface specifications.<br>Available options:<br>- `subnetwork`                  - (Required\|string) Self-link of a subnetwork to create interface in.<br>- `stack_type`                  - (Optional\|string) IP stack to use: IPV4\_ONLY (default) or IPV4\_IPV6.<br>- `private_ip_name`             - (Optional\|string) Name for a private IPv4 address to reserve.<br>- `private_ip`                  - (Optional\|string) Private IPv4 address to reserve.<br>- `create_public_ip`            - (Optional\|boolean) Whether to reserve public IPv4 address for the interface. Ignored if `public_ip` is provided. Defaults to 'false'.<br>- `public_ip_name`              - (Optional\|string) Name for a public IPv4 address to reserve.<br>- `public_ip`                   - (Optional\|string) Existing public IPv4 address to use.<br>- `public_ptr_domain_name`      - (Optional\|string) Existing public IPv4 address PTR name to use.<br>- `alias_ip_ranges`             - (Optional\|list) List of objects that define additional IP ranges for an interface, as specified [here](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#ip_cidr_range)<br>- `create_public_ipv6`          - (Optional\|boolean) Whether to reserve public IPv6 address for the interface. Ignored if `public_ipv6` is provided. Defaults to 'false'.<br>- `public_ipv6_name`            - (Optional\|string) Name for a public IPv6 address to reserve.<br>- `public_ipv6`                 - (Optional\|string) Existing public IPv6 address to use.<br>- `public_ipv6_ptr_domain_name` - (Optional\|string) Existing public IPv6 address PTR name to use. | `list(any)` | n/a | yes |
+| <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | List of the network interface specifications.<br>Available options:<br>- `subnetwork`                  - (Required\|string) Self-link of a subnetwork to create interface in.<br>- `stack_type`                  - (Optional\|string) IP stack to use: IPV4\_ONLY (default) or IPV4\_IPV6.<br>- `private_ip_name`             - (Optional\|string) Name for a private IPv4 address to reserve.<br>- `private_ip`                  - (Optional\|string) Private IPv4 address to reserve.<br>- `create_public_ip`            - (Optional\|boolean) Whether to reserve public IPv4 address for the interface. Ignored if `public_ip` is provided. Defaults to 'false'.<br>- `public_ip_name`              - (Optional\|string) Name for a public IPv4 address to reserve.<br>- `public_ip`                   - (Optional\|string) Existing public IPv4 address to use.<br>- `public_ptr_domain_name`      - (Optional\|string) Existing public IPv4 address PTR name to use.<br>- `alias_ip_ranges`             - (Optional\|list) List of objects that define additional IP ranges for an interface, as specified [here](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#ip_cidr_range)<br>- `create_public_ipv6`          - (Optional\|boolean) Whether to reserve public IPv6 address for the interface. Ignored if `public_ipv6` is provided. Defaults to 'false'.<br>- `private_ipv6_name`           - (Optional\|string) Name for a private IPv6 address to reserve. Is relevant when a VPC has IPv6 ULA range.<br>- `create_private_ipv6`         - (Optional\|boolean) Whether to reserve private IPv6 address for the interface. Is relevant when a VPC has IPv6 ULA range. If not specified or is 'false' (default) an ephemeral IPv6 address is assigned to the interface.<br>- `public_ipv6_name`            - (Optional\|string) Name for a public IPv6 address to reserve.<br>- `public_ipv6`                 - (Optional\|string) Existing public IPv6 address to use. Specify address with a netmask, for example: 2600:1900:4020:bd2:8000:1::/96.<br>- `public_ipv6_ptr_domain_name` - (Optional\|string) Existing public IPv6 address PTR name to use. | `list(any)` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | n/a | `string` | `null` | no |
 | <a name="input_resource_policies"></a> [resource\_policies](#input\_resource\_policies) | n/a | `list(string)` | `[]` | no |
 | <a name="input_scopes"></a> [scopes](#input\_scopes) | n/a | `list(string)` | <pre>[<br>  "https://www.googleapis.com/auth/compute.readonly",<br>  "https://www.googleapis.com/auth/cloud.useraccounts.readonly",<br>  "https://www.googleapis.com/auth/devstorage.read_only",<br>  "https://www.googleapis.com/auth/logging.write",<br>  "https://www.googleapis.com/auth/monitoring.write"<br>]</pre> | no |
@@ -74,6 +75,8 @@ No modules.
 | <a name="output_instance"></a> [instance](#output\_instance) | n/a |
 | <a name="output_instance_group"></a> [instance\_group](#output\_instance\_group) | n/a |
 | <a name="output_instance_group_self_link"></a> [instance\_group\_self\_link](#output\_instance\_group\_self\_link) | n/a |
+| <a name="output_ipv6_private_ips"></a> [ipv6\_private\_ips](#output\_ipv6\_private\_ips) | n/a |
+| <a name="output_ipv6_public_ips"></a> [ipv6\_public\_ips](#output\_ipv6\_public\_ips) | n/a |
 | <a name="output_private_ips"></a> [private\_ips](#output\_private\_ips) | n/a |
 | <a name="output_public_ips"></a> [public\_ips](#output\_public\_ips) | n/a |
 | <a name="output_self_link"></a> [self\_link](#output\_self\_link) | n/a |

diff --git a/modules/vmseries/main.tf b/modules/vmseries/main.tf
@@ -14,8 +14,8 @@ locals {
   }
   ipv6_access_configs = {
     for k, v in var.network_interfaces : k => {
-      external_ipv6               = try(v.public_ipv6, null) != null ? v.public_ipv6 : local.create_public_ipv6[k]
-      external_ipv6_prefix_length = try(v.public_ipv6, null) != null ? try(v.public_ipv6_prefix_length, null) : google_compute_address.public_v6[k].prefix_length
+      external_ipv6               = try(split("/", v.public_ipv6)[0], google_compute_address.public_v6[k].address, null)
+      external_ipv6_prefix_length = try(split("/", v.public_ipv6)[1], google_compute_address.public_v6[k].prefix_length, null)
       public_ptr_domain_name      = try(v.public_ipv6_ptr_domain_name, null)
     }
     if try(v.public_ipv6, null) != null || local.create_public_ipv6[k]
@@ -52,6 +52,17 @@ resource "google_compute_address" "private" {
   region       = data.google_compute_subnetwork.this[each.key].region
 }
 
+resource "google_compute_address" "private_v6" {
+  for_each = { for k, v in var.network_interfaces : k => v if try(v.stack_type, "IPV4_ONLY") == "IPV4_IPV6" && try(v.create_private_ipv6, false) == true }
+
+  name         = try(each.value.private_ipv6_name, "${var.name}-${each.key}-private-v6")
+  address_type = "INTERNAL"
+  ip_version   = "IPV6"
+  project      = var.project
+  subnetwork   = each.value.subnetwork
+  region       = data.google_compute_subnetwork.this[each.key].region
+}
+
 resource "google_compute_address" "public" {
   for_each = { for k, v in var.network_interfaces : k => v if local.create_public_ip[k] && try(v.public_ip, null) == null }
 
@@ -105,9 +116,10 @@ resource "google_compute_instance" "this" {
     for_each = var.network_interfaces
 
     content {
-      stack_type = try(network_interface.value.stack_type, "IPV4_ONLY")
-      network_ip = google_compute_address.private[network_interface.key].address
-      subnetwork = network_interface.value.subnetwork
+      stack_type   = try(network_interface.value.stack_type, "IPV4_ONLY")
+      network_ip   = google_compute_address.private[network_interface.key].address
+      ipv6_address = try(google_compute_address.private_v6[network_interface.key].address, null)
+      subnetwork   = network_interface.value.subnetwork
 
       dynamic "access_config" {
         for_each = try(local.access_configs[network_interface.key] != null, false) ? ["one"] : []

diff --git a/modules/vmseries/outputs.tf b/modules/vmseries/outputs.tf
@@ -18,6 +18,15 @@ output "private_ips" {
   value = { for k, v in google_compute_instance.this.network_interface : k => v.network_ip }
 }
 
+output "ipv6_private_ips" {
+  value = { for k, v in google_compute_instance.this.network_interface : k => v.ipv6_address }
+}
+
 output "public_ips" {
   value = { for k, v in google_compute_instance.this.network_interface : k => v.access_config[0].nat_ip if length(v.access_config) != 0 }
 }
+
+output "ipv6_public_ips" {
+  value = { for k, v in google_compute_instance.this.network_interface :
+  k => "${v.ipv6_access_config[0].external_ipv6}/${v.ipv6_access_config[0].external_ipv6_prefix_length}" if length(v.ipv6_access_config) != 0 }
+}
diff --git a/modules/vmseries/variables.tf b/modules/vmseries/variables.tf
@@ -27,8 +27,10 @@ variable "network_interfaces" {
   - `public_ptr_domain_name`      - (Optional|string) Existing public IPv4 address PTR name to use.
   - `alias_ip_ranges`             - (Optional|list) List of objects that define additional IP ranges for an interface, as specified [here](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#ip_cidr_range)
   - `create_public_ipv6`          - (Optional|boolean) Whether to reserve public IPv6 address for the interface. Ignored if `public_ipv6` is provided. Defaults to 'false'.
+  - `private_ipv6_name`           - (Optional|string) Name for a private IPv6 address to reserve. Is relevant when a VPC has IPv6 ULA range.
+  - `create_private_ipv6`         - (Optional|boolean) Whether to reserve private IPv6 address for the interface. Is relevant when a VPC has IPv6 ULA range. If not specified or is 'false' (default) an ephemeral IPv6 address is assigned to the interface.
   - `public_ipv6_name`            - (Optional|string) Name for a public IPv6 address to reserve.
-  - `public_ipv6`                 - (Optional|string) Existing public IPv6 address to use.
+  - `public_ipv6`                 - (Optional|string) Existing public IPv6 address to use. Specify address with a netmask, for example: 2600:1900:4020:bd2:8000:1::/96.
   - `public_ipv6_ptr_domain_name` - (Optional|string) Existing public IPv6 address PTR name to use.
   EOF
   type        = list(any)