From 8369c4885910f67f47e23c2c2e40016731a5983a Mon Sep 17 00:00:00 2001 From: k1rk <8kirk8@gmail.com> Date: Fri, 2 Feb 2024 23:51:40 +0800 Subject: [PATCH 1/7] added support for different size ipv6 cidrs --- internal/service/ec2/vpc_.go | 9 ++++++--- internal/service/ec2/vpc_default_vpc.go | 4 ++-- internal/service/ec2/vpc_ipv6_cidr_block_association.go | 4 ++-- website/docs/r/vpc.html.markdown | 2 +- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index 45c62b56076..9efa1a4e68d 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go @@ -34,9 +34,12 @@ import ( const ( VPCCIDRMaxIPv4 = 28 VPCCIDRMinIPv4 = 16 - VPCCIDRMaxIPv6 = 56 + VPCCIDRMaxIPv6 = 60 + VPCCIDRMinIPv6 = 44 ) +var VPCCIDRValidIPv6Masks = []int{44, 48, 52, 56, 60} + // @SDKResource("aws_vpc", name="VPC") // @Tags(identifierAttribute="id") func ResourceVPC() *schema.Resource { @@ -141,7 +144,7 @@ func ResourceVPC() *schema.Resource { RequiredWith: []string{"ipv6_ipam_pool_id"}, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -157,7 +160,7 @@ func ResourceVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), + ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, diff --git a/internal/service/ec2/vpc_default_vpc.go b/internal/service/ec2/vpc_default_vpc.go index 09badf17c12..de96728642e 100644 --- a/internal/service/ec2/vpc_default_vpc.go +++ b/internal/service/ec2/vpc_default_vpc.go 
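Review bot: The `ipv6_cidr_block` validator now calls `validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)`, which accepts every prefix length from /44 to /60, while `ipv6_netmask_length` in the same schema is limited to `VPCCIDRValidIPv6Masks` (44, 48, 52, 56, 60). A /45 or /57 block would therefore pass plan-time validation and presumably only be rejected by the EC2 API at apply time. The string validator should enforce the same set, for example `validation.Any(validation.IsCIDRNetwork(44, 44), validation.IsCIDRNetwork(48, 48), …)` built from the slice. The same mismatch is in the `vpc_default_vpc.go` and `vpc_ipv6_cidr_block_association.go` hunks; the schema functions start and end outside each hunk.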
@@ -119,7 +119,7 @@ func ResourceDefaultVPC() *schema.Resource { RequiredWith: []string{"ipv6_ipam_pool_id"}, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -135,7 +135,7 @@ func ResourceDefaultVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), + ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, diff --git a/internal/service/ec2/vpc_ipv6_cidr_block_association.go b/internal/service/ec2/vpc_ipv6_cidr_block_association.go index 1ff8413f9d6..18500385a12 100644 --- a/internal/service/ec2/vpc_ipv6_cidr_block_association.go +++ b/internal/service/ec2/vpc_ipv6_cidr_block_association.go @@ -49,7 +49,7 @@ func ResourceVPCIPv6CIDRBlockAssociation() *schema.Resource { ForceNew: true, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), }, // ipam parameters are not required by the API but other usage mechanisms are not implemented yet. TODO ipv6 options: // --amazon-provided-ipv6-cidr-block @@ -63,7 +63,7 @@ func ResourceVPCIPv6CIDRBlockAssociation() *schema.Resource { Type: schema.TypeInt, Optional: true, ForceNew: true, - ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), + ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), ConflictsWith: []string{"ipv6_cidr_block"}, // This RequiredWith setting should be applied once L57 is completed // RequiredWith: []string{"ipv6_ipam_pool_id"}, diff --git a/website/docs/r/vpc.html.markdown b/website/docs/r/vpc.html.markdown index 43b011ef6ea..d9207deaa9b 100644 
--- a/website/docs/r/vpc.html.markdown +++ b/website/docs/r/vpc.html.markdown @@ -74,7 +74,7 @@ This resource supports the following arguments: * `ipv4_netmask_length` - (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a `ipv4_ipam_pool_id`. * `ipv6_cidr_block` - (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. * `ipv6_ipam_pool_id` - (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. -* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. +* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values are from `44` to `60` in increments of 4. * `ipv6_cidr_block_network_border_group` - (Optional) By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. * `enable_dns_support` - (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults to true. * `enable_network_address_usage_metrics` - (Optional) Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false. From 331a28cd77c8108932cddd5be0c298dcdb210937 Mon Sep 17 00:00:00 2001 From: k1rk <8kirk8@gmail.com> Date: Fri, 2 Feb 2024 23:56:18 +0800 Subject: [PATCH 2/7] add changelog --- .changelog/35614.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .changelog/35614.txt diff --git a/.changelog/35614.txt b/.changelog/35614.txt new file mode 100644 index 00000000000..edfcb9bf5dd --- /dev/null 
+++ b/.changelog/35614.txt @@ -0,0 +1,7 @@ +```release-note:bug +resource/aws_vpc: add support for different sizes of ipv6_cidr_block +``` + +```release-note:bug +resource/aws_vpc_ipv6_cidr_block_association: add support for different sizes of ipv6_cidr_block +``` From 463232aa708ac2274c0e81e98f770937d302cd0b Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 26 Jul 2024 10:48:27 -0400 Subject: [PATCH 3/7] Revert "added support for different size ipv6 cidrs" This reverts commit 8369c4885910f67f47e23c2c2e40016731a5983a. --- internal/service/ec2/vpc_.go | 9 +++------ internal/service/ec2/vpc_default_vpc.go | 4 ++-- internal/service/ec2/vpc_ipv6_cidr_block_association.go | 4 ++-- website/docs/r/vpc.html.markdown | 2 +- 4 files changed, 8 insertions(+), 11 deletions(-) diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index 9efa1a4e68d..45c62b56076 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go @@ -34,12 +34,9 @@ import ( const ( VPCCIDRMaxIPv4 = 28 VPCCIDRMinIPv4 = 16 - VPCCIDRMaxIPv6 = 60 - VPCCIDRMinIPv6 = 44 + VPCCIDRMaxIPv6 = 56 ) -var VPCCIDRValidIPv6Masks = []int{44, 48, 52, 56, 60} - // @SDKResource("aws_vpc", name="VPC") // @Tags(identifierAttribute="id") func ResourceVPC() *schema.Resource { @@ -144,7 +141,7 @@ func ResourceVPC() *schema.Resource { RequiredWith: []string{"ipv6_ipam_pool_id"}, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -160,7 +157,7 @@ func ResourceVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), + ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, 
diff --git a/internal/service/ec2/vpc_default_vpc.go b/internal/service/ec2/vpc_default_vpc.go index de96728642e..09badf17c12 100644 --- a/internal/service/ec2/vpc_default_vpc.go +++ b/internal/service/ec2/vpc_default_vpc.go @@ -119,7 +119,7 @@ func ResourceDefaultVPC() *schema.Resource { RequiredWith: []string{"ipv6_ipam_pool_id"}, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -135,7 +135,7 @@ func ResourceDefaultVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), + ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, diff --git a/internal/service/ec2/vpc_ipv6_cidr_block_association.go b/internal/service/ec2/vpc_ipv6_cidr_block_association.go index 18500385a12..1ff8413f9d6 100644 --- a/internal/service/ec2/vpc_ipv6_cidr_block_association.go +++ b/internal/service/ec2/vpc_ipv6_cidr_block_association.go @@ -49,7 +49,7 @@ func ResourceVPCIPv6CIDRBlockAssociation() *schema.Resource { ForceNew: true, ValidateFunc: validation.All( verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(VPCCIDRMinIPv6, VPCCIDRMaxIPv6)), + validation.IsCIDRNetwork(VPCCIDRMaxIPv6, VPCCIDRMaxIPv6)), }, // ipam parameters are not required by the API but other usage mechanisms are not implemented yet. TODO ipv6 options: // --amazon-provided-ipv6-cidr-block 
@@ -63,7 +63,7 @@ func ResourceVPCIPv6CIDRBlockAssociation() *schema.Resource { Type: schema.TypeInt, Optional: true, ForceNew: true, - ValidateFunc: validation.IntInSlice(VPCCIDRValidIPv6Masks), + ValidateFunc: validation.IntInSlice([]int{VPCCIDRMaxIPv6}), ConflictsWith: []string{"ipv6_cidr_block"}, // This RequiredWith setting should be applied once L57 is completed // RequiredWith: []string{"ipv6_ipam_pool_id"}, diff --git a/website/docs/r/vpc.html.markdown b/website/docs/r/vpc.html.markdown index d9207deaa9b..43b011ef6ea 100644 --- a/website/docs/r/vpc.html.markdown +++ b/website/docs/r/vpc.html.markdown 
@@ -74,7 +74,7 @@ This resource supports the following arguments: * `ipv4_netmask_length` - (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a `ipv4_ipam_pool_id`. * `ipv6_cidr_block` - (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. * `ipv6_ipam_pool_id` - (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. -* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values are from `44` to `60` in increments of 4. +* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. * `ipv6_cidr_block_network_border_group` - (Optional) By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. * `enable_dns_support` - (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults to true. * `enable_network_address_usage_metrics` - (Optional) Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false. From e5a47d4913faf447975c3fe33fa66832571cb197 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 26 Jul 2024 11:26:44 -0400 Subject: [PATCH 4/7] Add 'tfslices.Range'. --- internal/slices/slices.go | 34 +++++++++++++- internal/slices/slices_test.go | 84 ++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 1 deletion(-) diff --git a/internal/slices/slices.go b/internal/slices/slices.go index 380a5307879..dccfa9f3814 100644 --- a/internal/slices/slices.go 
+++ b/internal/slices/slices.go @@ -3,7 +3,9 @@ package slices -import "slices" +import ( + "slices" +) // Reverse returns a reversed copy of the slice `s`. func Reverse[S ~[]E, E any](s S) S { @@ -146,3 +148,33 @@ func IndexOf[S ~[]any, E comparable](s S, v E) int { } return -1 } + +type signed interface { + ~int | ~int32 | ~int64 +} + +// Range returns a slice of integers from `start` to `stop` (exclusive) using the specified `step`. +func Range[T signed](start, stop, step T) []T { + v := make([]T, 0) + + switch { + case step > 0: + if start >= stop { + return nil + } + for i := start; i < stop; i += step { + v = append(v, i) + } + case step < 0: + if start <= stop { + return nil + } + for i := start; i > stop; i += step { + v = append(v, i) + } + default: + return nil + } + + return v +} diff --git a/internal/slices/slices_test.go b/internal/slices/slices_test.go index 919792a3ce8..8be44a0d253 100644 --- a/internal/slices/slices_test.go +++ b/internal/slices/slices_test.go 
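Review bot: `Range` may never terminate when `i += step` overflows, because Go signed integers wrap silently: in the ascending branch a wrapped `i` is negative and still `< stop`, so `append` keeps growing `v` until memory runs out. The callers in this series pass small constants, so the problem is latent, but the helper is generic over `~int32` and `~int64` and is exported from a shared package. Guard the increment as the last statement of each loop body, `if i >= stop-step { break }` in the ascending branch and `if i <= stop-step { break }` in the descending one, and add a `TestRange` entry with `stop` near the type's limit. Separately, `make([]T, 0)` is allocated before the branches that return nil; `var v []T` avoids that.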
@@ -328,3 +328,87 @@ func TestIndexOf(t *testing.T) { }) } } + +func TestRange(t *testing.T) { + t.Parallel() + + type testCase struct { + start, stop, step int + expected []int + } + tests := map[string]testCase{ + "0 step": { + start: 0, + stop: 10, + step: 0, + expected: nil, + }, + "start == stop": { + start: 0, + stop: 0, + step: 1, + expected: nil, + }, + "start == 0, step == 1": { + start: 0, + stop: 10, + step: 1, + expected: []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, + }, + "start == 1, step == 1": { + start: 1, + stop: 11, + step: 1, + expected: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, + }, + "start == 0, step == 5": { + start: 0, + stop: 30, + step: 5, + expected: []int{0, 5, 10, 15, 20, 25}, + }, + "start == 0, step == 11": { + start: 0, + stop: 30, + step: 11, + expected: []int{0, 11, 22}, + }, + "start == 0, step == -1": { + start: 0, + stop: -10, + step: -1, + expected: []int{0, -1, -2, -3, -4, -5, -6, -7, -8, -9}, + }, + "start == 0, stop = 5, step == -1": { + start: 0, + stop: 5, + step: -1, + expected: nil, + }, + "start == 0, stop = -5, step == 1": { + start: 0, + stop: -5, + step: 1, + expected: nil, + }, + "start == 1, step == -5": { + start: 1, + stop: -30, + step: -5, + expected: []int{1, -4, -9, -14, -19, -24, -29}, + }, + } + + for name, test := range tests { + name, test := name, test + t.Run(name, func(t *testing.T) { + t.Parallel() + + got := Range(test.start, test.stop, test.step) + + if diff := cmp.Diff(got, test.expected); diff != "" { + t.Errorf("unexpected diff (+wanted, -got): %s", diff) + } + }) + } +} From 8a26d6180dfd5f5ee2af0bd654d98cbad90dc8c1 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Fri, 26 Jul 2024 11:58:58 -0400 Subject: [PATCH 5/7] VPCs now support more sizes for IPv6 CIDRs. --- .changelog/35614.txt | 24 +++++++++++++++---- internal/service/ec2/vpc_.go | 23 ++++++++++++------ internal/service/ec2/vpc_default_vpc.go | 6 ++--- .../ec2/vpc_ipv6_cidr_block_association.go | 15 +++++------- website/docs/r/vpc.html.markdown | 2 +- 5 files changed, 45 insertions(+), 25 deletions(-) diff --git a/.changelog/35614.txt b/.changelog/35614.txt index edfcb9bf5dd..686c165d3c4 100644 --- a/.changelog/35614.txt +++ b/.changelog/35614.txt @@ -1,7 +1,23 @@ -```release-note:bug -resource/aws_vpc: add support for different sizes of ipv6_cidr_block +```release-note:enhancement +resource/aws_vpc: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 ``` -```release-note:bug -resource/aws_vpc_ipv6_cidr_block_association: add support for different sizes of ipv6_cidr_block +```release-note:enhancement +resource/aws_vpc: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 +``` + +```release-note:enhancement +resource/aws_default_vpc: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 +``` + +```release-note:enhancement +resource/aws_default_vpc: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 +``` + +```release-note:enhancement +resource/aws_vpc_ipv6_cidr_block_association: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 +``` + +```release-note:enhancement +resource/aws_vpc_ipv6_cidr_block_association: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 ``` diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index 406ddb52e18..d31edab06e0 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go 
@@ -24,7 +24,7 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/enum" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" - "github.com/hashicorp/terraform-provider-aws/internal/slices" + tfslices "github.com/hashicorp/terraform-provider-aws/internal/slices" tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" @@ -34,7 +34,18 @@ import ( const ( vpcCIDRMaxIPv4Netmask = 28 vpcCIDRMinIPv4Netmask = 16 - vpcCIDRMaxIPv6Netmask = 56 + vpcCIDRMaxIPv6Netmask = 60 + vpcCIDRMinIPv6Netmask = 44 +) + +var ( + vpcCIDRValidIPv6Netmasks = tfslices.Range(vpcCIDRMinIPv6Netmask, vpcCIDRMaxIPv6Netmask+1, 4) + validVPCIPv6CIDRBlock = validation.All( + verify.ValidIPv6CIDRNetworkAddress, + validation.Any(tfslices.ApplyToAll(vpcCIDRValidIPv6Netmasks, func(v int) schema.SchemaValidateFunc { + return validation.IsCIDRNetwork(v, v) + })...), + ) ) // @SDKResource("aws_vpc", name="VPC") @@ -140,9 +151,7 @@ func resourceVPC() *schema.Resource { Computed: true, ConflictsWith: []string{"ipv6_netmask_length", "assign_generated_ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, - ValidateFunc: validation.All( - verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(vpcCIDRMaxIPv6Netmask, vpcCIDRMaxIPv6Netmask)), + ValidateFunc: validVPCIPv6CIDRBlock, }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -158,7 +167,7 @@ func resourceVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice([]int{vpcCIDRMaxIPv6Netmask}), + ValidateFunc: validation.IntInSlice(vpcCIDRValidIPv6Netmasks), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, 
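Review bot: The `vpcCIDRMaxIPv6Netmask+1` argument in the new `var` block only makes sense once the reader knows that `tfslices.Range` treats `stop` as exclusive, and nothing at the call site says so. A one-line comment such as `// stop is exclusive, so +1 keeps /60 in the set: 44, 48, 52, 56, 60` would stop a later cleanup from dropping the largest allowed prefix. `validVPCIPv6CIDRBlock` also deserves a short doc comment stating that it is shared by the VPC, default VPC and IPv6 CIDR association schemas. Finally, check what a rejected value such as a /57 prints: `validation.Any` over five `IsCIDRNetwork(v, v)` validators will likely report one error per validator rather than a single message listing the allowed prefix lengths.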
@@ -729,7 +738,7 @@ func findIPAMPoolAllocationsForVPC(ctx context.Context, conn *ec2.Client, poolID return nil, err } - output = slices.Filter(output, func(v types.IpamPoolAllocation) bool { + output = tfslices.Filter(output, func(v types.IpamPoolAllocation) bool { return string(v.ResourceType) == string(types.IpamPoolAllocationResourceTypeVpc) && aws.ToString(v.ResourceId) == vpcID }) diff --git a/internal/service/ec2/vpc_default_vpc.go b/internal/service/ec2/vpc_default_vpc.go index f3fd9727b25..16524ef1683 100644 --- a/internal/service/ec2/vpc_default_vpc.go +++ b/internal/service/ec2/vpc_default_vpc.go @@ -118,9 +118,7 @@ func resourceDefaultVPC() *schema.Resource { Computed: true, ConflictsWith: []string{"ipv6_netmask_length", "assign_generated_ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, - ValidateFunc: validation.All( - verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(vpcCIDRMaxIPv6Netmask, vpcCIDRMaxIPv6Netmask)), + ValidateFunc: validVPCIPv6CIDRBlock, }, "ipv6_cidr_block_network_border_group": { Type: schema.TypeString, @@ -136,7 +134,7 @@ func resourceDefaultVPC() *schema.Resource { "ipv6_netmask_length": { Type: schema.TypeInt, Optional: true, - ValidateFunc: validation.IntInSlice([]int{vpcCIDRMaxIPv6Netmask}), + ValidateFunc: validation.IntInSlice(vpcCIDRValidIPv6Netmasks), ConflictsWith: []string{"ipv6_cidr_block"}, RequiredWith: []string{"ipv6_ipam_pool_id"}, }, diff --git a/internal/service/ec2/vpc_ipv6_cidr_block_association.go b/internal/service/ec2/vpc_ipv6_cidr_block_association.go index 7cc20acee91..e79c4dd0847 100644 --- a/internal/service/ec2/vpc_ipv6_cidr_block_association.go +++ b/internal/service/ec2/vpc_ipv6_cidr_block_association.go 
@@ -17,7 +17,6 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" - "github.com/hashicorp/terraform-provider-aws/internal/verify" "github.com/hashicorp/terraform-provider-aws/names" ) @@ -44,13 +43,11 @@ func resourceVPCIPv6CIDRBlockAssociation() *schema.Resource { }, Schema: map[string]*schema.Schema{ "ipv6_cidr_block": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - ValidateFunc: validation.All( - verify.ValidIPv6CIDRNetworkAddress, - validation.IsCIDRNetwork(vpcCIDRMaxIPv6Netmask, vpcCIDRMaxIPv6Netmask)), + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ValidateFunc: validVPCIPv6CIDRBlock, }, // ipam parameters are not required by the API but other usage mechanisms are not implemented yet. TODO ipv6 options: // --amazon-provided-ipv6-cidr-block @@ -64,7 +61,7 @@ func resourceVPCIPv6CIDRBlockAssociation() *schema.Resource { Type: schema.TypeInt, Optional: true, ForceNew: true, - ValidateFunc: validation.IntInSlice([]int{vpcCIDRMaxIPv6Netmask}), + ValidateFunc: validation.IntInSlice(vpcCIDRValidIPv6Netmasks), ConflictsWith: []string{"ipv6_cidr_block"}, // This RequiredWith setting should be applied once L57 is completed // RequiredWith: []string{"ipv6_ipam_pool_id"}, diff --git a/website/docs/r/vpc.html.markdown b/website/docs/r/vpc.html.markdown index 4d1c75d006a..e39684492e8 100644 --- a/website/docs/r/vpc.html.markdown +++ b/website/docs/r/vpc.html.markdown 
@@ -74,7 +74,7 @@ This resource supports the following arguments: * `ipv4_netmask_length` - (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a `ipv4_ipam_pool_id`. * `ipv6_cidr_block` - (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. * `ipv6_ipam_pool_id` - (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. -* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. +* `ipv6_netmask_length` - (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values are from `44` to `60` in increments of 4. * `ipv6_cidr_block_network_border_group` - (Optional) By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. * `enable_dns_support` - (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults to true. * `enable_network_address_usage_metrics` - (Optional) Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false. From 48a0eaa40dba831b7ab79138bd85a16fe96b9766 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 26 Jul 2024 12:32:41 -0400 Subject: [PATCH 6/7] Fix golangci-lint 'mnd'. --- internal/service/ec2/vpc_.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index d31edab06e0..5a927ecf4be 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go 
@@ -32,14 +32,15 @@ import ( ) const ( - vpcCIDRMaxIPv4Netmask = 28 - vpcCIDRMinIPv4Netmask = 16 - vpcCIDRMaxIPv6Netmask = 60 - vpcCIDRMinIPv6Netmask = 44 + vpcCIDRMaxIPv4Netmask = 28 + vpcCIDRMinIPv4Netmask = 16 + vpcCIDRMaxIPv6Netmask = 60 + vpcCIDRMinIPv6Netmask = 44 + vpcCIDRIPv6NetmaskStep = 4 ) var ( - vpcCIDRValidIPv6Netmasks = tfslices.Range(vpcCIDRMinIPv6Netmask, vpcCIDRMaxIPv6Netmask+1, 4) + vpcCIDRValidIPv6Netmasks = tfslices.Range(vpcCIDRMinIPv6Netmask, vpcCIDRMaxIPv6Netmask+1, vpcCIDRIPv6NetmaskStep) validVPCIPv6CIDRBlock = validation.All( verify.ValidIPv6CIDRNetworkAddress, validation.Any(tfslices.ApplyToAll(vpcCIDRValidIPv6Netmasks, func(v int) schema.SchemaValidateFunc { From 4021bcc945bf29b8114ec9f45c9a4689084f93a1 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 26 Jul 2024 12:43:05 -0400 Subject: [PATCH 7/7] r/aws_vpc_security_group_(ingress|egress)_rule: Add tags to AuthorizeSecurityGroup... call. --- .changelog/35614.txt | 8 ++++++++ .../service/ec2/vpc_security_group_egress_rule.go | 5 +++-- .../service/ec2/vpc_security_group_ingress_rule.go | 12 +++--------- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/.changelog/35614.txt b/.changelog/35614.txt index 686c165d3c4..214d3b67967 100644 --- a/.changelog/35614.txt +++ b/.changelog/35614.txt @@ -21,3 +21,11 @@ resource/aws_vpc_ipv6_cidr_block_association: Support `ipv6_cidr_block` sizes be ```release-note:enhancement resource/aws_vpc_ipv6_cidr_block_association: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 ``` + +```release-note:enhancement +resource/aws_vpc_security_group_ingress_rule: Add `tags` to the `AuthorizeSecurityGroupIngress` EC2 API call instead of making a separate `CreateTags` call +``` + +```release-note:enhancement +resource/aws_vpc_security_group_egress_rule: Add `tags` to the `AuthorizeSecurityGroupEgress` EC2 API call instead of making a separate `CreateTags` call +``` \ No newline at end of file 
diff --git a/internal/service/ec2/vpc_security_group_egress_rule.go b/internal/service/ec2/vpc_security_group_egress_rule.go index c4e109385a4..c7b6630cdc7 100644 --- a/internal/service/ec2/vpc_security_group_egress_rule.go +++ b/internal/service/ec2/vpc_security_group_egress_rule.go @@ -39,8 +39,9 @@ func (r *securityGroupEgressRuleResource) create(ctx context.Context, data *secu conn := r.Meta().EC2Client(ctx) input := &ec2.AuthorizeSecurityGroupEgressInput{ - GroupId: fwflex.StringFromFramework(ctx, data.SecurityGroupID), - IpPermissions: []awstypes.IpPermission{data.expandIPPermission(ctx)}, + GroupId: fwflex.StringFromFramework(ctx, data.SecurityGroupID), + IpPermissions: []awstypes.IpPermission{data.expandIPPermission(ctx)}, + TagSpecifications: getTagSpecificationsIn(ctx, awstypes.ResourceTypeSecurityGroupRule), } output, err := conn.AuthorizeSecurityGroupEgress(ctx, input) diff --git a/internal/service/ec2/vpc_security_group_ingress_rule.go b/internal/service/ec2/vpc_security_group_ingress_rule.go index 318432e2d8e..a707a1277b5 100644 --- a/internal/service/ec2/vpc_security_group_ingress_rule.go +++ b/internal/service/ec2/vpc_security_group_ingress_rule.go @@ -72,8 +72,9 @@ func (r *securityGroupIngressRuleResource) create(ctx context.Context, data *sec conn := r.Meta().EC2Client(ctx) input := &ec2.AuthorizeSecurityGroupIngressInput{ - GroupId: fwflex.StringFromFramework(ctx, data.SecurityGroupID), - IpPermissions: []awstypes.IpPermission{data.expandIPPermission(ctx)}, + GroupId: fwflex.StringFromFramework(ctx, data.SecurityGroupID), + IpPermissions: []awstypes.IpPermission{data.expandIPPermission(ctx)}, + TagSpecifications: getTagSpecificationsIn(ctx, awstypes.ResourceTypeSecurityGroupRule), } output, err := conn.AuthorizeSecurityGroupIngress(ctx, input) 
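Review bot: The new `TagSpecifications` field in the egress `create` (and in the ingress `create` that follows) changes the failure mode, and the code does not record why. In the `Create` lines removed later in this patch, a `createTags` error returned before `response.State.Set`, so an already-authorized rule could stay in the security group without being recorded in state. A comment above the field would preserve that reasoning, for example `// Tag on create so a tagging failure fails the whole call and never leaves an authorized rule untracked or untagged.` The release note could also mention that IAM policies which scope `ec2:CreateTags` by creating action may need to allow the two Authorize actions; that is inferred from how EC2 tag-on-create is usually authorized, not from anything in this hunk. Both `create` bodies continue outside their hunks.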
@@ -258,13 +259,6 @@ func (r *securityGroupRuleResource) Create(ctx context.Context, request resource data.SecurityGroupRuleID = types.StringValue(securityGroupRuleID) data.setID() - conn := r.Meta().EC2Client(ctx) - if err := createTags(ctx, conn, data.ID.ValueString(), getTagsIn(ctx)); err != nil { - response.Diagnostics.AddError(fmt.Sprintf("setting VPC Security Group Rule (%s) tags", data.ID.ValueString()), err.Error()) - - return - } - response.Diagnostics.Append(response.State.Set(ctx, &data)...) }