Creating aws_vpc_peering_connection with allow_remote_vpc_dns_resolution fails #257

Closed
hashibot opened this issue Jun 13, 2017 · 3 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@hashibot

This issue was originally opened by @WishCow as hashicorp/terraform#8733. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.7.3

Affected Resource(s)

  • aws_vpc
  • aws_vpc_peering_connection

Terraform Configuration Files

variable "kops_cidr_block" {}
variable "tf_cidr_block" {}
variable "peer_owner_id" {}

resource "aws_vpc" "kops" {
    cidr_block = "${var.kops_cidr_block}"
    enable_dns_hostnames = true
    tags {
        Name = "KOPS VPC"
        Managed = "Terraform"
    }
}

resource "aws_vpc" "tf" {
    cidr_block = "${var.tf_cidr_block}"
    enable_dns_hostnames = true
    tags {
        Name = "Terraform VPC"
        Managed = "Terraform"
    }
}

resource "aws_vpc_peering_connection" "kops-tf" {
    peer_owner_id = "${var.peer_owner_id}"
    peer_vpc_id = "${aws_vpc.tf.id}"
    vpc_id = "${aws_vpc.kops.id}"
    auto_accept = true

    accepter {
        allow_remote_vpc_dns_resolution = true
    }
    requester {
        allow_remote_vpc_dns_resolution = true
    }

    tags {
        Managed = "Terraform"
        Name = "kops-tf"
    }
}

Debug Output

The debug output seems to contain some sensitive information; I'm not sure I'm allowed to share that (company policies).

Panic Output

No panic output

Expected Behavior

Expected the VPC peering connection to be made, with remote_vpc_dns_resolution enabled.

Actual Behavior

The VPC peering connection is made, but the DNS resolution properties are disabled.
In addition, Terraform outputs the following error:

Error applying plan:

1 error(s) occurred:

  • aws_vpc_peering_connection.kops-tf: Error modifying VPC Peering Connection options: OperationNotPermitted: User 076506802325 is not permitted to perform this operation
    status code: 400, request id: 6e163e8d-d361-4e86-a629-9ea98685a59a

If I leave out the accepter/requester blocks, everything is fine.

Steps to Reproduce

terraform apply

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

No references.

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@mconigliaro

I've seen this fail when trying to set allow_remote_vpc_dns_resolution = true on a VPC that doesn't have enable_dns_hostnames enabled. Unfortunately, I don't see any way to selectively enable allow_remote_vpc_dns_resolution, because the aws_vpc data source doesn't return the enable_dns_hostnames attribute.

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 25, 2018
@ewbankkit
Contributor

@WishCow, @mconigliaro I think that this has been fixed with the aws_vpc_peering_connection_options resource added via #3909 and released in version 1.17.0 of the AWS provider.
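
The configuration from the issue, rewritten to use the aws_vpc_peering_connection_options resource named in the comment above. This is an added example, not code from the thread or from the provider project. It keeps the issue's interpolation syntax, omits the tags, and assumes both VPCs live in the same account and region; the options resource label "kops-tf" is chosen here for illustration.

```hcl
# Added example: same topology as the issue, with the DNS resolution options
# moved out of aws_vpc_peering_connection into a separate
# aws_vpc_peering_connection_options resource (AWS provider >= 1.17.0).
variable "kops_cidr_block" {}
variable "tf_cidr_block" {}
variable "peer_owner_id" {}

resource "aws_vpc" "kops" {
    cidr_block           = "${var.kops_cidr_block}"
    enable_dns_hostnames = true
}

resource "aws_vpc" "tf" {
    cidr_block           = "${var.tf_cidr_block}"
    enable_dns_hostnames = true
}

# The peering connection itself carries no accepter/requester blocks.
resource "aws_vpc_peering_connection" "kops-tf" {
    peer_owner_id = "${var.peer_owner_id}"
    peer_vpc_id   = "${aws_vpc.tf.id}"
    vpc_id        = "${aws_vpc.kops.id}"
    auto_accept   = true
}

# The reference to the connection id makes Terraform create the peering
# connection first and apply the options afterwards.
resource "aws_vpc_peering_connection_options" "kops-tf" {
    vpc_peering_connection_id = "${aws_vpc_peering_connection.kops-tf.id}"

    accepter {
        allow_remote_vpc_dns_resolution = true
    }
    requester {
        allow_remote_vpc_dns_resolution = true
    }
}
```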

@ghost

ghost commented Jul 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 4, 2020