terraform-provider-aws: Terraform finishes with an error after successfully creating a cross-account VPC peering connection

Created on 25 Oct 2017  ·  5 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @FernandoMiguel as hashicorp/terraform#16433. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.10.7

Terraform Configuration Files

peer_requester.tf

data "terraform_remote_state" "tfstate" {
  backend = "s3"

  config {
    bucket = "${var.s3bucket-tfstate}"
    key    = "terraform.tfstate"
    region = "${var.region}"
  }
}

module "vpc_peer" {
  source = "git::[email protected]:COMPAN/terraform//modules/peer?ref=v4"

  requester_vpc_id = "${module.vpc.vpc_id}"
  accepter_vpc_id  = "${data.terraform_remote_state.tfstate.vpc_id}"

  accepter_destination_cidr_block = "${var.cidr-prod-app}"

  # If from public subnet
  //requester_route_table_id = "${join(",", module.vpc.public_route_table_ids)}"

  # If from private subnet
  requester_route_table_id = "${join(",", module.vpc.private_route_table_ids)}"
  ##
  # If different aws accounts
  ##
  accepter_allow_remote_dns = false
  requester_allow_remote_dns = false
  accepter_owner_id          = "${data.terraform_remote_state.tfstate.account_id}"

  //vpc_peering_connection_id = "${data.terraform_remote_state.tfstate.module.vpc_peer.id}"
}

# Outputs

output "peer_connection_id" {
  value = "${module.vpc_peer.peer_connection_id}"
}

peer_accept.tf

data "terraform_remote_state" "tfstate" {
  backend = "s3"

  config {
    bucket = "${var.s3bucket-tfstate}"
    key    = "tools/terraform.tfstate"
    region = "${var.region}"
  }
}

module "vpc_peer" {
  source = "git::[email protected]:comapny/terraform//modules/peer?ref=v4"

  requester_vpc_id = "${module.vpc.vpc_id}"
  accepter_vpc_id  = "${data.terraform_remote_state.tfstate.vpc_id}"

  # If different aws accounts
  accepter_allow_remote_dns  = false
  requester_allow_remote_dns = false

  //accepter_owner_id = "${data.terraform_remote_state.tfstate.account_id}"
  vpc_peering_connection_id = "${data.terraform_remote_state.tfstate.peer_connection_id}"
}

# Outputs

output "peer_connection_id" {
  value = "${module.vpc_peer.peer_connection_id}"
}

peer_module.tf

resource "aws_vpc_peering_connection" "peer" {
  count = "${length(var.vpc_peering_connection_id) > 0 ? "0" : "1"}"

  auto_accept   = "${length(var.accepter_owner_id) > 0 ? "false" : "true"}"
  peer_owner_id = "${var.accepter_owner_id}"
  peer_vpc_id   = "${var.accepter_vpc_id}"
  vpc_id        = "${var.requester_vpc_id}"

  accepter {
    allow_remote_vpc_dns_resolution = "${var.accepter_allow_remote_dns}"
  }

  requester {
    allow_remote_vpc_dns_resolution = "${var.requester_allow_remote_dns}"
  }
}

resource "aws_vpc_peering_connection_accepter" "peer_accept" {
  count = "${length(var.vpc_peering_connection_id) > 0 ? "1" : "0"}"

  auto_accept               = true
  vpc_peering_connection_id = "${var.vpc_peering_connection_id}"

  accepter {
    allow_remote_vpc_dns_resolution = "${var.accepter_allow_remote_dns}"
  }

  requester {
    allow_remote_vpc_dns_resolution = "${var.requester_allow_remote_dns}"
  }

  tags {
    application = "${var.stack_item_fullname}"
    managed_by  = "terraform"
    Name        = "${var.stack_item_label}-peer"
  }
}

/* update requester route table */
resource "aws_route" "requester" {
  count = "${length(var.requester_route_table_id) > 0 ? "1" : "0"}"

  route_table_id            = "${var.requester_route_table_id}"
  destination_cidr_block    = "${var.accepter_destination_cidr_block}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

Debug Output

$ aws-vault exec iam-account -- terraform apply
data.terraform_remote_state.tfstate-prodapp: Refreshing state...
data.terraform_remote_state.tfstate: Refreshing state...
data.aws_caller_identity.current: Refreshing state...
aws_vpc.this: Refreshing state... (ID: vpc-XXX)
[...]
module.vpc_peer_tools_prodapp.aws_vpc_peering_connection.peer: Creating...
  accept_status:                                         "" => "<computed>"
  accepter.#:                                            "" => "1"
  accepter.XXX.allow_classic_link_to_remote_vpc:  "" => "false"
  accepter.XXX.allow_remote_vpc_dns_resolution:   "" => "false"
  accepter.XXX.allow_vpc_to_remote_classic_link:  "" => "false"
  auto_accept:                                           "" => "false"
  peer_owner_id:                                         "" => "ACCOUNTID02"
  peer_vpc_id:                                           "" => "vpc-XXX"
  requester.#:                                           "" => "1"
  requester.XXX.allow_classic_link_to_remote_vpc: "" => "false"
  requester.XXX.allow_remote_vpc_dns_resolution:  "" => "false"
  requester.XXX.allow_vpc_to_remote_classic_link: "" => "false"
  vpc_id:                                                "" => "vpc-XXX"
Error applying plan:

1 error(s) occurred:

* module.vpc_peer_tools_prodapp.aws_vpc_peering_connection.peer: 1 error(s) occurred:

* aws_vpc_peering_connection.peer: Unable to modify peering options. The VPC Peering Connection "pcx-XXX" is not active. Please set `auto_accept` attribute to `true`, or activate VPC Peering Connection manually.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Expected Behavior

For Terraform to finish successfully and push the state file to S3, since the peering request was successfully created for acceptance in the other account.

Actual Behavior

Terraform fails to finish and doesn't push the state file, preventing the other account from pulling the peer_connection_id from the remote state file.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
https://github.com/hashicorp/terraform/issues/12448

Labels: bug, service/ec2

All 5 comments

Yep, can confirm.

It appears that there are 2 AWS API requests when you create a VPC peering. The first is to create the VPC, and the second is to set the DNS resolution to true if needed.
But the second request can't be done, because a VPC peering needs to be accepted before it can be modified.
The VPC peering accepter resource is not yet created when the second request is performed.
So it's a bug ...

This is fixed now, please check https://github.com/terraform-providers/terraform-provider-aws/issues/3069

Need to use the aws_vpc_peering_connection_options resource to manage the dns resolution options https://www.terraform.io/docs/providers/aws/r/vpc_peering_options.html

Thanks for the cross-reference! Closing this issue as it seems this should be resolved with the new aws_vpc_peering_connection_options resource previously released in version 1.17.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
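The following is an added example of the pattern the two comments above describe, not code from the issue, the reporter's module, or the provider's own documentation. It assumes Terraform 0.13+ syntax, AWS provider 1.17.0 or later (the first release with aws_vpc_peering_connection_options), and, unlike the reporter's two-state setup, a single root module that reaches the accepter account through an assumed role; the variable names and the role ARN are placeholders. The point it demonstrates is the ordering the thread arrives at: create the request with no accepter/requester option blocks, accept it, and only then set DNS options, each account touching only its own side.

```hcl
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 1.17.0" # aws_vpc_peering_connection_options first shipped in 1.17.0
    }
  }
}

variable "region" { default = "eu-west-1" }          # assumption
variable "accepter_role_arn" { type = string }       # placeholder, e.g. a role in the accepter account
variable "requester_vpc_id" { type = string }
variable "accepter_vpc_id" { type = string }
variable "accepter_cidr_block" { type = string }
variable "requester_route_table_ids" { type = list(string) }

# Requester account: the credentials terraform apply is run with.
provider "aws" {
  alias  = "requester"
  region = var.region
}

# Accepter account, reached by assuming a role there. That role needs at least
# ec2:AcceptVpcPeeringConnection and ec2:ModifyVpcPeeringConnectionOptions;
# keep it scoped to this, not a blanket admin role.
provider "aws" {
  alias  = "accepter"
  region = var.region
  assume_role {
    role_arn = var.accepter_role_arn
  }
}

# Resolve the accepter account ID from the assumed role instead of hardcoding it.
data "aws_caller_identity" "accepter" {
  provider = aws.accepter
}

# 1. Requester side creates the request. Deliberately NO accepter {} / requester {}
#    blocks here: with auto_accept = false the connection is still pending-acceptance,
#    and the ModifyVpcPeeringConnectionOptions call those blocks trigger is rejected
#    until it is active, which is the error reported in this issue.
resource "aws_vpc_peering_connection" "peer" {
  provider      = aws.requester
  vpc_id        = var.requester_vpc_id
  peer_vpc_id   = var.accepter_vpc_id
  peer_owner_id = data.aws_caller_identity.accepter.account_id # pins the peer to one account
  auto_accept   = false

  tags = { Side = "Requester", managed_by = "terraform" }
}

# 2. Accepter side accepts it.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = { Side = "Accepter", managed_by = "terraform" }
}

# 3. Options are set only after acceptance. Referencing the accepter resource's id
#    (not the connection's) gives Terraform the dependency it needs. Across accounts
#    each account may modify only its own side, hence two resources.
resource "aws_vpc_peering_connection_options" "requester" {
  provider                  = aws.requester
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}

# 4. One route per requester route table, again ordered after acceptance.
resource "aws_route" "requester" {
  provider                  = aws.requester
  for_each                  = toset(var.requester_route_table_ids)
  route_table_id            = each.value
  destination_cidr_block    = var.accepter_cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id
}

output "peer_connection_id" {
  value = aws_vpc_peering_connection_accepter.peer.id
}
```

If the two accounts must stay in separate states, as in the reporter's setup, the same split still applies: the requester run creates aws_vpc_peering_connection without option blocks and exports its id, the accepter run accepts it and sets only the accepter options, and the requester run sets its own requester options in a later apply once the remote state shows the connection accepted.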

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
