Hi there,
Terraform v0.11.4
AWS provider 1.11.0
aws_vpc_peering_connection_accepter
provider "aws" {
  alias = "intersite"
}

provider "aws" {
  alias = "environment"
}

resource "aws_vpc_peering_connection" "env_to_intersite" {
  provider      = "aws.intersite"
  peer_owner_id = "${var.peer_owner}"
  peer_vpc_id   = "${data.terraform_remote_state.env_vpc.vpc}"
  vpc_id        = "${data.terraform_remote_state.intersite_vpc.vpc}"

  requester {
    allow_remote_vpc_dns_resolution = true
  }

  tags {
    Name      = "VPC Peering between ${var.Environment} and Intersite VPC"
    Terraform = "True"
    Side      = "Requester"
  }
}

resource "aws_vpc_peering_connection_accepter" "env_accept" {
  provider                  = "aws.environment"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.env_to_intersite.id}"
  auto_accept               = true

  depends_on = [
    "aws_vpc_peering_connection.env_to_intersite",
  ]

  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  tags {
    Name      = "VPC Peering between ${var.Environment} and Intersite VPC"
    Terraform = "True"
    Side      = "Accepter"
  }
}
This is part of a module. The credentials are passed onto this module using the providers{} block, which is all successful. This module should create a VPC Peering connection request from intersite account to "environment" account. It should then accept the Peering request from the "environment" side. It should also create additional routes, security group rules and NACLs in pre-existing resources, which are retrieved using terraform_remote_state data providers. Only the VPC Peering Accepter fails.
For each of the two accounts, all resources are correctly created, except for the aws_vpc_peering_connection_accepter. For some reason it fails here and halts the creation of 5 more resources. If I go and manually accept the Peering request via the console, then run the Terraform template again, it will succeed and everything looks fine. However, obviously this isn't the desired behaviour (I don't want to do that with every new account) and also the allow_remote_vpc_dns_resolution configuration is set incorrectly on the "environment" side. Below is the CLI output:
auto_accept attribute to true, or activate VPC Peering Connection manually.
Please list the steps required to reproduce the issue, for example:
Run above template in a module, passing two providers through to it for separate accounts. If needed, replace interpolations for testing.
Nothing unusual about the accounts. I configure my providers in the parent module using the profile= option of the AWS provider. Each of those accounts is accessed via an assumed role. All of this works fine elsewhere in Terraform, and indeed for the entirety of this template, except for the one failing resource.
Thanks for any advice.
I think this is the same problem with the allow_remote_vpc_dns_resolution attribute as in
See also https://github.com/terraform-providers/terraform-provider-aws/pull/3097.
@TomNorth See my comments here that attempt to explain why this can't be resolved without a new aws_vpc_peering_connection_options resource.
The new aws_vpc_peering_connection_options resource for managing these dependency issues has been merged via #3909 and will release with v1.17.0 of the AWS provider, likely in two days.
The new resource has been released in version 1.17.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
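For readers landing here with the same error, here is an added example (not code from the issue or from the provider project) of how the original module's configuration can be rewritten against AWS provider 1.17.0 using the aws_vpc_peering_connection_options resource the maintainer refers to. The provider aliases, variable and remote-state names are taken from the issue's own snippet; tags are left out for brevity.

```hcl
provider "aws" {
  alias   = "intersite"
  version = "~> 1.17"
}

provider "aws" {
  alias   = "environment"
  version = "~> 1.17"
}

# Requester side: no requester {} block here, so creating the request no
# longer depends on the connection already being active.
resource "aws_vpc_peering_connection" "env_to_intersite" {
  provider      = "aws.intersite"
  peer_owner_id = "${var.peer_owner}"
  peer_vpc_id   = "${data.terraform_remote_state.env_vpc.vpc}"
  vpc_id        = "${data.terraform_remote_state.intersite_vpc.vpc}"
}

# Accepter side: accepts the pending request; again no accepter {} block.
resource "aws_vpc_peering_connection_accepter" "env_accept" {
  provider                  = "aws.environment"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.env_to_intersite.id}"
  auto_accept               = true
}

# DNS resolution options are applied only once the connection is active.
# Each account can only set its own side, so the requester account sets
# requester {} and the accepter account sets accepter {}. Referencing the
# accepter resource's id orders both of these after acceptance.
resource "aws_vpc_peering_connection_options" "requester" {
  provider                  = "aws.intersite"
  vpc_peering_connection_id = "${aws_vpc_peering_connection_accepter.env_accept.id}"

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter" {
  provider                  = "aws.environment"
  vpc_peering_connection_id = "${aws_vpc_peering_connection_accepter.env_accept.id}"

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}
```

With the options moved out of the connection and accepter resources, a fresh apply against two accounts no longer needs the manual console acceptance described in the issue.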
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!