
Drift detection for IPv6CidrBlock doesn't process correctly for AWS::EC2::Subnet

Open elliotsegler opened this issue 4 years ago • 3 comments

Name of the resource

AWS::EC2::Subnet

Resource Name

AWS::EC2::Subnet

Issue Description

When processing drift detection for the IPv6CidrBlock attribute on an AWS::EC2::Subnet resource, IPv6 shorthand addressing used in the CloudFormation templates (say through the use of a string or the Fn::Cidr intrinsic) is not properly compared to the full IPv6 notation on the resource.

For example, the following are not treated as equal.

Expected Behavior

IPv6 addresses that mean the same thing (i.e. equivalent) to be treated as equal

Observed Behavior

Expected

{
  "AssignIpv6AddressOnCreation": true,
  "AvailabilityZone": "ap-southeast-2a",
  "CidrBlock": "10.0.0.0/24",
  "Ipv6CidrBlock": "2406:da1c:a1e:1234:0:0:0:0/64",
  "Tags": [
    {
      "Key": "Name",
      "Value": "MySubnet-A"
    }
  ],
  "VpcId": "vpc-aaaaaaaa"
}

Actual

{
  "AssignIpv6AddressOnCreation": true,
  "AvailabilityZone": "ap-southeast-2a",
  "CidrBlock": "10.0.0.0/24",
  "Ipv6CidrBlock": "2406:da1c:a1e:1234::/64",
  "Tags": [
    {
      "Key": "Name",
      "Value": "MySubnet-A"
    }
  ],
  "VpcId": "vpc-aaaaaaaa"
}

Test Cases

Specify IPv6 shorthand addresses in a CloudFormation template, deploy the subnet and run drift detection. All subnets should drift.

Other Details

No response

elliotsegler avatar Oct 14 '21 06:10 elliotsegler

I don't know if the needed fix should be in drift detection or in Fn::Cidr, but concretely "natural" use cases for creating IPv6 subnets, such as AWS's own example, fail drift detection due to this issue.

phs avatar May 01 '23 00:05 phs

To work around the issue with Fn::Cidr, it is enough to

  • Fn::Split on :0:0:0:0/64
  • Fn::Select the 0th component
  • and Fn::Join that to ::/64

phs avatar May 01 '23 02:05 phs

I'm inclined to think there should be a fix both in the drift detection and in the Fn::Cidr. The canonical form of an IPv6 address is defined in RFC 5952. Any process comparing IPv6 addresses should compare them using the canonical form, and any function returning IPv6 addresses should return them in canonical form, in my humble opinion.

I'm using a similar fix, with a slight difference: Fn::Split on :0:0:0:0/, followed by Fn::Join with ::/ as the delimiter. That avoids an extra Fn::Select.

vonschultz avatar Jan 03 '24 09:01 vonschultz
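As an added illustration (not code from this issue or from CloudFormation), the canonical-form comparison the thread argues for, using Python's standard ipaddress module, next to the Fn::Split/Fn::Join workaround rendered as plain string operations on the two prefixes quoted in the report. It also shows a constructed prefix where the string workaround does not yield the RFC 5952 form, which is why the comparison, not the template, is the durable fix.

```python
import ipaddress

# Sample values from the report: what the template (literal or Fn::Cidr)
# produced, and what the deployed subnet reports back.
EXPECTED = "2406:da1c:a1e:1234:0:0:0:0/64"
ACTUAL = "2406:da1c:a1e:1234::/64"


def canonical_cidr(cidr: str) -> str:
    """Return the RFC 5952 text form of an IPv6 prefix: lowercase hex,
    leading zeros dropped, longest run of zero groups collapsed to '::'.
    Raises ValueError for anything that is not a valid IPv6 prefix."""
    return str(ipaddress.IPv6Network(cidr, strict=True))


def drift_by_string(expected: str, actual: str) -> bool:
    """The comparison the report describes: plain string inequality."""
    return expected != actual


def drift_by_canonical(expected: str, actual: str) -> bool:
    """Compare both sides after canonicalisation, so equivalent notations
    are not reported as drift."""
    return canonical_cidr(expected) != canonical_cidr(actual)


def fn_cidr_workaround(cidr: str) -> str:
    """vonschultz's template workaround as Python string operations:
    Fn::Split on ':0:0:0:0/' followed by Fn::Join with '::/'."""
    return "::/".join(cidr.split(":0:0:0:0/"))


if __name__ == "__main__":
    print(drift_by_string(EXPECTED, ACTUAL))      # True  (the false positive)
    print(drift_by_canonical(EXPECTED, ACTUAL))   # False
    print(fn_cidr_workaround(EXPECTED))           # 2406:da1c:a1e:1234::/64
    # Constructed edge case: when the zero run is longer than the last four
    # groups, the string workaround is valid but not canonical, so a plain
    # string compare against the resource value would still report drift.
    print(fn_cidr_workaround("2406:da1c:0:0:0:0:0:0/64"))  # 2406:da1c:0:0::/64
    print(canonical_cidr("2406:da1c:0:0:0:0:0:0/64"))      # 2406:da1c::/64
```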