vpc: ipam pool under vpc.ipv6 should be used for VPC IPv6 CIDR

tthvo · tthvo · commit 57d87ba70bc3 · 2025-10-30T20:31:44.000-07:00
The field awscluster.spec.network.vpc.ipv6.ipamPool defines the IPAM
pool to allocate an IPv6 CIDR for the VPC. Previously, CAPA only
considers field awscluster.spec.network.vpc.ipamPool, which is used only
for VPC IPv4 CIDR allocation.

Additionally, CAPA should preserve the ipv6 spec fields, provided by the
users, for example, the ipv6 ipamPool. Previously, these spec fields
are lost during vpc reconcilation.
diff --git a/pkg/cloud/services/network/vpc.go b/pkg/cloud/services/network/vpc.go
@@ -58,6 +58,10 @@ func (s *Service) reconcileVPC() error {
 
 		s.scope.VPC().CidrBlock = vpc.CidrBlock
 		if s.scope.VPC().IsIPv6Enabled() {
+			if vpc.IPv6 != nil {
+				// Preserve spec fields are not available when describing vpcs
+				vpc.IPv6.IPAMPool = s.scope.VPC().IPv6.IPAMPool
+			}
 			s.scope.VPC().IPv6 = vpc.IPv6
 		}
 		if s.scope.TagUnmanagedNetworkResources() {
@@ -107,7 +111,6 @@ func (s *Service) reconcileVPC() error {
 
 	// .spec.vpc.id is nil. This means no managed VPC exists or we failed to save its ID before. Check if a managed VPC
 	// with the desired name exists, or if not, create a new managed VPC.
-
 	vpc, err := s.describeVPCByName()
 	if err == nil {
 		// An VPC already exists with the desired name
@@ -133,10 +136,17 @@ func (s *Service) reconcileVPC() error {
 	}
 
 	s.scope.VPC().CidrBlock = vpc.CidrBlock
-	s.scope.VPC().IPv6 = vpc.IPv6
 	s.scope.VPC().Tags = vpc.Tags
 	s.scope.VPC().ID = vpc.ID
 
+	if s.scope.VPC().IsIPv6Enabled() {
+		if vpc.IPv6 != nil {
+			// Preserve spec fields are not available when describing vpcs
+			vpc.IPv6.IPAMPool = s.scope.VPC().IPv6.IPAMPool
+		}
+		s.scope.VPC().IPv6 = vpc.IPv6
+	}
+
 	if !conditions.Has(s.scope.InfraCluster(), infrav1.VpcReadyCondition) {
 		conditions.MarkFalse(s.scope.InfraCluster(), infrav1.VpcReadyCondition, infrav1.VpcCreationStartedReason, clusterv1.ConditionSeverityInfo, "")
 		if err := s.scope.PatchObject(); err != nil {
@@ -382,15 +392,15 @@ func (s *Service) ensureManagedVPCAttributes(vpc *infrav1.VPCSpec) error {
 	return nil
 }
 
-func (s *Service) getIPAMPoolID() (*string, error) {
+func (s *Service) getIPAMPoolID(ipamPool *infrav1.IPAMPool) (*string, error) {
 	input := &ec2.DescribeIpamPoolsInput{}
 
-	if s.scope.VPC().IPAMPool.ID != "" {
-		input.Filters = append(input.Filters, filter.EC2.IPAM(s.scope.VPC().IPAMPool.ID))
+	if ipamPool.ID != "" {
+		input.Filters = append(input.Filters, filter.EC2.IPAM(ipamPool.ID))
 	}
 
-	if s.scope.VPC().IPAMPool.Name != "" {
-		input.Filters = append(input.Filters, filter.EC2.Name(s.scope.VPC().IPAMPool.Name))
+	if ipamPool.Name != "" {
+		input.Filters = append(input.Filters, filter.EC2.Name(ipamPool.Name))
 	}
 
 	output, err := s.EC2Client.DescribeIpamPools(context.TODO(), input)
@@ -426,7 +436,7 @@ func (s *Service) createVPC() (*infrav1.VPCSpec, error) {
 			input.Ipv6Pool = aws.String(s.scope.VPC().IPv6.PoolID)
 			input.AmazonProvidedIpv6CidrBlock = aws.Bool(false)
 		case s.scope.VPC().IPv6.IPAMPool != nil:
-			ipamPoolID, err := s.getIPAMPoolID()
+			ipamPoolID, err := s.getIPAMPoolID(s.scope.VPC().IPv6.IPAMPool)
 			if err != nil {
 				return nil, errors.Wrap(err, "failed to get IPAM Pool ID")
 			}
@@ -444,7 +454,7 @@ func (s *Service) createVPC() (*infrav1.VPCSpec, error) {
 
 	// IPv4-specific configuration
 	if s.scope.VPC().IPAMPool != nil {
-		ipamPoolID, err := s.getIPAMPoolID()
+		ipamPoolID, err := s.getIPAMPoolID(s.scope.VPC().IPAMPool)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to get IPAM Pool ID")
 		}
