r/aws_vpc_ipam_pool: set publicly_advertisable only if public_ip_source = byoip and address_family = ipv6 #39600

Merged
merged 15 commits into from
Oct 8, 2024


@NamanJain8 NamanJain8 commented Oct 4, 2024

Issue:
The following Terraform snippet fails to create a pool in a private scope in IPAM.
main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.70.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc_ipam_pool" "ipv6_pool" {
  count            = 1
  address_family   = "ipv6"
  ipam_scope_id    = "<private scope id>"
  locale           = "us-east-1"
  tags = {
    Name      = "test-ipv6-pool"
  }
}

Error:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc_ipam_pool.ipv6_pool[0] will be created
  + resource "aws_vpc_ipam_pool" "ipv6_pool" {
      + address_family        = "ipv6"
      + arn                   = (known after apply)
      + auto_import           = false
      + id                    = (known after apply)
      + ipam_scope_id         = "ipam-scope-0f7c42d47424ebce8"
      + ipam_scope_type       = (known after apply)
      + locale                = "us-east-1"
      + pool_depth            = (known after apply)
      + publicly_advertisable = false
      + state                 = (known after apply)
      + tags                  = {
          + "Name"      = "test-ipv6-pool"
        }
      + tags_all              = {
          + "Name"      = "test-ipv6-pool"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
aws_vpc_ipam_pool.ipv6_pool[0]: Creating...
╷
│ Error: creating IPAM Pool: InvalidParameterCombination: The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip.
│ 	status code: 400, request id: 4152ddc1-05e1-4288-a894-89ab943fd50f
│
│   with aws_vpc_ipam_pool.ipv6_pool[0],
│   on main.tf line 15, in resource "aws_vpc_ipam_pool" "ipv6_pool":
│   15: resource "aws_vpc_ipam_pool" "ipv6_pool" {
│

Verified the same by writing a simple Go program to create an IPAM pool using the AWS SDK.

Go Code
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
)

func main() {
	// Create a new session
	sess, err := session.NewSessionWithOptions(session.Options{
		Config: aws.Config{
			Region: aws.String("us-east-1"), // Change to your desired region
		},
		SharedConfigState: session.SharedConfigEnable,
	})
	if err != nil {
		log.Fatalf("Failed to create session: %v", err)
	}

	// Create an EC2 service client
	svc := ec2.New(sess)

	// Define the parameters for creating an IPAM pool
	input := &ec2.CreateIpamPoolInput{
		AddressFamily: aws.String("ipv6"), // "ipv4" or "ipv6"
		ClientToken:   aws.String("123"),
		IpamScopeId:   aws.String("ipam-scope-0f7c42d47424ebce8"), // Provide your IPAM scope ID
		Locale:        aws.String("us-east-1"),
		// PubliclyAdvertisable: aws.Bool(false),
	}

	// Create the IPAM pool
	result, err := svc.CreateIpamPoolWithContext(context.Background(), input)
	if err != nil {
		log.Fatalf("Failed to create IPAM pool: %v", err)
	}

	// Output the result
	fmt.Printf("IPAM Pool created: %+v\n", *result.IpamPool)
}

This fails when PubliclyAdvertisable: aws.Bool(false), is uncommented.

Closes #38805.
Closes #38838.

@NamanJain8 NamanJain8 requested a review from a team as a code owner October 4, 2024 19:18

github-actions bot commented Oct 4, 2024

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added service/ipam Issues and PRs that pertain to the ipam service. needs-triage Waiting for first response or review from a maintainer. labels Oct 4, 2024
@NamanJain8 NamanJain8 changed the title fix(ipam): set publicly_advertisable only if public_ip_source = byoip and address_family = ipv6 r/aws_vpc_ipam_pool: set publicly_advertisable only if public_ip_source = byoip and address_family = ipv6 Oct 4, 2024

@github-actions github-actions bot left a comment

Welcome @NamanJain8 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@ewbankkit ewbankkit added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 7, 2024
@ewbankkit ewbankkit self-assigned this Oct 7, 2024
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Oct 7, 2024
@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/vpc Issues and PRs that pertain to the vpc service. labels Oct 8, 2024
Contributor

@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccIPAM_' PKG=ec2 ACCTEST_PARALLELISM=2
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccIPAM_ -timeout 360m
=== RUN   TestAccIPAM_byoipIPv6
    ipam_byoip_test.go:26: Environment variable IPAM_BYOIP_IPV6_MESSAGE, IPAM_BYOIP_IPV6_SIGNATURE, or IPAM_BYOIP_IPV6_PROVISIONED_CIDR is not set
--- SKIP: TestAccIPAM_byoipIPv6 (0.00s)
=== RUN   TestAccIPAM_basic
=== PAUSE TestAccIPAM_basic
=== RUN   TestAccIPAM_disappears
=== PAUSE TestAccIPAM_disappears
=== RUN   TestAccIPAM_description
=== PAUSE TestAccIPAM_description
=== RUN   TestAccIPAM_operatingRegions
=== PAUSE TestAccIPAM_operatingRegions
=== RUN   TestAccIPAM_cascade
=== PAUSE TestAccIPAM_cascade
=== RUN   TestAccIPAM_tier
=== PAUSE TestAccIPAM_tier
=== RUN   TestAccIPAM_tags
=== PAUSE TestAccIPAM_tags
=== RUN   TestAccIPAM_enablePrivateGUA
=== PAUSE TestAccIPAM_enablePrivateGUA
=== CONT  TestAccIPAM_basic
=== CONT  TestAccIPAM_cascade
--- PASS: TestAccIPAM_basic (26.55s)
=== CONT  TestAccIPAM_description
--- PASS: TestAccIPAM_cascade (48.29s)
=== CONT  TestAccIPAM_operatingRegions
--- PASS: TestAccIPAM_description (40.14s)
=== CONT  TestAccIPAM_tags
--- PASS: TestAccIPAM_tags (40.21s)
=== CONT  TestAccIPAM_enablePrivateGUA
--- PASS: TestAccIPAM_operatingRegions (67.86s)
=== CONT  TestAccIPAM_tier
--- PASS: TestAccIPAM_enablePrivateGUA (39.14s)
=== CONT  TestAccIPAM_disappears
--- PASS: TestAccIPAM_disappears (29.16s)
--- PASS: TestAccIPAM_tier (60.32s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	182.059s
% make testacc TESTARGS='-run=TestAccVPCIPv6CIDRBlockAssociation_basic' PKG=ec2 ACCTEST_PARALLELISM=2
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccVPCIPv6CIDRBlockAssociation_basic -timeout 360m
=== RUN   TestAccVPCIPv6CIDRBlockAssociation_basic
=== PAUSE TestAccVPCIPv6CIDRBlockAssociation_basic
=== CONT  TestAccVPCIPv6CIDRBlockAssociation_basic
--- PASS: TestAccVPCIPv6CIDRBlockAssociation_basic (51.79s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	57.659s
% make testacc TESTARGS='-run=TestAccIPAMPool_' PKG=ec2 ACCTEST_PARALLELISM=2
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccIPAMPool_ -timeout 360m
=== RUN   TestAccIPAMPool_basic
=== PAUSE TestAccIPAMPool_basic
=== RUN   TestAccIPAMPool_disappears
=== PAUSE TestAccIPAMPool_disappears
=== RUN   TestAccIPAMPool_ipv6Basic
=== PAUSE TestAccIPAMPool_ipv6Basic
=== RUN   TestAccIPAMPool_ipv6Contiguous
=== PAUSE TestAccIPAMPool_ipv6Contiguous
=== RUN   TestAccIPAMPool_cascade
=== PAUSE TestAccIPAMPool_cascade
=== RUN   TestAccIPAMPool_tags
=== PAUSE TestAccIPAMPool_tags
=== RUN   TestAccIPAMPool_ipv6PrivateScope
=== PAUSE TestAccIPAMPool_ipv6PrivateScope
=== CONT  TestAccIPAMPool_basic
=== CONT  TestAccIPAMPool_cascade
--- PASS: TestAccIPAMPool_basic (54.02s)
=== CONT  TestAccIPAMPool_ipv6PrivateScope
--- PASS: TestAccIPAMPool_cascade (63.44s)
=== CONT  TestAccIPAMPool_tags
--- PASS: TestAccIPAMPool_ipv6PrivateScope (67.75s)
=== CONT  TestAccIPAMPool_ipv6Basic
--- PASS: TestAccIPAMPool_tags (60.20s)
=== CONT  TestAccIPAMPool_ipv6Contiguous
--- PASS: TestAccIPAMPool_ipv6Contiguous (60.37s)
=== CONT  TestAccIPAMPool_disappears
--- PASS: TestAccIPAMPool_ipv6Basic (62.78s)
--- PASS: TestAccIPAMPool_disappears (57.45s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	245.866s

@ewbankkit
Contributor

@NamanJain8 Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit b92b36b into hashicorp:main Oct 8, 2024
53 checks passed
@github-actions github-actions bot added this to the v5.71.0 milestone Oct 8, 2024
@NamanJain8 NamanJain8 deleted the b-aws-ipam-pool-private-scope branch October 9, 2024 06:02
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Oct 15, 2024

This functionality has been released in v5.72.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@sshankman

I believe this broke the functionality to be able to make an ipv6 ipam pool when the source is set to "amazon". In 5.70, I am able to do so, but I can no longer do so in 5.72. It looks like the publicly_advertisable attribute is always being sent to aws for anything ipv6 and aws rejects the command when the source is amazon.

It also appears that none of the test cases check that scenario which is probably why it was not caught?
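
The rule quoted in the API error in the PR description, exercised against the private-scope case and the "amazon" source case from the comment above, as an added example (not the provider's code). The `poolConfig` and `createPoolRequest` types and `buildRequest` are hypothetical stand-ins, and rejecting an explicit `true` outside the allowed combination is an assumption of this sketch.

```go
package main

import "fmt"

// poolConfig is a hypothetical stand-in for the resource arguments in the PR.
type poolConfig struct {
	AddressFamily        string // "ipv4" or "ipv6"
	PublicIPSource       string // "", "amazon" or "byoip"
	PubliclyAdvertisable bool
}

// createPoolRequest is a hypothetical stand-in for the API input; a nil
// PubliclyAdvertisable means the field is left out of the request entirely.
type createPoolRequest struct {
	AddressFamily        string
	PublicIPSource       *string
	PubliclyAdvertisable *bool
}

// buildRequest sends PubliclyAdvertisable only for the combination the API
// error on this page allows: AddressFamily ipv6 AND PublicIpSource byoip.
func buildRequest(c poolConfig) (createPoolRequest, error) {
	req := createPoolRequest{AddressFamily: c.AddressFamily}
	if c.PublicIPSource != "" {
		src := c.PublicIPSource
		req.PublicIPSource = &src
	}
	allowed := c.AddressFamily == "ipv6" && c.PublicIPSource == "byoip"
	switch {
	case allowed:
		adv := c.PubliclyAdvertisable // false is still sent for BYOIP pools
		req.PubliclyAdvertisable = &adv
	case c.PubliclyAdvertisable:
		// Assumption: fail before the API call instead of dropping the flag.
		return req, fmt.Errorf("publicly_advertisable requires address_family=ipv6 and public_ip_source=byoip")
	}
	return req, nil
}

func main() {
	// Constructed cases: private scope, Amazon-provided, BYOIP.
	for _, c := range []poolConfig{
		{AddressFamily: "ipv6"},
		{AddressFamily: "ipv6", PublicIPSource: "amazon"},
		{AddressFamily: "ipv6", PublicIPSource: "byoip", PubliclyAdvertisable: true},
	} {
		req, err := buildRequest(c)
		fmt.Printf("%+v -> sent=%v err=%v\n", c, req.PubliclyAdvertisable != nil, err)
	}
}
```
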


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 25, 2024
Successfully merging this pull request may close these issues.

Private IPv6 addressing for VPCs and subnets