From 0530be825baee34c0af6942e55585bd935e6370a Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Wed, 27 Nov 2024 15:44:07 +0800
Subject: [PATCH] add IPv6 capability for ingress traffic

---
 terraform/010-cluster/README.md | 2 ++
 terraform/010-cluster/main.tf | 21 ++++++++++++---------
 terraform/010-cluster/vars.tf | 12 ++++++++++++
 3 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
index 63a6ace..35e607a 100644
--- a/terraform/010-cluster/README.md
+++ b/terraform/010-cluster/README.md
@@ -27,6 +27,8 @@ ssl certificate, core application load balancer, and a CloudWatch log group
 ## Optional Inputs
 
 - `create_nat_gateway` - default `true`
+- `disable_public_ipv4` - Set to true to remove the public IPv4 addresses from the ALB. Requires enable_ipv6 = true.
+- `enable_ipv6` - Set to true to enable IPv6 in the ALB and VPC
 - `private_subnet_cidr_blocks`
 - `public_subnet_cidr_blocks`
 - `vpc_cidr_block`
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index ce5df0a..f627113 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -9,6 +9,7 @@ module "vpc" {
   app_env = var.app_env
   aws_zones = var.aws_zones
   create_nat_gateway = var.create_nat_gateway
+  enable_ipv6 = var.enable_ipv6
   private_subnet_cidr_blocks = var.private_subnet_cidr_blocks
   public_subnet_cidr_blocks = var.public_subnet_cidr_blocks
   vpc_cidr_block = var.vpc_cidr_block
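Review bot: The new `enable_ipv6 = var.enable_ipv6` argument to module "vpc" is only accepted if the pinned version of that module declares an `enable_ipv6` input; the module's `source`/`version` lines sit above this hunk and no version change for it is visible anywhere in the patch, whereas the alb module is bumped to `~> 1.1` in the next hunk, so an unchanged vpc pin would fail at plan time with an unsupported-argument error. Separately, the `create_nat_gateway` line directly above the addition covers IPv4 only, since a NAT gateway does not carry IPv6, so how private-subnet IPv6 egress is routed, and whether private-subnet workloads become globally reachable over IPv6, is decided entirely inside the vpc module and cannot be judged from here. A one-line comment on the new line would record that dependency: `enable_ipv6 = var.enable_ipv6 # NAT gateway is IPv4-only; confirm the vpc module routes private-subnet IPv6 via an egress-only IGW`. The `module "vpc"` block begins before this hunk.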
@@ -68,15 +69,17 @@ data "aws_acm_certificate" "wildcard" {
 */
 module "alb" {
   source = "silinternational/alb/aws"
-  version = "~> 1.0"
-
-  app_name = var.app_name
-  app_env = var.app_env
-  internal = "false"
-  vpc_id = module.vpc.id
-  security_groups = [module.vpc.vpc_default_sg_id, module.cloudflare-sg.id]
-  subnets = module.vpc.public_subnet_ids
-  certificate_arn = data.aws_acm_certificate.wildcard.arn
+  version = "~> 1.1"
+
+  app_name = var.app_name
+  app_env = var.app_env
+  enable_ipv6 = var.enable_ipv6
+  disable_public_ipv4 = var.disable_public_ipv4
+  internal = "false"
+  vpc_id = module.vpc.id
+  security_groups = [module.vpc.vpc_default_sg_id, module.cloudflare-sg.id]
+  subnets = module.vpc.public_subnet_ids
+  certificate_arn = data.aws_acm_certificate.wildcard.arn
 }
 
 /*
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 40c1da4..e55ae82 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
@@ -33,6 +33,18 @@ variable "create_nat_gateway" {
   default = true
 }
 
+variable "disable_public_ipv4" {
+  description = "Set to true to remove the public IPv4 addresses from the ALB. Requires enable_ipv6 = true"
+  type = bool
+  default = false
+}
+
+variable "enable_ipv6" {
+  description = "Set to true to enable IPV6 in the ALB and VPC"
+  type = bool
+  default = false
+}
+
 variable "use_transit_gateway" {
   description = "Set to true to attach a transit gateway to this VPC and route traffic to it. Use in conjunction with transit_gateway_id and create_nat_gateway=false."
   type = bool
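Review bot: The alb module now receives `enable_ipv6` and `disable_public_ipv4`, but the `security_groups = [module.vpc.vpc_default_sg_id, module.cloudflare-sg.id]` line is carried over unchanged, so inbound reachability over IPv6 is governed entirely by whatever IPv6 rules those two groups contain, and neither group's rules are visible in this patch. If `cloudflare-sg` lists only Cloudflare's IPv4 ranges (its name suggests an allow-list, which is unconfirmed here), the IPv6 side of the listener is simply unreachable; if either group permits `::/0`, the Cloudflare-only ingress restriction that the IPv4 rules presumably enforce does not apply to IPv6 clients. A comment beside the new argument would make that coupling explicit, e.g. `enable_ipv6 = var.enable_ipv6 # IPv6 ingress is still filtered by security_groups below; cloudflare-sg must carry the matching IPv6 ranges`, and the cloudflare-sg module's rules should be checked before this flag is set to true in any environment.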
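Review bot: The `description` of `disable_public_ipv4` says "Requires enable_ipv6 = true", but nothing enforces it: `disable_public_ipv4 = true` with `enable_ipv6` left at its default `false` is accepted here and would only be rejected, if at all, inside the alb module or by the AWS API at apply time. A `validation` block referencing `var.enable_ipv6` states the constraint at plan time; cross-variable references inside `validation` need Terraform 1.9 or newer, so with an older required_version a `precondition` on a resource in main.tf is the fallback. The `enable_ipv6` description also spells the protocol `IPV6` while the README hunk writes `IPv6`; one spelling would be tidier. Both new variable blocks are fully inside the hunk.
```hcl
variable "disable_public_ipv4" {
  description = "Set to true to remove the public IPv4 addresses from the ALB. Requires enable_ipv6 = true"
  type        = bool
  default     = false

  # Referencing another variable in validation needs Terraform >= 1.9;
  # on older versions express this as a precondition on a resource instead.
  validation {
    condition     = !var.disable_public_ipv4 || var.enable_ipv6
    error_message = "disable_public_ipv4 requires enable_ipv6 = true."
  }
}
# … unchanged: variable "enable_ipv6" …
```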