From aad42149d1eb59867b9ee8e38dcb178160162b01 Mon Sep 17 00:00:00 2001 From: xss Date: Fri, 4 Aug 2023 17:10:41 +1000 Subject: [PATCH] Dualstack subnets + v6 only subnets --- vpc.tf | 107 +++++++++++++++++++++++++++++++++++++++++++------- websockets.tf | 2 +- 2 files changed, 93 insertions(+), 16 deletions(-) diff --git a/vpc.tf b/vpc.tf index fb3f5bb..0b7da54 100644 --- a/vpc.tf +++ b/vpc.tf @@ -10,20 +10,36 @@ resource "aws_egress_only_internet_gateway" "main" { locals { private_subnets = { - "us-east-1a" = "172.31.128.0/24", - "us-east-1b" = "172.31.131.0/24", - "us-east-1c" = "172.31.130.0/24", - "us-east-1d" = "172.31.133.0/24", - "us-east-1e" = "172.31.129.0/24", - "us-east-1f" = "172.31.132.0/24" + "us-east-1a" = ["172.31.128.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 13)], + "us-east-1b" = ["172.31.131.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 14)], + "us-east-1c" = ["172.31.130.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 15)], + "us-east-1d" = ["172.31.133.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 16)], + "us-east-1e" = ["172.31.129.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 17)], + "us-east-1f" = ["172.31.132.0/24", cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 18)] + } + private_v6 = { + "us-east-1a" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 7), + "us-east-1b" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 8), + "us-east-1c" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 9), + "us-east-1d" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 10), + "us-east-1e" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 11), + "us-east-1f" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 12) } public_subnets = { - "us-east-1a" = "172.31.80.0/20", - "us-east-1b" = "172.31.16.0/20", - "us-east-1c" = "172.31.32.0/20", - "us-east-1d" = "172.31.0.0/20", - "us-east-1e" = "172.31.48.0/20", - "us-east-1f" = "172.31.64.0/20" + "us-east-1a" = ["172.31.80.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 19)], + "us-east-1b" = ["172.31.16.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 20)], + "us-east-1c" = ["172.31.32.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 21)], + "us-east-1d" = ["172.31.0.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 22)], + "us-east-1e" = ["172.31.48.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 23)], + "us-east-1f" = ["172.31.64.0/20",cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 24)] + } + public_v6 = { + "us-east-1a" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1), + "us-east-1b" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 2), + "us-east-1c" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 3), + "us-east-1d" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 4), + "us-east-1e" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 5), + "us-east-1f" = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 6) } } resource "aws_subnet" "private" { @@ -31,8 +47,8 @@ resource "aws_subnet" "private" { map_public_ip_on_launch = false vpc_id = aws_vpc.main.id - cidr_block = each.value - + cidr_block = each.value[0] + ipv6_cidr_block = each.value[1] tags = { Name = "${each.key} - private" } @@ -43,21 +59,70 @@ resource "aws_subnet" "public" { map_public_ip_on_launch = false vpc_id = aws_vpc.main.id - cidr_block = each.value + cidr_block = each.value[0] + ipv6_cidr_block = each.value[1] tags = { Name = "${each.key} - public" } } +resource "aws_subnet" "public_v6_only" { + for_each = local.public_v6 + + availability_zone = each.key + enable_resource_name_dns_aaaa_record_on_launch = true + assign_ipv6_address_on_creation = true + vpc_id = aws_vpc.main.id + ipv6_native = true + ipv6_cidr_block = each.value + tags = { + Name = "${each.key} - public v6 only" + } + +} + +resource "aws_subnet" "private_v6_only" { + for_each = local.private_v6 + + availability_zone = each.key + enable_resource_name_dns_aaaa_record_on_launch = true + assign_ipv6_address_on_creation = true + vpc_id = aws_vpc.main.id + ipv6_native = true + ipv6_cidr_block = each.value + tags = { + Name = "${each.key} - private v6 only" + } + +} + resource "aws_route_table" "main" { vpc_id = aws_vpc.main.id } + +resource "aws_route_table" "public_v6" { + vpc_id = aws_vpc.main.id +} + resource "aws_route_table_association" "public" { for_each = local.public_subnets subnet_id = aws_subnet.public[each.key].id + route_table_id = aws_route_table.public_v6.id +} + +resource "aws_route_table_association" "public_v6_only" { + for_each = local.public_v6 + subnet_id = aws_subnet.public_v6_only[each.key].id + route_table_id = aws_route_table.public_v6.id +} + +resource "aws_route_table_association" "private_v6_only" { + for_each = local.private_v6 + subnet_id = aws_subnet.private_v6_only[each.key].id route_table_id = aws_route_table.main.id } + resource "aws_route_table_association" "private" { for_each = local.private_subnets subnet_id = aws_subnet.private[each.key].id @@ -78,4 +143,16 @@ resource "aws_route" "main" { route_table_id = aws_route_table.main.id destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.gw.id +} + +resource "aws_route" "public" { + route_table_id = aws_route_table.public_v6.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.gw.id +} + +resource "aws_route" "public_v6" { + route_table_id = aws_route_table.public_v6.id + destination_ipv6_cidr_block = "::/0" + gateway_id = aws_internet_gateway.gw.id } \ No newline at end of file diff --git a/websockets.tf b/websockets.tf index 4dddc5b..66fcd1e 100644 --- a/websockets.tf +++ b/websockets.tf @@ -541,7 +541,7 @@ resource "aws_ecs_service" "ws_reader_ec2" { task_definition = aws_ecs_task_definition.ws_reader_ec2.arn enable_ecs_managed_tags = true launch_type = "EC2" - desired_count = 9 + desired_count = 6 placement_constraints { type = "distinctInstance" }