
AWS Cross Account VPC Peering issue #20473

Closed
linuxwalabhushan opened this issue Feb 26, 2019 · 5 comments
Comments

@linuxwalabhushan

I have tried to create a new VPC peering between two AWS cross accounts. I have faced an issue, which I have pasted below:

Error: Error applying plan:

1 error(s) occurred:

  • module.multi-account-peering.aws_vpc_peering_connection.this: 1 error(s) occurred:

  • aws_vpc_peering_connection.this: Unable to accept VPC Peering Connection: OperationNotPermitted: User 264086180894 cannot accept peering pcx-0e868786683ea89a6
    status code: 400, request id: 93673723-4851-40ed-98ce-07a0ac4ea0c8

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

As per my findings, the above issue occurred when the second cross account did not have permission to accept the peering connection.

Please go through the above issue.

@mildwonkey
Contributor

Hi @linuxwalabhushan !

I'm sorry that you've come across this error, but I'm not sure what you are asking us for here. You've already identified the problem, which is that the second cross account does not have permission to accept the peering connection. That's something you (or the owner of the account) needs to fix.

@ewbankkit
Contributor

Hi @linuxwalabhushan, to accept a cross-account VPC peering you will need to use the aws_vpc_peering_accepter resource.

@gio-salvador

gio-salvador commented Jun 6, 2019

I got the same issue:

provider "aws" {
  alias   = "prod"
  region  = "${var.region}"
  profile = "prod_admin"
}

# REQUESTER's side of the connection (LOCAL).
resource "aws_vpc_peering_connection" "peer" {
  vpc_id        = "${var.local_vpc_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  # peer_vpc_id = "${var.local_vpc_id}"
  # vpc_id      = "${var.peer_vpc_id}"

  peer_owner_id = "${var.peer_vpc_owner}"
  peer_region   = "${var.region}"
  auto_accept   = false

  # accepter {
  #   allow_remote_vpc_dns_resolution = true
  # }

  # requester {
  #   allow_remote_vpc_dns_resolution = true
  # }

  tags = {
    Side = "Requester"
  }
}

# ACCEPTER's side of the connection (REMOTE).
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = "aws.prod"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}

...

Error: Unable to accept VPC Peering Connection: OperationNotPermitted: User Y cannot accept peering pcx-ZZZ
        status code: 400, request id: AAA

But the user should have been X instead of Y. The Y user is the account that is running the script, and not the account that is supposed to be loaded through the referenced provider.
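The pattern suggested by ewbankkit and attempted in the config above, written out as an added example (not the issue author's code, not the provider's documentation): the accepter resource runs under a second provider alias whose credentials belong to the peer account, so the accept call is made by the only account allowed to make it. The role ARN, VPC IDs and region are placeholders; the assumed role needs `ec2:AcceptVpcPeeringConnection` (plus describe/tag permissions) in the peer account and nothing more.

```hcl
# Added example, not from the issue. Terraform 0.12+ syntax.
# Requester VPC lives in the account running Terraform; the accepter VPC
# lives in a second account reached by assuming a role there.

provider "aws" {
  region = "us-east-1"
}

# Accepter-side provider: credentials for the PEER account. Which identity
# this block resolves to is what decides "User X" vs "User Y" in the error.
provider "aws" {
  alias  = "peer"
  region = "us-east-1"

  assume_role {
    # placeholder ARN; scope this role to the peering actions it needs
    role_arn = "arn:aws:iam::222222222222:role/PeeringAccepter"
  }
}

# Derive the peer account id from the alias instead of hard-coding it, so a
# mis-configured alias shows up as a plan diff rather than a 400 at apply.
data "aws_caller_identity" "peer" {
  provider = aws.peer
}

# Requester side (local account). auto_accept must stay false cross-account.
resource "aws_vpc_peering_connection" "peer" {
  vpc_id        = "vpc-aaaa1111" # placeholder: local VPC
  peer_vpc_id   = "vpc-bbbb2222" # placeholder: remote VPC
  peer_owner_id = data.aws_caller_identity.peer.account_id
  peer_region   = "us-east-1"
  auto_accept   = false

  tags = { Side = "Requester" }
}

# Accepter side: bound to the peer provider, so the AcceptVpcPeeringConnection
# call is issued by the peer account rather than the one running the script.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = aws.peer
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = { Side = "Accepter" }
}
```

A quick check before apply: `terraform plan` should show `peer_owner_id` resolving to the peer account id; if it shows the local account id, the alias is not picking up the intended credentials.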

@apparentlymart
Contributor

Hi all,

It seems like this is a question about the AWS provider, rather than a bug or feature request in Terraform Core. The AWS provider forum could be a good place to raise this topic.

If this is actually a bug report, feel free to open an issue in the AWS provider repository and complete the issue template so the provider team can understand better what is going on here.

Thanks!

@ghost

ghost commented Jul 25, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Jul 25, 2019