From 6cff889df1df2e960a80a487c82ea2758d76766c Mon Sep 17 00:00:00 2001
From: Pavel Raunou <praunou@paloaltonetworks.com>
Date: Thu, 12 Sep 2024 22:36:34 +0200
Subject: [PATCH] Add IPv6 support to the lb_external module

---
 modules/lb_external/README.md    |  2 +-
 modules/lb_external/main.tf      | 12 ++++++------
 modules/lb_external/variables.tf |  9 ++++++---
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/modules/lb_external/README.md b/modules/lb_external/README.md
index 6762339..b5e67d3 100644
--- a/modules/lb_external/README.md
+++ b/modules/lb_external/README.md
@@ -65,7 +65,7 @@ No modules.
 | <a name="input_network_tier"></a> [network\_tier](#input\_network\_tier) | The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. Possible values are PREMIUM and STANDARD. | `string` | `"PREMIUM"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The project to deploy to. If unset the default provider project is used. | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | GCP region to deploy to. If unset the default provider region is used. | `string` | `null` | no |
-| <a name="input_rules"></a> [rules](#input\_rules) | Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes:<br><br>- `port_range`: (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).<br>- `ip_address`: (Optional) A public IP address on which to listen, must be in the same region as the LB and must be IPv4. If empty, automatically generates a new non-ephemeral IP on a PREMIUM tier.<br>- `ip_protocol`: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3\_DEFAULT. Default is TCP.<br>- `all_ports`: (Optional) Allows all ports to be forwarded to the Backend Service | `any` | n/a | yes |
+| <a name="input_rules"></a> [rules](#input\_rules) | Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes:<br><br>- `port_range` : (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).<br>- `ip_version` : (Optional) The IP version that will be used by this Load Balancer rule. Possible values are: IPV4 (default), IPV6.<br>- `ip_address` : (Optional) An existing public IP address on which to listen, must be in the same region as the LB. IP version must correspond `ip_version`. <br>                 In case of IPv6 address specify address with a netmask, for example: 2600:1900:4020:bd2:8000:1::/96.<br>                 If empty, a new non-ephemeral IP address is created on the PREMIUM tier.<br>- `ip_protocol`: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3\_DEFAULT. Default is TCP.<br>- `all_ports`  : (Optional) Allows all ports to be forwarded to the Backend Service. | `any` | n/a | yes |
 | <a name="input_session_affinity"></a> [session\_affinity](#input\_session\_affinity) | Controls distribution of new connections (or fragmented UDP packets) from clients to the backends, can influence available connection tracking configurations.<br>Valid values are: NONE (default), CLIENT\_IP, CLIENT\_IP\_PROTO, CLIENT\_IP\_PORT\_PROTO (only available for backend service based rules). | `string` | `"NONE"` | no |
 | <a name="input_subnetwork"></a> [subnetwork](#input\_subnetwork) | Subnetwork for an IPv6 address creation. Required only for IPv6 load balancer rules. | `string` | `null` | no |
 
diff --git a/modules/lb_external/main.tf b/modules/lb_external/main.tf
index ae26326..cae1179 100755
--- a/modules/lb_external/main.tf
+++ b/modules/lb_external/main.tf
@@ -20,9 +20,9 @@ resource "google_compute_address" "this" {
   address_type       = "EXTERNAL"
   region             = var.region
   project            = var.project
-  ip_version         = try(each.value.ip_version, null)
-  ipv6_endpoint_type = try(each.value.ip_version, null) == "IPV6" ? "NETLB" : null
-  subnetwork         = try(each.value.ip_version, null) == "IPV6" ? var.subnetwork : null
+  ip_version         = try(each.value.ip_version, "IPV4")
+  ipv6_endpoint_type = try(each.value.ip_version, "IPV4") == "IPV6" ? "NETLB" : null
+  subnetwork         = try(each.value.ip_version, "IPV4") == "IPV6" ? var.subnetwork : null
 }
 
 # Create forwarding rule for each specified rule
@@ -50,14 +50,14 @@ resource "google_compute_forwarding_rule" "rule" {
   #   If false set value to the value of `port_range`. If `port_range` isn't specified, then set the value to `null`.
   port_range = lookup(each.value, "ip_protocol", "TCP") == "L3_DEFAULT" ? null : lookup(each.value, "port_range", null)
 
-  ip_address = try(each.value.ip_address, each.value.ip_version == "IPV4" ? (
+  ip_address = try(each.value.ip_address, try(each.value.ip_version, "IPV4") == "IPV4" ? (
     google_compute_address.this[each.key].address
     ) : (
     "${google_compute_address.this[each.key].address}/${google_compute_address.this[each.key].prefix_length}"
   ))
   ip_protocol = lookup(each.value, "ip_protocol", "TCP")
-  ip_version  = lookup(each.value, "ip_version", null)
-  subnetwork  = lookup(each.value, "ip_version", null) == "IPV6" ? var.subnetwork : null
+  ip_version  = lookup(each.value, "ip_version", "IPV4")
+  subnetwork  = lookup(each.value, "ip_version", "IPV4") == "IPV6" ? var.subnetwork : null
 }
 
 # Create `google_compute_target_pool` if required by `var.rules`
diff --git a/modules/lb_external/variables.tf b/modules/lb_external/variables.tf
index 5092466..a3bf084 100644
--- a/modules/lb_external/variables.tf
+++ b/modules/lb_external/variables.tf
@@ -19,10 +19,13 @@ variable "rules" {
   description = <<-EOF
   Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes:
 
-  - `port_range`: (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).
-  - `ip_address`: (Optional) A public IP address on which to listen, must be in the same region as the LB and must be IPv4. If empty, automatically generates a new non-ephemeral IP on a PREMIUM tier.
+  - `port_range` : (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).
+  - `ip_version` : (Optional) The IP version that will be used by this Load Balancer rule. Possible values are: IPV4 (default), IPV6.
+  - `ip_address` : (Optional) An existing public IP address on which to listen, must be in the same region as the LB. IP version must correspond `ip_version`. 
+                   In case of IPv6 address specify address with a netmask, for example: 2600:1900:4020:bd2:8000:1::/96.
+                   If empty, a new non-ephemeral IP address is created on the PREMIUM tier.
   - `ip_protocol`: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3_DEFAULT. Default is TCP.
-  - `all_ports`: (Optional) Allows all ports to be forwarded to the Backend Service
+  - `all_ports`  : (Optional) Allows all ports to be forwarded to the Backend Service.
 
   EOF
 }