Running ref-arch CIDR change impact

Answer

Hello Gruntwork Team,

When the reference architecture was set up for the first time, we configured the IP ranges below:

```hcl
# Map of account name to VPC CIDR blocks to use for the mgmt VPC.
mgmt_vpc_cidrs = {
  logs     = "172.31.80.0/20"
  prod     = "172.31.80.0/20"
  security = "172.31.80.0/20"
  shared   = "172.31.80.0/20"
  sit      = "172.31.80.0/20"
  stage    = "172.31.80.0/20"
  uat      = "172.31.80.0/20"
}

# Map of account name to VPC CIDR blocks to use for the app VPC.
app_vpc_cidrs = {
  prod  = "10.6.0.0/16"
  sit   = "10.0.0.0/16"
  stage = "10.4.0.0/16"
  uat   = "10.2.0.0/16"
}
```

Now we want to change the IP ranges as below:

```hcl
mgmt_vpc_cidrs = {
  logs     = "11.250.0.0/20"
  prod     = "11.250.0.0/20"
  security = "11.250.0.0/20"
  shared   = "11.250.0.0/20"
  sit      = "11.250.0.0/20"
  stage    = "11.250.0.0/20"
  uat      = "11.250.0.0/20"
}

# Map of account name to VPC CIDR blocks to use for the app VPC.
app_vpc_cidrs = {
  prod  = "11.260.0.0/16"
  sit   = "11.260.0.0/16"
  stage = "11.260.0.0/16"
  uat   = "11.260.0.0/16"
}
```

Questions:

* To implement this, I guess we need to make the change in the `common.hcl` file.
* But how are we going to make this change in the reference architecture?
* Do we need to run the Gruntwork CLI wizard?
* What are the steps we need to take to make this change?
* Is there any impact on the current / existing ref arch setup?
* We also have a reserve pool of IP addresses; how do we extend the CIDR ranges? Please suggest.

Please respond to the above questions; if required, please suggest a suitable time to schedule a call.

---

Tracked in ticket [#109647](https://support.gruntwork.io/hc/requests/109647) (2022-11-24)

Hey @ivishalvarshney, we've discussed these questions internally and here are the responses to your questions above:

> To implement this, I guess we need to make the change in the `common.hcl` file.

Yes, CIDR blocks are managed by default in `common.hcl`. You can find an example [here](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/common.hcl#L59-L73).

> But how are we going to make this change in the reference architecture?

If a VPC has already been created, you cannot change its CIDR block. This is an [AWS limitation](https://aws.amazon.com/premiumsupport/knowledge-center/vpc-ip-address-range/) and has nothing to do with our modules. So if you change the values in `common.hcl` and run `terraform/terragrunt apply`, it won't do what you want! So there are really two paths:

* Extend the CIDR block of the existing VPC. We don't natively support this within our vpc-app module. However, you can [extend the module](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/core-concepts.md#extend-gruntwork-services) and add the additional CIDR block from "outside" the module via the [aws_vpc_ipv4_cidr_block_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) resource.
* Recreate the existing VPC. To do this, you would first need to run destroy on everything deployed into that VPC: every EC2 instance, RDS DB, ECS Task, etc. After that, you can run destroy on the old VPC, change the CIDR block, and run apply. I think the destroy/recreate will also happen automatically if you change `cidr_block` and run apply, but you can potentially face some issues with this.

> Do we need to run the Gruntwork CLI wizard?

No. You do not need to run the Gruntwork CLI wizard for this change.

> What are the steps we need to take to make this change?

The overall approach is explained above. You would have to make changes in the `common.hcl` file and run `terragrunt/terraform apply`.

> Is there any impact on the current / existing ref arch setup?

Explained in one of the previous questions. It would destroy the entire ref arch setup and try to recreate it.

> We also have a reserve pool of IP addresses; how do we extend the CIDR ranges? Please suggest.

You can extend an existing vpc module to provide support for this. Here are the [instructions for extending an existing module](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/core-concepts.md#extend-gruntwork-services).

---

Aside from the questions you raised, here are additional questions/thoughts that would be worth thinking about:

* We recommend using private CIDR blocks from [RFC 1918](https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html#vpc-sizing-ipv4). Why do you want to change the IP addresses from private to public?
* We believe you are not allowed to have a number greater than 255 in your IP address. Is `11.260.0.0/16` a typo?
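Before editing `common.hcl` and running an apply that may destroy and recreate the VPCs, the proposed values can be sanity-checked offline. The script below is an added example, not Gruntwork's code: it uses Python's standard `ipaddress` module to flag CIDRs that are not valid networks (such as an octet above 255), CIDRs outside the RFC 1918 private ranges, and mgmt/app pairs for the same account that overlap (which would block VPC peering). The sample maps are the values from the ticket above.

```python
"""Sanity-check VPC CIDR maps before they go into common.hcl (added example)."""
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_cidr(cidr: str) -> list[str]:
    """Return the problems found for one CIDR string; an empty list means it is fine."""
    try:
        # strict=True also rejects host bits set below the prefix length.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # Covers malformed octets such as "11.260.0.0/16" and bad prefix lengths.
        return [f"{cidr}: not a valid network ({exc})"]
    if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
        return [f"{cidr}: not inside an RFC 1918 private range"]
    return []


def check_vpc_cidrs(mgmt: dict[str, str], app: dict[str, str]) -> list[str]:
    """Check every CIDR in both maps, then report mgmt/app overlaps per account."""
    problems = []
    for name, cidr in list(mgmt.items()) + list(app.items()):
        problems += [f"{name}: {p}" for p in check_cidr(cidr)]
    for account in sorted(mgmt.keys() & app.keys()):
        try:
            m = ipaddress.ip_network(mgmt[account])
            a = ipaddress.ip_network(app[account])
        except ValueError:
            continue  # already reported as invalid above
        if m.overlaps(a):
            problems.append(f"{account}: mgmt {m} overlaps app {a}")
    return problems


# Constructed sample input: the proposed values from the ticket above.
PROPOSED_MGMT = {k: "11.250.0.0/20" for k in ("logs", "prod", "security", "shared", "sit", "stage", "uat")}
PROPOSED_APP = {k: "11.260.0.0/16" for k in ("prod", "sit", "stage", "uat")}

if __name__ == "__main__":
    for line in check_vpc_cidrs(PROPOSED_MGMT, PROPOSED_APP):
        print(line)
```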