Add prefix length validation for IPv6 gateway and IP range defaults

The code previously assumed it could always use network+1 for gateway and
network+2 for start IP, but this fails for very small prefixes:
- /128 (1 address): Cannot accommodate gateway
- /127 (2 addresses): Can accommodate gateway but not start/end IP range

Added validation to ensure:
- When specifyiprange is false: minimum /127 (2 addresses for gateway)
- When specifyiprange is true: minimum /126 (4 addresses for gateway + range)

Added comprehensive unit tests for edge cases:
- TestParseCIDRv6_Prefix128_NoIPRange: Rejects /128 (too small)
- TestParseCIDRv6_Prefix127_NoIPRange: Accepts /127 without IP range
- TestParseCIDRv6_Prefix127_WithIPRange: Rejects /127 with IP range
- TestParseCIDRv6_Prefix126_WithIPRange: Accepts /126 with IP range

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network.go

@@ -554,6 +554,25 @@ func parseCIDRv6(d *schema.ResourceData, specifyiprange bool) (map[string]string
 		return nil, fmt.Errorf("ip6cidr must be an IPv6 CIDR with 16-byte mask, got %d bytes: %s", len(ipnet.Mask), cidr)
 	}
 
+	// Validate prefix length to ensure we have enough addresses for gateway/start/end
+	ones, _ := ipnet.Mask.Size()
+	if specifyiprange {
+		// When specifyiprange is true, we need at least 3 addresses:
+		// - gateway (network + 1)
+		// - start IP (network + 2)
+		// - end IP (network + 3 or more)
+		// This requires a /126 or larger prefix (4 addresses minimum)
+		if ones > 126 {
+			return nil, fmt.Errorf("ip6cidr prefix /%d is too small for automatic IP range generation; minimum is /126 (4 addresses)", ones)
+		}
+	} else {
+		// When specifyiprange is false, we only need the gateway (network + 1)
+		// This requires a /127 or larger prefix (2 addresses minimum)
+		if ones > 127 {
+			return nil, fmt.Errorf("ip6cidr prefix /%d is too small for automatic gateway generation; minimum is /127 (2 addresses)", ones)
+		}
+	}
+
 	if gateway, ok := d.GetOk("ip6gateway"); ok {
 		m["ip6gateway"] = gateway.(string)
 	} else {

cloudstack/resource_cloudstack_network_unit_test.go

@@ -149,3 +149,88 @@ func TestParseCIDRv6_RejectsIPv4(t *testing.T) {
 		t.Errorf("Expected error message to start with '%s', got '%s'", expectedError, err.Error())
 	}
 }
+
+func TestParseCIDRv6_Prefix128_NoIPRange(t *testing.T) {
+	// /128 is a single address - should fail even without IP range
+	d := schema.TestResourceDataRaw(t, resourceCloudStackNetwork().Schema, map[string]interface{}{
+		"ip6cidr": "2001:db8::1/128",
+	})
+
+	_, err := parseCIDRv6(d, false)
+	if err == nil {
+		t.Fatal("parseCIDRv6 should reject /128 prefix (single address)")
+	}
+
+	expectedError := "ip6cidr prefix /128 is too small"
+	if err.Error()[:len(expectedError)] != expectedError {
+		t.Errorf("Expected error message to start with '%s', got '%s'", expectedError, err.Error())
+	}
+}
+
+func TestParseCIDRv6_Prefix127_NoIPRange(t *testing.T) {
+	// /127 has 2 addresses - should work without IP range (only needs gateway)
+	d := schema.TestResourceDataRaw(t, resourceCloudStackNetwork().Schema, map[string]interface{}{
+		"ip6cidr": "2001:db8::/127",
+	})
+
+	result, err := parseCIDRv6(d, false)
+	if err != nil {
+		t.Fatalf("parseCIDRv6 should accept /127 prefix without IP range: %v", err)
+	}
+
+	// Should have gateway
+	if _, ok := result["ip6gateway"]; !ok {
+		t.Error("Expected ip6gateway to be set")
+	}
+
+	// Should not have start/end IP
+	if _, ok := result["startipv6"]; ok {
+		t.Error("startipv6 should not be set when specifyiprange is false")
+	}
+}
+
+func TestParseCIDRv6_Prefix127_WithIPRange(t *testing.T) {
+	// /127 has only 2 addresses - should fail with IP range (needs 3+ addresses)
+	d := schema.TestResourceDataRaw(t, resourceCloudStackNetwork().Schema, map[string]interface{}{
+		"ip6cidr": "2001:db8::/127",
+	})
+
+	_, err := parseCIDRv6(d, true)
+	if err == nil {
+		t.Fatal("parseCIDRv6 should reject /127 prefix with IP range (only 2 addresses)")
+	}
+
+	expectedError := "ip6cidr prefix /127 is too small for automatic IP range generation"
+	if err.Error()[:len(expectedError)] != expectedError {
+		t.Errorf("Expected error message to start with '%s', got '%s'", expectedError, err.Error())
+	}
+}
+
+func TestParseCIDRv6_Prefix126_WithIPRange(t *testing.T) {
+	// /126 has 4 addresses - should work with IP range
+	d := schema.TestResourceDataRaw(t, resourceCloudStackNetwork().Schema, map[string]interface{}{
+		"ip6cidr": "2001:db8::/126",
+	})
+
+	result, err := parseCIDRv6(d, true)
+	if err != nil {
+		t.Fatalf("parseCIDRv6 should accept /126 prefix with IP range: %v", err)
+	}
+
+	// Should have gateway, start, and end
+	if _, ok := result["ip6gateway"]; !ok {
+		t.Error("Expected ip6gateway to be set")
+	}
+	if _, ok := result["startipv6"]; !ok {
+		t.Error("Expected startipv6 to be set")
+	}
+	if _, ok := result["endipv6"]; !ok {
+		t.Error("Expected endipv6 to be set")
+	}
+
+	// Verify the end IP is correct for /126 (last 2 bits set to 1)
+	expectedEndIP := "2001:db8::3"
+	if result["endipv6"] != expectedEndIP {
+		t.Errorf("Expected end IP %s for /126, got %s", expectedEndIP, result["endipv6"])
+	}
+}