VPC peering


Gowtham

Feb 28, 2021, 2:27:39 PM2/28/21
to terrafo...@googlegroups.com
Team, 

In our AWS account we have a management VPC (requester) and several other (accepter) VPCs in different regions. I am trying to set up VPC peering from the management VPC to the others (app VPCs).

We would like to have the peering resource code ("aws_vpc_peering_connection") as part of the accepter VPC's calling code. I am able to pass the management VPC ID (requester) using the remote state, but unfortunately I am not able to set the region for it. Is there a way to set the requester region?


```hcl
resource "aws_vpc_peering_connection" "mgmt_peering" {
  # count = var.enable_peering

  # Accepter side: the app VPC created in this configuration.
  peer_vpc_id = aws_vpc.app.id
  # peer_region = "us-west-1"

  # Requester side: the management VPC, read from its remote state.
  vpc_id      = data.terraform_remote_state.global_vpc_metadata.outputs.vpc_id
  auto_accept = false

  tags = {
    Name = "VPC Peering between management vpc and ${var.name}"
  }
}
```

---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Fernando 🐼

Feb 28, 2021, 3:03:22 PM2/28/21
to terrafo...@googlegroups.com
You need a provider alias for the other region.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CADB0oFzzdJZoMDBFBc7NTnGo2-08OczEaahsg8zvWVnQjDLGAg%40mail.gmail.com.

Gowtham

Feb 28, 2021, 3:42:33 PM2/28/21
to terrafo...@googlegroups.com
Thanks for the suggestion. I've tried the same; unfortunately, it's not working.

```hcl
# Management (requester) VPC metadata, read from the shared remote state.
data "terraform_remote_state" "global_vpc_metadata" {
  # count = var.enable_peering
  backend = "s3"
  config = {
    bucket  = var.mgmt_vpc_bucket
    key     = "aws_global.tfstate"
    region  = var.terraform_primary_region
    profile = var.mgmt_profile
  }
}

# Aliased provider for the requester side (management VPC region).
# The default provider, configured by the calling code, carries the
# accepter region (us-west-1 in the run below).
provider "aws" {
  region = "eu-central-1"
  alias  = "requester"
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "requester" {
  provider    = aws.requester
  vpc_id      = data.terraform_remote_state.global_vpc_metadata.outputs.vpc_id
  peer_vpc_id = aws_vpc.mod.id
  # peer_region is not set here, so it defaults to the requester's region
  # (eu-central-1); the peer VPC actually lives in the accepter region.
  // peer_region = "us-west-1"

  auto_accept = false

  tags = {
    Side = "Requester"
  }
}

# Accepter's side of the connection (default provider, accepter region).
resource "aws_vpc_peering_connection_accepter" "accepter" {
  vpc_peering_connection_id = aws_vpc_peering_connection.requester.id
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}
```


THE RESULT IS:

```text
$ terraform apply -var 'region=us-west-1'
data.aws_caller_identity.current: Refreshing state...
module.mgmt_vpc.aws_cloudwatch_log_group.dcloud_vpc_log_group: Refreshing state... [id=test-vpc-dcloud-vpc-log-group]
module.mgmt_vpc.aws_iam_role.dcloud_flowlogs_role: Refreshing state... [id=test-vpc-dcloud-flowlogs-role]
data.aws_ami.latest_qualys_ami: Refreshing state...
data.aws_availability_zones.available: Refreshing state...
module.mgmt_vpc.aws_vpc.mod: Refreshing state... [id=vpc-072ca8331e75c635f]
module.mgmt_vpc.aws_iam_role_policy.vpc-flow-policy: Refreshing state... [id=test-vpc-dcloud-flowlogs-role:test-vpc-dcloud_vpc_flowlogs_policy]
module.mgmt_vpc.data.terraform_remote_state.global_vpc_metadata: Refreshing state...
module.mgmt_vpc.aws_internet_gateway.mod: Refreshing state... [id=igw-0c0c30bc7bcef3286]
module.mgmt_vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-09612bdaf32ea4d4c]
module.mgmt_vpc.aws_flow_log.dcloud_flow_log: Refreshing state... [id=fl-0355ed29126830368]
module.mgmt_vpc.aws_vpc_peering_connection.requester: Refreshing state... [id=pcx-06e4ce78307dd2ba9]
module.mgmt_vpc.aws_route_table.public: Refreshing state... [id=rtb-05575e19c7b64dd73]
aws_security_group.qualys-sg: Refreshing state... [id=sg-0d813cc6cddc04acc]
module.mgmt_vpc.aws_route.public_internet_gateway: Refreshing state... [id=r-rtb-05575e19c7b64dd731080289494]
module.mgmt_vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0cdfdab93a0c2e809]
aws_instance.qualys_instance: Refreshing state... [id=i-0fed254887f9ca251]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.mgmt_vpc.aws_vpc_peering_connection.requester will be created
  + resource "aws_vpc_peering_connection" "requester" {
      + accept_status = (known after apply)
      + auto_accept   = false
      + id            = (known after apply)
      + peer_owner_id = (known after apply)
      + peer_region   = (known after apply)
      + peer_vpc_id   = "vpc-072ca8331e75c635f"
      + tags          = {
          + "Side" = "Requester"
        }
      + vpc_id        = "vpc-0fcf8ab14c3e10471"

      + accepter {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }

      + requester {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }
    }

  # module.mgmt_vpc.aws_vpc_peering_connection_accepter.accepter will be created
  + resource "aws_vpc_peering_connection_accepter" "accepter" {
      + accept_status             = (known after apply)
      + auto_accept               = true
      + id                        = (known after apply)
      + peer_owner_id             = (known after apply)
      + peer_region               = (known after apply)
      + peer_vpc_id               = (known after apply)
      + tags                      = {
          + "Side" = "Accepter"
        }
      + vpc_id                    = (known after apply)
      + vpc_peering_connection_id = (known after apply)

      + accepter {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }

      + requester {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "test-peering"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.mgmt_vpc.aws_vpc_peering_connection.requester: Creating...

Error: Error waiting for VPC Peering Connection to become available: Error waiting for VPC Peering Connection (pcx-0751906ef0f36dff4) to become available: Failed due to incorrect VPC-ID, Account ID, or overlapping CIDR range

  on .terraform/modules/mgmt_vpc/peering.tf line 45, in resource "aws_vpc_peering_connection" "requester":
  45: resource "aws_vpc_peering_connection" "requester" {
```


Gowtham

Feb 28, 2021, 3:44:01 PM2/28/21
to terrafo...@googlegroups.com
By the way, I am using the following versions:

```text
$ terraform --version
Terraform v0.12.29
+ provider.aws v3.1.0
+ provider.template v2.1.2
```



Fernando 🐼

Feb 28, 2021, 3:47:16 PM2/28/21
to terrafo...@googlegroups.com
Can you use an alias also for the requester?
Just to prevent weird provider picking.

Also, your error shows a wrong VPC ID...
In your place, I would comment out those requests and create data sources or outputs for those arguments and make sure they are the expected ones.

FYI, remote state data sources are hard to work out in the same run.
Using AWS data sources is probably better. You can filter via tags.

--
Fernando 🐼

Gowtham

Feb 28, 2021, 4:23:28 PM2/28/21
to terrafo...@googlegroups.com
Thanks for the suggestions. Yes, I am setting up the alias for the requester. I have hardcoded the VPC ID for the requester (mgmt VPC) instead of the remote data source; still no luck.

I have tested the peering manually, which is working fine. 


```hcl
# Aliased provider for the requester side (management VPC region).
provider "aws" {
  region = "eu-central-1"
  alias  = "requester"
}

# Requester's side of the connection, with the management VPC ID hardcoded
# instead of being read from remote state.
resource "aws_vpc_peering_connection" "requester" {
  provider    = aws.requester
  vpc_id      = "vpc-0fcf8ab14c3e10471"
  peer_vpc_id = aws_vpc.mod.id
  # peer_region is still unset, so the peer VPC is looked up in eu-central-1
  # rather than in the accepter region.
  // peer_region = "us-west-1"

  auto_accept = false

  tags = {
    Side = "Requester"
  }
}

# Accepter's side of the connection (default provider, accepter region).
resource "aws_vpc_peering_connection_accepter" "accepter" {
  vpc_peering_connection_id = aws_vpc_peering_connection.requester.id
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}
```

OUTPUT:

```text
Error: Error waiting for VPC Peering Connection to become available: Error waiting for VPC Peering Connection (pcx-0232ee93e8207dedc) to become available: Failed due to incorrect VPC-ID, Account ID, or overlapping CIDR range

  on .terraform/modules/mgmt_vpc/peering.tf line 45, in resource "aws_vpc_peering_connection" "requester":
  45: resource "aws_vpc_peering_connection" "requester" {
```


Fernando 🐼

Feb 28, 2021, 4:47:20 PM2/28/21
to terrafo...@googlegroups.com
But where's the accepter alias? It's the one which needs a region. 

--
Fernando 🐼

Fernando 🐼

Feb 28, 2021, 4:48:03 PM2/28/21
to terrafo...@googlegroups.com
Silly question, but the CIDRs don't overlap right? 

--
Fernando 🐼

Gowtham

Feb 28, 2021, 5:07:57 PM2/28/21
to terrafo...@googlegroups.com
The accepter region is set from the calling code. Anyway, I tested using an accepter alias as well and am still getting the same error. I manually tested the inter-region peering between these VPCs, which is working fine.
 
Requester CIDR: 172.16.0.0/25
Accepter CIDR:  172.11.0.0/25


Fernando 🐼

Feb 28, 2021, 5:33:02 PM2/28/21
to terrafo...@googlegroups.com
I remember having similar issues in the past, but it was many, many moons ago, too far back to recall.
Currently mobile and without access to any samples of code to see how we implement it.

Your best bet is to look over at a community module and see if something is missing 

--
Fernando 🐼

Eric Black

Feb 28, 2021, 5:51:00 PM2/28/21
to terrafo...@googlegroups.com
_Sometimes_ throwing `TF_LOG=TRACE` in front of the apply will also dump some more info from the API request. Definitely worth a shot.

Gowtham

Mar 1, 2021, 3:30:46 PM3/1/21
to terrafo...@googlegroups.com
This has been fixed after setting up a dedicated provider for the requester and setting the correct region for the accepter. Thanks @fernando and @Eric.
 

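As an added example, not code from any post in this thread: the shape of the cross-region peering configuration the thread converges on, with one provider per side, `peer_region` set on the requester, the management VPC looked up by tag under the requester provider (the AWS data source approach Fernando suggests instead of remote state), and the routes without which the peering carries no traffic. The region defaults, the `Name=mgmt-vpc` tag, the app CIDR and the single-account assumption are mine, not from the posts.

```hcl
# Added example (not from the thread). Assumptions: the management VPC is in
# eu-central-1 and tagged Name=mgmt-vpc; the app VPC is created here in
# var.region (the accepter region); both VPCs are in the same AWS account,
# so peer_owner_id is not needed (set it for cross-account peering).

terraform {
  required_version = ">= 0.12"
  required_providers {
    aws = ">= 3.1"
  }
}

variable "region" {
  description = "Region of the app (accepter) VPC"
  default     = "us-west-1"
}

variable "mgmt_region" {
  description = "Region of the management (requester) VPC (assumed)"
  default     = "eu-central-1"
}

# Default provider: the accepter side (app VPC region).
provider "aws" {
  region = var.region
}

# Aliased provider: the requester side (management VPC region).
provider "aws" {
  alias  = "requester"
  region = var.mgmt_region
}

# Resolve the management VPC by tag in its own region instead of pulling the
# ID out of another workspace's state (tag value is an assumption).
data "aws_vpc" "mgmt" {
  provider = aws.requester
  filter {
    name   = "tag:Name"
    values = ["mgmt-vpc"]
  }
}

resource "aws_vpc" "app" {
  cidr_block = "172.17.0.0/25" # must not overlap the management VPC CIDR
  tags = {
    Name = "app-vpc"
  }
}

# Requester side. peer_region is the argument missing from the posted code:
# without it AWS looks for peer_vpc_id in the requester's own region and the
# request fails with "incorrect VPC-ID, Account ID, or overlapping CIDR range".
resource "aws_vpc_peering_connection" "requester" {
  provider    = aws.requester
  vpc_id      = data.aws_vpc.mgmt.id
  peer_vpc_id = aws_vpc.app.id
  peer_region = var.region
  auto_accept = false # cross-region peering cannot be auto-accepted on the requester

  tags = {
    Side = "Requester"
  }
}

# Accepter side, created in the accepter region through the default provider.
resource "aws_vpc_peering_connection_accepter" "accepter" {
  provider                  = aws
  vpc_peering_connection_id = aws_vpc_peering_connection.requester.id
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}

# Routes scoped to the peer's CIDR only; a summary route would expose more
# than the peering is meant to carry. The management-side route is created
# under the requester provider, depending on the accepter so the connection
# is active first.
resource "aws_route" "app_to_mgmt" {
  route_table_id            = aws_vpc.app.main_route_table_id
  destination_cidr_block    = data.aws_vpc.mgmt.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.accepter.id
}

resource "aws_route" "mgmt_to_app" {
  provider                  = aws.requester
  route_table_id            = data.aws_vpc.mgmt.main_route_table_id
  destination_cidr_block    = aws_vpc.app.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.accepter.id
}
```

Run it as `terraform apply -var 'region=us-west-1'` from the accepter workspace, as in the thread. Before applying, `terraform plan` should show `peer_region = "us-west-1"` on the requester resource rather than `(known after apply)`; if it still shows the latter, the argument is not reaching the resource. The peering carries no security groups of its own, so the security boundary is the route entries plus the security group and NACL rules that reference the peer CIDR; keep both deliberately narrow.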
