```
$ terraform -v
Terraform v0.12.21
+ provider.aws v2.50.0
```

```hcl
provider "aws" {
  alias  = "foo"
  region = "us-west-2"
}

provider "aws" {
  alias  = "bar"
  region = "us-east-1"
}

resource "aws_vpc" "foo" {
  provider             = aws.foo
  cidr_block           = "10.1.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_vpc" "bar" {
  provider             = aws.bar
  cidr_block           = "10.2.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_vpc_peering_connection" "foo" {
  provider    = aws.foo
  vpc_id      = aws_vpc.foo.id
  peer_vpc_id = aws_vpc.bar.id
  peer_region = "us-east-1"
}

resource "aws_vpc_peering_connection_accepter" "bar" {
  provider                  = aws.bar
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id
  auto_accept               = true
}

resource "aws_vpc_peering_connection_options" "requester_peering_options" {
  provider                  = aws.foo
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
  provider                  = aws.bar
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}
```
`terraform apply`
```
Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: OperationNotPermitted: Peering pcx-0c6974c762554784d is not active. Peering options can be added only to active peerings.
	status code: 400, request id: 458c070b-3126-45fc-9897-5e0e512ffb81

  on file.tf line 47, in resource "aws_vpc_peering_connection_options" "accepter_peering_options":
  47: resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
```
`terraform apply`
`allow_remote_vpc_dns_resolution = false` for either requester or accepter and get the following error:
```
Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region
	status code: 400, request id: 06187670-310d-47f3-aa85-b3ea6361e9b6

  on file.tf line 47, in resource "aws_vpc_peering_connection_options" "accepter_peering_options":
  47: resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
```
`allow_remote_vpc_dns_resolution` should be set to false
Apply fails with the error:
```
Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region
```
@roman8422 For 1 - _Peering options can be added only to active peerings_ - you can set the aws_vpc_peering_connection_options resources to depend on the aws_vpc_peering_connection_accepter resource so that the peering connection is accepted before the options are set.
e.g.
```hcl
// Requester's side of the connection.
resource "aws_vpc_peering_connection_options" "requester_peering_options" {
  provider = aws.foo

  # As options can't be set until the connection has been accepted
  # create an explicit dependency on the accepter.
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.bar.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

// Accepter's side of the connection.
resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
  provider = aws.bar

  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.bar.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}
```
For 2 - _Requester’s VPC Peering connection options cannot be modified for a different region_ - I get the same error with a modified acceptance test:
```
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount -timeout 120m
=== RUN   TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
=== PAUSE TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
=== CONT  TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
--- FAIL: TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount (61.60s)
    testing.go:654: Step 2 error: errors during apply:

        Error: error modifying VPC Peering Connection (pcx-0383b7f8bd47fb8c1) Options: InvalidParameterValue: Accepter’s VPC Peering connection options cannot be modified for a different region
        	status code: 400, request id: 112635d8-bb0a-4f56-92e8-04fb4b9a25d5

          on /tmp/tf-test594142281/main.tf line 48:
          (source code not available)

        Error: error modifying VPC Peering Connection (pcx-0383b7f8bd47fb8c1) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region
        	status code: 400, request id: d26074cb-6910-4d10-bee9-7728aa539366

          on /tmp/tf-test594142281/main.tf line 59:
          (source code not available)

FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	61.700s
FAIL
GNUmakefile:25: recipe for target 'testacc' failed
make: *** [testacc] Error 1
```
According to the documentation this should be possible.
I'll investigate.
I see the problem - VPC peering connection option updates are being submitted for both accepter and requester on both sides. I'll fix and submit a PR.
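The behaviour described in the comment above, as an added Go example that is not the provider's code: a constructed model in which a side's options can only be modified through that side's own region, which is the rule the two `InvalidParameterValue` errors in the thread state. All type and function names (`Peering`, `ModifyInput`, `modify`, `buildBoth`, `buildLocalSide`, `applyAll`) are hypothetical; the regions are the ones from the issue.

```go
package main

import "fmt"

// Constructed model, not provider code; every name here is hypothetical.
type Peering struct{ RequesterRegion, AccepterRegion string }

// ModifyInput models one request: a nil side is left out of the request.
type ModifyInput struct{ Requester, Accepter *bool }

// modify stands in for the EC2 call (assumed rule: own region, own side only).
func modify(callRegion string, p Peering, in ModifyInput) error {
	if in.Requester != nil && callRegion != p.RequesterRegion {
		return fmt.Errorf("requester options cannot be modified for a different region")
	}
	if in.Accepter != nil && callRegion != p.AccepterRegion {
		return fmt.Errorf("accepter options cannot be modified for a different region")
	}
	return nil
}

// buildBoth models the reported behaviour: both sides go into every request.
func buildBoth(_ string, _ Peering, dns bool) ModifyInput { return ModifyInput{Requester: &dns, Accepter: &dns} }

// buildLocalSide includes only the side(s) located in the calling region.
func buildLocalSide(callRegion string, p Peering, dns bool) (in ModifyInput) {
	if callRegion == p.RequesterRegion {
		in.Requester = &dns
	}
	if callRegion == p.AccepterRegion {
		in.Accepter = &dns
	}
	return in
}

// applyAll sends one request from each side's region and collects the errors.
func applyAll(p Peering, build func(string, Peering, bool) ModifyInput) (errs []error) {
	for _, region := range []string{p.RequesterRegion, p.AccepterRegion} {
		if err := modify(region, p, build(region, p, true)); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", region, err))
		}
	}
	return errs
}

func main() {
	p := Peering{RequesterRegion: "us-west-2", AccepterRegion: "us-east-1"}
	fmt.Println(applyAll(p, buildBoth), applyAll(p, buildLocalSide))
}
```

With both sides in every request the model yields one error per region, accepter first and requester second, the same pair and order as in the acceptance test output; a same-region peering passes either way.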
The above fix has been merged and will release with version 3.13.0 of the Terraform AWS Provider, likely tomorrow. Thanks to @ewbankkit for the implementation. 👍
This has been released in version 3.13.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!