
[Bug]: IPAM - The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip. #39967

Open
kverstr opened this issue Oct 31, 2024 · 3 comments
Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/ipam Issues and PRs that pertain to the ipam service.

Comments

@kverstr

kverstr commented Oct 31, 2024

Terraform Core Version

1.9.8

AWS Provider Version

5.72.x

Affected Resource(s)

aws_vpc_ipam_pool

Expected Behavior

With the following parameters:
public_ip_source = amazon
ip_scope_type = public
address_family = ipv6
aws_service = ec2

the "publicly_advertisable" parameter should not be passed in this case.

I expect to be able to create an IPAM pool that allocates an AWS generated CIDR block.

Actual Behavior

The publicly_advertisable parameter is passed regardless of which value it has, and
you get the error 'The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip.'

It seems like the wrong checks are done here:

// PubliclyAdvertisable must be set if the AddressFamily is IPv6 and PublicIpSource is byoip.

A check should be done on PublicIpSource instead of IpamScopeType?

Relevant Error/Panic Output Snippet

Error: creating IPAM Pool: operation error EC2: CreateIpamPool, https response error StatusCode: 400, RequestID: blabla, api error InvalidParameterCombination: The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip.

Terraform Configuration Files

terraform {
  required_version = "~> 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      #version = "5.56.1" # this works
      version = "~> 5.0"  # doesn't work
    }
  }
}

module "ipv6_aws_eu_west_1" {
  source  = "aws-ia/ipam/aws"
  version = "~> 2.0"

  top_name                  = "AWS IPv6 pool eu-west-1"
  top_netmask_length        = "45"
  address_family            = "ipv6"
  ipam_scope_type           = "public"
  top_aws_service           = "ec2"
  top_publicly_advertisable = null # or true or false; doesn't matter what value
  top_public_ip_source      = "amazon"
  top_locale                = "eu-west-1"

  pool_configurations = {
    eu-west-1 = {
      name                  = "AWS IPv6 pool eu-west-1"
      description           = "Pool for ipv6 eu-west-1"
      netmask_length        = "45"
      locale                = "eu-west-1"
      aws_service           = "ec2"
      public_ip_source      = "amazon"

      sub_pools = {
        lab-public = {
          name                  = "AWS public IPv6 pool eu-west-1 lab"
          netmask_length        = "49"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
        lab-private = {
          name                  = "AWS private IPv6 pool eu-west-1 lab"
          netmask_length        = "49"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
        nprd-public = {
          name                  = "AWS public IPv6 pool eu-west-1 nprd"
          netmask_length        = "47"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
        nprd-private = {
          name                  = "AWS private IPv6 pool eu-west-1 nprd"
          netmask_length        = "47"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
        prod-public = {
          name                  = "AWS public IPv6 pool eu-west-1 prod"
          netmask_length        = "48"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
        prod-private = {
          name                  = "AWS private IPv6 pool eu-west-1 prod"
          netmask_length        = "48"
          aws_service           = "ec2"
          ram_share_principals  = []
          public_ip_source      = "amazon"
        }
      }
    }
  }
}

Steps to Reproduce

Run this code with the AWS provider on ~> 5.0 and then with provider version 5.56.1, for example (I used this version because it was in my local .terraform providers and I knew that at some point my configuration worked).

Debug Output

# Failing request: PubliclyAdvertisable is passed.

{
    "eventVersion": "1.10",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "",
        "accountId": "",
        "accessKeyId": "",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "",
                "arn": "",
                "accountId": "",
                "userName": ""
            },
            "attributes": {
                "creationDate": "2024-10-31T12:51:43Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-10-31T12:51:44Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateIpamPool",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.8 (+https://www.terraform.io) terraform-provider-aws/5.72.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.32.2 os/macos lang/go#1.23.2 md/GOOS#darwin md/GOARCH#arm64 api/ec2#1.182.0",
    "errorCode": "Client.InvalidParameterCombination",
    "errorMessage": "The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip.",
    "requestParameters": {
        "CreateIpamPoolRequest": {
            "AwsService": "ec2",
            "IpamScopeId": "ipam-scope-12345",
            "Locale": "eu-west-1",
            "PublicIpSource": "amazon",
            "AddressFamily": "ipv6",
            "ClientToken": "",
            "TagSpecification": {
                "ResourceType": "ipam-pool",
                "tag": 1,
                "Tag": {
                    "Value": "AWS IPv6 pool eu-west-1",
                    "tag": 1,
                    "Key": "Name"
                }
            },
            "PubliclyAdvertisable": true
        }
    },
    "responseElements": null,
    "requestID": "",
    "eventID": "",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "ec2.eu-west-1.amazonaws.com"
    }
}

# Working request (provider 5.56.1): PubliclyAdvertisable is not passed; however, I didn't change anything in my TF configuration.

{
    "eventVersion": "1.10",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "accessKeyId": "",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "",
                "arn": "",
                "accountId": "",
                "userName": ""
            },
            "attributes": {
                "creationDate": "2024-10-31T12:54:22Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-10-31T12:54:23Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateIpamPool",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.8 (+https://www.terraform.io) terraform-provider-aws/5.56.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.30.0 os/macos lang/go#1.22.4 md/GOOS#darwin md/GOARCH#arm64 api/ec2#1.166.0",
    "requestParameters": {
        "CreateIpamPoolRequest": {
            "AwsService": "ec2",
            "IpamScopeId": "ipam-scope-1234",
            "Locale": "eu-west-1",
            "PublicIpSource": "amazon",
            "AddressFamily": "ipv6",
            "ClientToken": "",
            "TagSpecification": {
                "ResourceType": "ipam-pool",
                "tag": 1,
                "Tag": {
                    "Value": "AWS IPv6 pool eu-west-1",
                    "tag": 1,
                    "Key": "Name"
                }
            }
        }
    },
    "responseElements": {
        "CreateIpamPoolResponse": {
            "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/",
            "requestId": "",
            "ipamPool": {
                "autoImport": false,
                "ipamPoolArn": "",
                "publicIpSource": "amazon",
                "ipamScopeType": "public",
                "locale": "eu-west-1",
                "ownerId": "",
                "ipamRegion": "eu-west-1",
                "tagSet": {
                    "item": {
                        "value": "AWS IPv6 pool eu-west-1",
                        "key": "Name"
                    }
                },
                "ipamScopeArn": "",
                "ipamPoolId": "",
                "poolDepth": 1,
                "state": "create-in-progress",
                "ipamArn": "",
                "addressFamily": "ipv6",
                "awsService": "ec2"
            }
        }
    },
    "requestID": "",
    "eventID": "",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "ec2.eu-west-1.amazonaws.com"
    }
}

Panic Output

No response

Important Factoids

You probably need to decrease the CIDR sizes in order to run this; I had my quota increased by AWS (the default limit is /52).

References

No response

Would you like to implement a fix?

None
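An added illustration of the decision the report describes, written here in Go and not taken from the provider's code: a builder keyed on the scope type (the suspected regression) beside one keyed on PublicIpSource, plus a local pre-check that mirrors the API's InvalidParameterCombination rule so a misbuilt request is rejected before the 400. The type and function names are assumptions, as is the default of true for an unset argument (the report's failing request shows true sent for a null value).

```go
package main

import "errors"

// PoolConfig mirrors the aws_vpc_ipam_pool arguments; PubliclyAdvertisable is nil when unset.
type PoolConfig struct {
	AddressFamily, IpamScopeType, PublicIPSource string // e.g. "ipv6", "public", "amazon"
	PubliclyAdvertisable                         *bool
}

// Request is the CreateIpamPool subset that matters; a nil PubliclyAdvertisable is omitted from the call.
type Request struct {
	AddressFamily, PublicIPSource string
	PubliclyAdvertisable          *bool
}

// validate applies the API's InvalidParameterCombination rule locally, catching a bad request before the 400.
func validate(r Request) error {
	if r.PubliclyAdvertisable != nil && (r.AddressFamily != "ipv6" || r.PublicIPSource != "byoip") {
		return errors.New("PubliclyAdvertisable requires AddressFamily ipv6 and PublicIpSource byoip")
	}
	return nil
}

// advertiseFlag returns the configured value, or true when unset (assumption: the report shows true sent for null).
func advertiseFlag(c PoolConfig) *bool {
	v := true
	if c.PubliclyAdvertisable != nil {
		v = *c.PubliclyAdvertisable
	}
	return &v
}

// buildRequestBroken keys on the scope type, as the report suspects, so an "amazon" IPv6 public pool gets the field.
func buildRequestBroken(c PoolConfig) Request {
	r := Request{AddressFamily: c.AddressFamily, PublicIPSource: c.PublicIPSource}
	if c.AddressFamily == "ipv6" && c.IpamScopeType == "public" {
		r.PubliclyAdvertisable = advertiseFlag(c)
	}
	return r
}

// buildRequestFixed keys on PublicIpSource, matching the API rule.
func buildRequestFixed(c PoolConfig) Request {
	r := Request{AddressFamily: c.AddressFamily, PublicIPSource: c.PublicIPSource}
	if c.AddressFamily == "ipv6" && c.PublicIPSource == "byoip" {
		r.PubliclyAdvertisable = advertiseFlag(c)
	}
	return r
}
```

Running validate over both builders with the reported configuration (ipv6, public scope, amazon source) shows the broken one fails whether publicly_advertisable is null, true or false, while the fixed one passes.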

@kverstr kverstr added the bug Addresses a defect in current functionality. label Oct 31, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 31, 2024
@justinretzolk
Member

Relates #39600

@justinretzolk justinretzolk added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/ipam Issues and PRs that pertain to the ipam service. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 31, 2024
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Oct 31, 2024
@kverstr
Author

kverstr commented Oct 31, 2024

Yeah, I guess that is the change that broke this.
[image]
