packer-plugin-amazon

Provisioning over IPv6 not possible

Open · A1bi opened this issue 2 years ago · 1 comment

Currently provisioning instances via IPv6 is not possible. I encountered the following issues:

  1. No IPv6 address is assigned to the EC2 instance (in case IPv6 subnets exist) and there is no way to force it.
  2. The plugin by default creates a security group rule to allow SSH only for 0.0.0.0/0. It needs to create the same rule for ::/0 for IPv6, too.
  3. You also cannot explicitly force this by setting temporary_security_group_source_cidrs to ::/0, because that configuration option does not support IPv6 prefixes, which is not documented.
  4. The plugin never tries to connect to SSH via IPv6 if available. When ssh_interface is set to public_ip (default) or private_ip it should choose the assigned IPv6 address first.

This makes it impossible to use this plugin in IPv6-only environments.

A1bi · Dec 07 '22 14:12

After further investigation I suggest the following solutions:

  1. Automatically assigning an IPv6 address to the instance can only be done if we also check whether the used subnet has an IPv6 prefix assigned. As a first step we could instead add a new config option associate_ipv6_address (false by default so we don't break existing setups with IPv4-only VPCs/subnets) that would eliminate the need for an automatic check.
  2. Just always add ::/0 to the security group rules by default even if we don't use IPv6.
  3. Parse the prefixes in temporary_security_group_source_cidrs and add them to a new list containing instances of ec2.Ipv6Range if they are IPv6. That list can then be added to the ec2.IpPermission (field Ipv6Ranges).
  4. Connecting to SSH via IPv6 is tricky since it depends on whether the host running Packer has IPv6 connectivity, and we cannot easily check for that. Normally you would simply achieve that with dual-stack DNS hostnames and Happy Eyeballs (RFC 6555, trying IPv6 first with IPv4 as fallback), but since AWS does not provide a public dual-stack hostname for EC2 instances this won't work. Instead I suggest adding a new value for ssh_interface, something like public_ipv6 or just ipv6. That way Packer will specifically choose the instance's IPv6 address to connect to it, which should work together with the aforementioned associate_ipv6_address option.

This of course means IPv6 will still be opt-in, because the mentioned config options need to be set accordingly, but it's better than not being able to connect via IPv6 at all.

I'll have a look if I can provide a PR.

A1bi · Dec 08 '22 09:12
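The following is an added example illustrating points 2, 3 and 4 of the proposal above (dual-stack default source CIDRs, splitting temporary_security_group_source_cidrs into the IPv4 and IPv6 range lists of one security group rule, and a dedicated ssh_interface value for IPv6). It is not code from packer-plugin-amazon or from the issue author. To run without the AWS SDK it uses a local struct, `ipPermission`, that only mirrors the relevant fields of ec2.IpPermission (the real type wraps each CIDR in an ec2.IpRange / ec2.Ipv6Range value); the value name `public_ipv6` and the helper names `buildSSHPermission` and `sshAddress` are assumptions for the example, not existing plugin identifiers.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ipPermission is a local stand-in for the fields of the AWS SDK's
// ec2.IpPermission used here: IpRanges carries IPv4 CIDRs, Ipv6Ranges IPv6
// CIDRs. The real type wraps each string in ec2.IpRange / ec2.Ipv6Range and
// uses pointer fields; plain strings keep this example runnable without the SDK.
type ipPermission struct {
	IpProtocol string
	FromPort   int
	ToPort     int
	IpRanges   []string
	Ipv6Ranges []string
}

// defaultSourceCIDRs is the default assumed by this example when the user sets
// no temporary_security_group_source_cidrs: open to both address families, as
// proposed in the comment above (the plugin itself currently uses only 0.0.0.0/0).
var defaultSourceCIDRs = []string{"0.0.0.0/0", "::/0"}

// buildSSHPermission splits the configured source CIDRs by address family into
// the two range lists of a single TCP rule for `port`. Every entry must be a
// valid CIDR prefix; a bad entry is reported at config time instead of as an
// opaque API error later.
func buildSSHPermission(cidrs []string, port int) (ipPermission, error) {
	if len(cidrs) == 0 {
		cidrs = defaultSourceCIDRs
	}
	perm := ipPermission{IpProtocol: "tcp", FromPort: port, ToPort: port}
	for _, raw := range cidrs {
		prefix, err := netip.ParsePrefix(strings.TrimSpace(raw))
		if err != nil {
			return ipPermission{}, fmt.Errorf(
				"temporary_security_group_source_cidrs: %q is not a valid IPv4 or IPv6 CIDR: %w", raw, err)
		}
		// Canonicalise (clear host bits) so the rule requested is exactly the
		// rule that ends up in the group, e.g. 10.1.2.3/8 -> 10.0.0.0/8.
		prefix = prefix.Masked()
		addr := prefix.Addr()
		switch {
		case addr.Is4():
			perm.IpRanges = append(perm.IpRanges, prefix.String())
		case addr.Is4In6():
			// ::ffff:a.b.c.d/n is IPv4 in IPv6 clothing and belongs in
			// neither list; reject it rather than silently mis-filing it.
			return ipPermission{}, fmt.Errorf(
				"temporary_security_group_source_cidrs: IPv4-mapped prefix %q is not supported, use the plain IPv4 CIDR", raw)
		default:
			perm.Ipv6Ranges = append(perm.Ipv6Ranges, prefix.String())
		}
	}
	return perm, nil
}

// sshAddress picks the address Packer would dial for a given ssh_interface.
// "public_ipv6" is the hypothetical new value suggested in the comment; the
// other two are existing values. An interface whose address was never
// assigned (e.g. no IPv6 on the subnet) is an error, not a silent fallback.
func sshAddress(iface, publicIPv4, privateIPv4, ipv6 string) (string, error) {
	var addr string
	switch iface {
	case "public_ip":
		addr = publicIPv4
	case "private_ip":
		addr = privateIPv4
	case "public_ipv6":
		addr = ipv6
	default:
		return "", fmt.Errorf("ssh_interface: unknown value %q", iface)
	}
	if addr == "" {
		return "", fmt.Errorf("ssh_interface %q selected but the instance has no such address", iface)
	}
	return addr, nil
}

func main() {
	// Constructed sample input: documentation prefixes, not real networks.
	perm, err := buildSSHPermission([]string{"203.0.113.0/24", "2001:db8::/32"}, 22)
	if err != nil {
		panic(err)
	}
	fmt.Printf("IpRanges=%v Ipv6Ranges=%v\n", perm.IpRanges, perm.Ipv6Ranges)
	addr, err := sshAddress("public_ipv6", "198.51.100.7", "10.0.0.5", "2001:db8::1")
	fmt.Println(addr, err)
}
```

The split is done on the parsed address family rather than on the presence of a colon, so IPv4-mapped IPv6 prefixes are rejected explicitly instead of ending up in the wrong list, and a missing IPv6 address with ssh_interface set to the IPv6 value fails loudly rather than quietly connecting over IPv4.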