
Cross-account (and cross-region) VPC Peering Accepter Error: vpc_peering_connection_id not found #7178

Closed
rmldsky opened this issue Jan 17, 2019 · 10 comments
Labels: bug (Addresses a defect in current functionality), service/ec2 (Issues and PRs that pertain to the ec2 service), stale (Old or inactive issues managed by automation; if no further action is taken these will get closed)

Comments


rmldsky commented Jan 17, 2019


Terraform Version

Terraform v0.11.8
provider.aws v1.54.0

Affected Resource(s)

aws_vpc_peering_connection
aws_vpc_peering_connection_accepter

Terraform Configuration Files

```hcl
# Requester side: created with the default provider in the requesting account.
resource "aws_vpc_peering_connection" "peer" {
  vpc_id = "${aws_vpc.default.id}"

  peer_owner_id = "${var.aws_production_account_id}"
  peer_vpc_id   = "vpc-11111111"
  peer_region   = "us-west-2"

  auto_accept = false

  tags {
    Side = "Requester"
  }
}

# Accepter side: runs under the aws.production provider alias (peer account).
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = "aws.production"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
  auto_accept               = false

  tags {
    Side = "Accepter"
  }
}
```

Expected Behavior

On both accounts the peering connection should be created, and on the accepter account it should have been approved (activated).

Actual Behavior

Both resources are created on both accounts. The accepter side doesn't approve the connection and TF throws an error:

```text
* aws_vpc_peering_connection_accepter.peer: VPC Peering Connection "pcx-XXXXXXXXX" not found
```

When I accept it on the accepter's side (account) and run terraform plan again, it still wants to create the aws_vpc_peering_connection_accepter resource.

pcx-XXXXXXXXX being vpc_peering_connection_id: "" => "pcx-XXXXXXXXX", and it does exist on the requester side (it was created).

It does not matter whether I set auto_accept on the accepter to true or false. It looks like the accepter's side is not looking for this connection id on the requester account?

Should I be doing something differently? Am I getting documentation wrong?
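For comparison, here is a complete cross-account, cross-region layout with both provider blocks spelled out; this is an added example, not the reporter's configuration or the provider's documentation. The requester region, the role name in the production account, and the route CIDR are assumptions.

```hcl
# Requester side: account and region where aws_vpc.default lives.
provider "aws" {
  region = "us-east-1"   # assumption: the page only names the peer region
}

# Accepter side: a different account AND a different region. The accepter
# resource looks the pcx-... id up with this provider's credentials and region,
# so the region must equal peer_region and the credentials must belong to
# the peer account (here via an assumed role rather than long-lived keys).
provider "aws" {
  alias  = "production"
  region = "us-west-2"   # must match peer_region below

  assume_role {
    # Hypothetical role; scope it to the peering actions it needs, e.g.
    # ec2:DescribeVpcPeeringConnections, ec2:AcceptVpcPeeringConnection, ec2:CreateTags.
    role_arn = "arn:aws:iam::${var.aws_production_account_id}:role/TerraformPeeringAccepter"
  }
}

resource "aws_vpc_peering_connection" "peer" {
  vpc_id        = "${aws_vpc.default.id}"
  peer_owner_id = "${var.aws_production_account_id}"
  peer_vpc_id   = "vpc-11111111"
  peer_region   = "us-west-2"
  auto_accept   = false   # the requester account cannot accept a cross-account request

  tags {
    Side = "Requester"
  }
}

resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = "aws.production"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
  auto_accept               = true

  tags {
    Side = "Accepter"
  }
}

# Requester-side route; the production account needs the mirror route
# (provider = "aws.production") before traffic flows in either direction.
resource "aws_route" "to_production" {
  route_table_id            = "${aws_vpc.default.main_route_table_id}"
  destination_cidr_block    = "10.1.0.0/16"   # constructed: production VPC CIDR
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}
```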

ewbankkit (Contributor) commented:

@rmldsky Can you please run terraform plan with TF_LOG=DEBUG set (see here) and attach the output? Thanks.

@bflad bflad added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 17, 2019

rmldsky commented Jan 21, 2019

@ewbankkit sorry for the late reply. Is sending via Keybase an option? I used to do it via the official Hashicorp key when dealing with a different issue. The output is pretty long and there are too many things to redact for me.

@rmldsky rmldsky changed the title Cross-account VPC Peering Accepter Error: vpc_peering_connection_id not found Cross-account (and cross-region) VPC Peering Accepter Error: vpc_peering_connection_id not found Jan 21, 2019

rmldsky commented Jan 21, 2019

@ewbankkit @bflad encrypted with Hashicorp's Keybase:
https://gist.githubusercontent.com/rmldsky/29f7dfe8a4e1d81d8ab25a101c459436/raw/f4aa919af515929ffcc7b79dd13d262b691d3a6f/encrypted-debug-7178.txt

This is the DEBUG output of running terraform apply. Both resources (on the corresponding accounts) were created. They are left in the Pending approval state as the accepter's auto_approve = true failed due to the error I mentioned.

Hope this helps.

gio-salvador commented:

I'm experiencing similar issues, has this been looked into?


ewbankkit commented Jun 12, 2019

@gio-salvador @rmldsky Have you tried setting the AWS_SDK_LOAD_CONFIG environment variable?
See #8451.


rmldsky commented Jun 18, 2019

@ewbankkit I've just tried running AWS_SDK_LOAD_CONFIG=1 terraform apply while setting up a new cross-account VPC peering connection, which kept failing due to:

```text
Error: Error applying plan:

1 error(s) occurred:

* aws_vpc_peering_connection.operations_production_global: 1 error(s) occurred:

* aws_vpc_peering_connection.operations_production_global: Unable to accept VPC Peering Connection: OperationNotPermitted: User XXXXXXXXXXXX cannot accept peering pcx-0174XXXXXXXX
	status code: 400, request id: 7868f803-6ffc-4b37-bb1c-c6e7edcbbb08
```

... and it WORKED! :) Thanks for pointing me towards this! 🍺

Though it is not the same error or the same case as the original issue (cross-account AND cross-region). Whenever I have a chance I'll test that as well.

ewbankkit (Contributor) commented:

@rmldsky No problem. I only just learned of that environment variable recently myself 😄.

@bflad bflad added the needs-triage Waiting for first response or review from a maintainer. label Jun 18, 2019
@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 20, 2019
github-actions bot commented:

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Nov 10, 2021
@github-actions github-actions bot closed this as completed Jan 4, 2022
github-actions bot commented:

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 22, 2022