Add IPv6 Support

Author: robo-cap

docs/terraformoptions.adoc

@@ -24,6 +24,7 @@
 | create_nat_gateway | Whether to create an NAT gateway. | bool | false|
 | create_service_gateway | Whether to create a service gateway to use Oracle Services. | bool | false|
 | enable_ipv6 | (Updatable) Whether IPv6 is enabled for the VCN. If enabled, Oracle will assign the VCN a IPv6 /56 CIDR block. | bool | false|
+| igw_ngw_mixed_route_table_display_name | (Updatable) Name of the Mixed Route Table (NGW for IPv4, IGW for IPv6). Does not have to be unique. | string | igw-ngw-mixed-gateway |
 | internet_gateway_display_name | (Updatable) Name of Internet Gateway. Does not have to be unique.| string | internet-gateway|
 | internet_gateway_route_rules | (Updatable) List of routing rules to add to Internet Gateway Route Table.| list(map(string)) | null|
 | local_peering_gateways | Map of Local Peering Gateways to attach to the VCN | map(any) | null|
@@ -32,8 +33,11 @@
 | nat_gateway_public_ip_id | OCID of reserved IP address for NAT gateway. If default value "none" is used, then a public IP address is selected from Oracle’s public IP pool. | string | none|
 | nat_gateway_route_rules | (Updatable) List of routing rules to add to NAT Gateway Route Table | list(map(string)) | null|
 | service_gateway_display_name | (Updatable) Name of Service Gateway. Does not have to be unique. | string | service-gateway|
+| vcn_byoipv6cidr_details | (Optional)List of BYOIPv6 CIDR blocks to be used for the VCN. | list(object) | [] |
 | vcn_cidrs | (Updatable) The list of IPv4 CIDR blocks the VCN will use. The CIDR block specified for the VCN must not overlap with the CIDR block of another network. | string | ["10.0.0.0/16"]|
 | vcn_dns_label | (Optional)A DNS label for the VCN, used in conjunction with the VNIC’s hostname and subnet’s DNS label to form a fully qualified domain name (FQDN) for each VNIC within this subnet. DNS resolution for hostnames in the VCN is disabled if null. | string | vcnmodule|
+| vcn_ipv6private_cidr_blocks | (Optional)List of IPv6 private CIDR blocks to be used for the VCN. | list(string) | []|
+| vcn_is_oracle_gua_allocation_enabled | (Optional)If Oracle will assign the VCN a IPv6 /56 CIDR block when IPv6 is enabled. | bool | true|
 | vcn_name | (Optional)(Updatable) The name of the VCN that will be appended to the label_prefix. | string | vcn|
 
 ### Subnets

docs/terraformoptions.md

@@ -24,6 +24,7 @@
 | create_nat_gateway | Whether to create an NAT gateway. | bool | false|
 | create_service_gateway | Whether to create a service gateway to use Oracle Services. | bool | false|
 | enable_ipv6 | (Updatable) Whether IPv6 is enabled for the VCN. If enabled, Oracle will assign the VCN a IPv6 /56 CIDR block. | bool | false|
+| igw_ngw_mixed_route_table_display_name | (Updatable) Name of the Mixed Route Table (NGW for IPv4, IGW for IPv6). Does not have to be unique. | string | igw-ngw-mixed-gateway |
 | internet_gateway_display_name | (Updatable) Name of Internet Gateway. Does not have to be unique.| string | internet-gateway|
 | internet_gateway_route_rules | (Updatable) List of routing rules to add to Internet Gateway Route Table.| list(map(string)) | null|
 | local_peering_gateways | Map of Local Peering Gateways to attach to the VCN | map(any) | null|
@@ -32,8 +33,11 @@
 | nat_gateway_public_ip_id | OCID of reserved IP address for NAT gateway. If default value "none" is used, then a public IP address is selected from Oracle’s public IP pool. | string | none|
 | nat_gateway_route_rules | (Updatable) List of routing rules to add to NAT Gateway Route Table | list(map(string)) | null|
 | service_gateway_display_name | (Updatable) Name of Service Gateway. Does not have to be unique. | string | service-gateway|
+| vcn_byoipv6cidr_details | (Optional)List of BYOIPv6 CIDR blocks to be used for the VCN. | list(object) | [] |
 | vcn_cidrs | (Updatable) The list of IPv4 CIDR blocks the VCN will use. The CIDR block specified for the VCN must not overlap with the CIDR block of another network. | string | ["10.0.0.0/16"]|
 | vcn_dns_label | (Optional)A DNS label for the VCN, used in conjunction with the VNIC’s hostname and subnet’s DNS label to form a fully qualified domain name (FQDN) for each VNIC within this subnet. DNS resolution for hostnames in the VCN is disabled if null. | string | vcnmodule|
+| vcn_ipv6private_cidr_blocks | (Optional)List of IPv6 private CIDR blocks to be used for the VCN. | list(string) | []|
+| vcn_is_oracle_gua_allocation_enabled | (Optional)If Oracle will assign the VCN a IPv6 /56 CIDR block when IPv6 is enabled. | bool | true|
 | vcn_name | (Optional)(Updatable) The name of the VCN that will be appended to the label_prefix. | string | vcn|
 
 ### Subnets

examples/drg/version.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = ">=4.67.3"
+      version = ">=6.32.0"
     }
   }
   required_version = ">= 1.0.0"

examples/hub-spoke/version.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = ">=4.67.3"
+      version = ">=6.32.0"
     }
   }
   required_version = ">= 1.0.0"

examples/module_composition/README.md

@@ -66,6 +66,12 @@ module "vcn" {
   vcn_name                 = var.vcn_name
   lockdown_default_seclist = var.lockdown_default_seclist
   attached_drg_id          = var.attached_drg_id
+
+  # IPv6 parameters (Optional)
+  vcn_is_oracle_gua_allocation_enabled         = var.vcn_is_oracle_gua_allocation_enabled # Enable Global Unicast Address (GUA) VCN allocation
+  vcn_ipv6private_cidr_blocks                  = var.vcn_ipv6private_cidr_blocks # List with IPv6 private CIDR blocks
+  vcn_byoipv6cidr_details                      = var.vcn_byoipv6cidr_details # List with BYOIPv6 CIDR blocks
+  ipv6_private_subnet_route_table_display_name = var.ipv6_private_subnet_route_table_display_name # Name of the route table used for private subnets 
 }
 ```
 

examples/module_composition/main.tf

@@ -18,20 +18,24 @@ module "vcn" {
   defined_tags   = var.defined_tags
 
   # vcn parameters
-  create_internet_gateway  = var.create_internet_gateway  # boolean: true or false
-  lockdown_default_seclist = var.lockdown_default_seclist # boolean: true or false
-  create_nat_gateway       = var.create_nat_gateway       # boolean: true or false
-  create_service_gateway   = var.create_service_gateway   # boolean: true or false
-  enable_ipv6              = var.enable_ipv6
-  vcn_cidrs                = var.vcn_cidrs # List of IPv4 CIDRs
-  vcn_dns_label            = var.vcn_dns_label
-  vcn_name                 = var.vcn_name
+  create_internet_gateway              = var.create_internet_gateway  # boolean: true or false
+  lockdown_default_seclist             = var.lockdown_default_seclist # boolean: true or false
+  create_nat_gateway                   = var.create_nat_gateway       # boolean: true or false
+  create_service_gateway               = var.create_service_gateway   # boolean: true or false
+  enable_ipv6                          = var.enable_ipv6
+  vcn_cidrs                            = var.vcn_cidrs # List of IPv4 CIDRs
+  vcn_dns_label                        = var.vcn_dns_label
+  vcn_name                             = var.vcn_name
+  vcn_is_oracle_gua_allocation_enabled = var.vcn_is_oracle_gua_allocation_enabled # boolean: true or false
+  vcn_ipv6private_cidr_blocks          = var.vcn_ipv6private_cidr_blocks          # List of IPv6 private CIDRs
+  vcn_byoipv6cidr_details              = var.vcn_byoipv6cidr_details              # List of IPv6 BYO CIDR details
 
   # gateways parameters
-  internet_gateway_display_name = var.internet_gateway_display_name
-  nat_gateway_display_name      = var.nat_gateway_display_name
-  service_gateway_display_name  = var.service_gateway_display_name
-  attached_drg_id               = var.attached_drg_id
+  internet_gateway_display_name                = var.internet_gateway_display_name
+  nat_gateway_display_name                     = var.nat_gateway_display_name
+  service_gateway_display_name                 = var.service_gateway_display_name
+  igw_ngw_mixed_route_table_display_name = var.igw_ngw_mixed_route_table_display_name
+  attached_drg_id                              = var.attached_drg_id
 }
 
 # Outputs

examples/module_composition/variables.tf

@@ -139,3 +139,29 @@ variable "service_gateway_display_name" {
   default     = "sgw"
 }
 
+variable "vcn_is_oracle_gua_allocation_enabled" {
+  description = "If Oracle will assign the VCN a IPv6 /56 CIDR block when IPv6 is enabled."
+  type        = bool
+  default     = false
+}
+
+variable "vcn_ipv6private_cidr_blocks" {
+  description = "List of private IPv6 CIDR blocks to be used for the VCN."
+  type        = list(string)
+  default     = []
+}
+
+variable "vcn_byoipv6cidr_details" {
+  description = "List of BYOIPv6 CIDR blocks to be used for the VCN."
+  type = list(object({
+    byoipv6range_id = string
+    ipv6cidr_block  = string
+  }))
+  default = []
+}
+
+variable "igw_ngw_mixed_route_table_display_name" {
+  description = "(Updatable) Name of Route Table. Does not have to be unique."
+  type        = string
+  default     = "igw-ngw-mixed-gateway"
+}

examples/module_composition/version.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = ">=4.67.3"
+      version = ">=6.32.0"
     }
   }
   required_version = ">= 1.0.0"

modules/subnet/subnet.tf

@@ -3,14 +3,14 @@
 
 locals {
   dhcp_default_options = data.oci_core_dhcp_options.dhcp_options.options.0.id
-   // Tenancy-specific availability domains in region
+  // Tenancy-specific availability domains in region
   // Common reference for data source re-used throughout module
   ads = data.oci_identity_availability_domains.all.availability_domains
 
   // Map of parsed availability domain numbers to tenancy-specific names
   // Used by resources with AD placement for generic selection
   ad_numbers_to_names = local.ads != null ? {
-  for ad in local.ads : parseint(substr(ad.name, -1, -1), 10) => ad.name
+    for ad in local.ads : parseint(substr(ad.name, -1, -1), 10) => ad.name
   } : { -1 : "" } # Fallback handles failure when unavailable but not required
 
   // List of availability domain numbers in region
@@ -23,24 +23,30 @@ data "oci_identity_availability_domains" "all" {
 }
 
 resource "oci_core_subnet" "vcn_subnet" {
-  for_each       = var.subnets
-  cidr_block     = each.value.cidr_block
-  compartment_id = var.compartment_id
-  vcn_id         = var.vcn_id
+  for_each = var.subnets
+
+  cidr_block          = each.value.cidr_block
+  compartment_id      = var.compartment_id
+  vcn_id              = var.vcn_id
   availability_domain = lookup(each.value, "availability_domain", null) != null ? local.ad_numbers_to_names[each.value.availability_domain] : null
-  
+
   defined_tags    = var.defined_tags
   dhcp_options_id = local.dhcp_default_options
   display_name    = lookup(each.value, "name", each.key)
   dns_label       = lookup(each.value, "dns_label", null)
   freeform_tags   = var.freeform_tags
   #commented for IPV6 support
-  #ipv6cidr_block             = var.enable_ipv6 == false ? null : each.value.ipv6cidr_block
-  #ipv6cidr_blocks            = var.enable_ipv6 == false ? null : [each.value.ipv6cidr_block]
-  #prohibit_internet_ingress  = var.enable_ipv6 && lookup(each.value,"type","public") == "public" ? each.value.prohibit_internet_ingress : false
-  prohibit_public_ip_on_vnic = lookup(each.value, "type", "public") == "public" ? false : true
-  route_table_id             = lookup(each.value, "type", "public") == "public" ? var.ig_route_id : var.nat_route_id
-  security_list_ids          = null
+  # ipv6cidr_block             = var.enable_ipv6 == false ? null : each.value.ipv6cidr_block
+  ipv6cidr_blocks            = var.enable_ipv6 == false ? null : each.value.ipv6cidr_blocks
+  prohibit_internet_ingress  = lookup(each.value, "type", "public") == "public" ? false : true
+  # prohibit_public_ip_on_vnic = lookup(each.value, "type", "public") == "public" ? false : true
+  route_table_id = lookup(each.value, "type", "public") == "public" ? (
+    lookup(each.value, "igw_ngw_mixed_rt", false)  == true ? 
+      var.igw_ngw_mixed_route_id : 
+      var.ig_route_id
+    ) : var.nat_route_id
+
+  security_list_ids = null
 
   lifecycle {
     ignore_changes = [defined_tags, dns_label, freeform_tags]

modules/subnet/variables.tf

@@ -34,6 +34,12 @@ variable "nat_route_id" {
   type        = string
 }
 
+variable "igw_ngw_mixed_route_id" {
+  description = "IPv6 route table id with IGW for IPv6 and NGW for IPv4."
+  type        = string
+  default     = null
+}
+
 variable "defined_tags" {
   description = "predefined and scoped to a namespace to tag the resources created using defined tags."
   type        = map(string)

modules/subnet/versions.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = ">=4.67.3"
+      version = ">=6.32.0"
     }
   }
   required_version = ">= 1.0.0"

outputs.tf

@@ -27,6 +27,11 @@ output "ig_route_id" {
   value       = join(",", oci_core_route_table.ig[*].id)
 }
 
+output "igw_ngw_mixed_route_id" {
+  description = "id of the internet gateway & nat gateway mixed route table"
+  value       = one(oci_core_route_table.igw_ngw_mixed_route_id[*].id)
+}
+
 output "nat_route_id" {
   description = "id of VCN NAT gateway route table"
   value       = join(",", oci_core_route_table.nat[*].id)
@@ -37,6 +42,7 @@ output "sgw_route_id" {
   value       = join(",", oci_core_route_table.service_gw[*].id)
 }
 
+
 # New complete outputs for each resources with provider parity. Auto-updating.
 # Usefull for module composition.
 

terraform.tfvars.example

@@ -115,6 +115,15 @@ attached_drg_id = null
 #  sub3 = {cidr_block="10.0.6.0/24",availability_domain=1}
 #}
 
+#Subnets when `enable_ipv6 = true`
+## Supported notation for ipv6cidr_blocks is "newbits, netnum" or "IPv6_CIDR"
+## E.g.: ipv6cidr_blocks=["8, 0", "FC00::/64"]
+#subnets = {
+#  sub1 = {name = "subnet1", type="public", cidr_block = "10.0.4.0/24"}
+#  sub2 = {cidr_block="10.0.5.0/24",ipv6cidr_blocks=["8, 0"], igw_ngw_mixed_rt=true} 
+#  sub3 = {cidr_block="10.0.7.0/24",type="private",ipv6cidr_blocks=["8, 1"]}
+#}
+
 #Logging
 #enable_vcn_logging = true
 #log_retention_duration = 30

variables.tf

@@ -64,6 +64,27 @@ variable "enable_ipv6" {
   default     = false
 }
 
+variable "vcn_is_oracle_gua_allocation_enabled" {
+  description = "If Oracle will assign the VCN a IPv6 /56 CIDR block when IPv6 is enabled."
+  type        = bool
+  default     = true
+}
+
+variable "vcn_ipv6private_cidr_blocks" {
+  description = "List of IPv6 private CIDR blocks to be used for the VCN."
+  type        = list(string)
+  default     = []
+}
+
+variable "vcn_byoipv6cidr_details" {
+  description = "List of BYOIPv6 CIDR blocks to be used for the VCN."
+  type = list(object({
+    byoipv6range_id = string
+    ipv6cidr_block  = string
+  }))
+  default = []
+}
+
 variable "lockdown_default_seclist" {
   description = "whether to remove all default security rules from the VCN Default Security List"
   default     = true
@@ -143,6 +164,17 @@ variable "service_gateway_display_name" {
   }
 }
 
+variable "igw_ngw_mixed_route_table_display_name" {
+  description = "(Updatable) Name of the Mixed Route Table (NGW for IPv4, IGW for IPv6). Does not have to be unique."
+  type        = string
+  default     = "igw-ngw-mixed-gateway"
+
+  validation {
+    condition     = length(var.igw_ngw_mixed_route_table_display_name) > 0
+    error_message = "The igw_ngw_mixed_route_table_display_name value cannot be an empty string."
+  }
+}
+
 variable "internet_gateway_route_rules" {
   description = "(Updatable) List of routing rules to add to Internet Gateway Route Table"
   type        = list(map(string))

vcn.tf

@@ -4,31 +4,42 @@
 resource "oci_core_vcn" "vcn" {
   # We still allow module users to declare a cidr using `vcn_cidr` instead of the now recommended `vcn_cidrs`, but internally we map both to `cidr_blocks`
   # The module always use the new list of string structure and let the customer update his module definition block at his own pace.
-  cidr_blocks    = var.vcn_cidrs[*]
-  compartment_id = var.compartment_id
-  display_name   = var.label_prefix == "none" ? var.vcn_name : "${var.label_prefix}-${var.vcn_name}"
-  dns_label      = var.vcn_dns_label
-  is_ipv6enabled = var.enable_ipv6
+  cidr_blocks                      = var.vcn_cidrs[*]
+  compartment_id                   = var.compartment_id
+  display_name                     = var.label_prefix == "none" ? var.vcn_name : "${var.label_prefix}-${var.vcn_name}"
+  dns_label                        = var.vcn_dns_label
+  is_ipv6enabled                   = var.enable_ipv6
+  is_oracle_gua_allocation_enabled = var.enable_ipv6 ? var.vcn_is_oracle_gua_allocation_enabled : null
+  ipv6private_cidr_blocks          = var.enable_ipv6 ? var.vcn_ipv6private_cidr_blocks : null
+
+  dynamic "byoipv6cidr_details" {
+    for_each = var.enable_ipv6 ? var.vcn_byoipv6cidr_details : []
+    content {
+      byoipv6range_id = byoipv6cidr_details.value.byoipv6range_id
+      ipv6cidr_block  = byoipv6cidr_details.value.ipv6cidr_block
+    }
+  }
 
   freeform_tags = var.freeform_tags
   defined_tags  = var.defined_tags
 
   lifecycle {
-    ignore_changes = [defined_tags, dns_label, freeform_tags]
+    ignore_changes = [defined_tags, dns_label, freeform_tags, is_oracle_gua_allocation_enabled]
   }
 }
 
 #Module for Subnet
 module "subnet" {
   source = "./modules/subnet"
 
-  compartment_id = var.compartment_id
-  tenancy_id     = var.tenancy_id
-  subnets        = var.subnets
-  enable_ipv6    = var.enable_ipv6
-  vcn_id         = oci_core_vcn.vcn.id
-  ig_route_id    = var.create_internet_gateway ? oci_core_route_table.ig[0].id : null
-  nat_route_id   = var.create_nat_gateway ? oci_core_route_table.nat[0].id : null
+  compartment_id         = var.compartment_id
+  tenancy_id             = var.tenancy_id
+  subnets                = local.enriched_subnets
+  enable_ipv6            = var.enable_ipv6
+  vcn_id                 = oci_core_vcn.vcn.id
+  ig_route_id            = var.create_internet_gateway ? oci_core_route_table.ig[0].id : null
+  nat_route_id           = var.create_nat_gateway ? oci_core_route_table.nat[0].id : null
+  igw_ngw_mixed_route_id = var.enable_ipv6 && var.create_internet_gateway && var.create_nat_gateway ? oci_core_route_table.igw_ngw_mixed_route_id[0].id : null
 
   freeform_tags = var.freeform_tags
 
@@ -41,6 +52,17 @@ locals {
   subnet = {
     for key, value in var.subnets : key => contains(keys(value), "name") ? value.name : key
   }
+
+  subnet_ipv6_cidr_blocks = var.enable_ipv6 && var.vcn_is_oracle_gua_allocation_enabled ? {
+    for key, value in var.subnets : key => contains(keys(value), "ipv6cidr_blocks") ?
+    { "ipv6cidr_blocks" : [for entry in value["ipv6cidr_blocks"] : length(regexall("^\\d+,[ ]?\\d+$", entry)) > 0 ? cidrsubnet(coalesce([for cidr in oci_core_vcn.vcn.ipv6cidr_blocks : cidr]...), tonumber(split(",", entry)[0]), tonumber(trim(split(",", entry)[1], " "))) : entry] } :
+    { "ipv6cidr_blocks" : [] }
+  } : {}
+
+  enriched_subnets = { for k, v in var.subnets :
+    k => merge(v, lookup(local.subnet_ipv6_cidr_blocks, k, null))
+  }
+
   service_logdef = { for k in local.subnet : format("%s_%s", k, "log") => { loggroup = "loggrp", service = "flowlogs", resource = k } }
 }