HOWTO: Configure REQUIRE_IPAM Enforcement for a Module
Purpose: Enable and validate the REQUIRE_IPAM constraint on a provisioning module to block runs with unallocated IP addresses.
Difficulty: Intermediate
Track: IPAM-Driven Infrastructure
Overview
The REQUIRE_IPAM constraint is the technical enforcement of the HybridOps rule that all provisioning must flow through NetBox addressing. Adding it to a module contract means that preflight will fail (with a clear diagnostic) if any target IP does not have a valid NetBox allocation. This HOWTO covers declaring the constraint and configuring its validation parameters.
1. Understanding the Constraint
- What REQUIRE_IPAM checks and when.
- How it integrates with the preflight phase.
- The diagnostic output on failure.
2. Declaring the Constraint in the Module Contract
- Contract block syntax for REQUIRE_IPAM.
- Scope: which input fields are checked.
- Status filter: active, reserved, or custom tags.
3. Configuring the NetBox Query
- NetBox endpoint and token configuration.
- Prefix scope for allocation lookup.
- Handling multi-site and multi-tenant environments.
4. Testing the Enforcement
- Confirming a blocked run on an unallocated IP.
- Confirming a clean preflight on a valid allocation.
- Edge cases: reserved IPs, duplicate allocations.
5. Applying to Production Profiles
- Adding the constraint to production profile policy.
- Overriding the constraint in dev profiles for flexibility.
- Audit trail: constraint evaluation logged in the run record.
References
- ADR-0104 – Static IP Allocation with Terraform IPAM
- HOWTO: Allocate IPs from NetBox
- HOWTO: Author a Module Spec
License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.