VPC peering

60 views
Skip to first unread message

Gowtham

unread,
Feb 28, 2021, 2:27:39 PMFeb 28
to terrafo...@googlegroups.com
Team, 

In our AWS account, we are having a management VPC (Requester) and several other(Acceptor) VPC's in different regions. I am trying to make the VPC-peering from the Mgmt VPC to the others(App VPC's).

We would like to have the peering resource code("aws_vpc_peering_connection") as part of the Accepter VPC's calling code.  I am able to pass the management VPC id (requester) using the remote state, but unfortunately not able to set the region for the same. Is there a way to set the requester region. 


```
resource "aws_vpc_peering_connection" "mgmt_peering" {
# count = var.enable_peering
peer_vpc_id = aws_vpc.app.id
# peer_region = "us-west-1"
vpc_id = data.terraform_remote_state.global_vpc_metadata.outputs.vpc_id
auto_accept = false

tags = {
Name = "VPC Peering between management vpc and ${var.name}"
}
}




---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Fernando 🐼

unread,
Feb 28, 2021, 3:03:22 PMFeb 28
to terrafo...@googlegroups.com
you need a provider alias for another  region

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CADB0oFzzdJZoMDBFBc7NTnGo2-08OczEaahsg8zvWVnQjDLGAg%40mail.gmail.com.

Gowtham

unread,
Feb 28, 2021, 3:42:33 PMFeb 28
to terrafo...@googlegroups.com
Thanks for the suggestion. I've tried the same, Unfortunately, it's not working.

data "terraform_remote_state" "global_vpc_metadata" {
# count = var.enable_peering
backend = "s3"
config = {
bucket = var.mgmt_vpc_bucket
key = "aws_global.tfstate"
region = var.terraform_primary_region
profile = var.mgmt_profile
}
}

provider "aws" {
region = "eu-central-1"
alias = "requester"
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "requester" {
provider = aws.requester
vpc_id = data.terraform_remote_state.global_vpc_metadata.outputs.vpc_id
peer_vpc_id = aws_vpc.mod.id
// peer_region = "us-west-1"

auto_accept = false

tags = {
Side = "Requester"
}
}

# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "accepter" {
vpc_peering_connection_id = aws_vpc_peering_connection.requester.id
auto_accept = true

tags = {
Side = "Accepter"
}
}


THE RESULT IS:

 gowgopal@GOWGOPAL-M-H0VS  ~/Cisco/aws-infra/test-vpc   mgm/vpc ±  terraform apply -var 'region=us-west-1'
data.aws_caller_identity.current: Refreshing state...
module.mgmt_vpc.aws_cloudwatch_log_group.dcloud_vpc_log_group: Refreshing state... [id=test-vpc-dcloud-vpc-log-group]
module.mgmt_vpc.aws_iam_role.dcloud_flowlogs_role: Refreshing state... [id=test-vpc-dcloud-flowlogs-role]
data.aws_ami.latest_qualys_ami: Refreshing state...
data.aws_availability_zones.available: Refreshing state...
module.mgmt_vpc.aws_vpc.mod: Refreshing state... [id=vpc-072ca8331e75c635f]
module.mgmt_vpc.aws_iam_role_policy.vpc-flow-policy: Refreshing state... [id=test-vpc-dcloud-flowlogs-role:test-vpc-dcloud_vpc_flowlogs_policy]
module.mgmt_vpc.data.terraform_remote_state.global_vpc_metadata: Refreshing state...
module.mgmt_vpc.aws_internet_gateway.mod: Refreshing state... [id=igw-0c0c30bc7bcef3286]
module.mgmt_vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-09612bdaf32ea4d4c]
module.mgmt_vpc.aws_flow_log.dcloud_flow_log: Refreshing state... [id=fl-0355ed29126830368]
module.mgmt_vpc.aws_vpc_peering_connection.requester: Refreshing state... [id=pcx-06e4ce78307dd2ba9]
module.mgmt_vpc.aws_route_table.public: Refreshing state... [id=rtb-05575e19c7b64dd73]
aws_security_group.qualys-sg: Refreshing state... [id=sg-0d813cc6cddc04acc]
module.mgmt_vpc.aws_route.public_internet_gateway: Refreshing state... [id=r-rtb-05575e19c7b64dd731080289494]
module.mgmt_vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0cdfdab93a0c2e809]
aws_instance.qualys_instance: Refreshing state... [id=i-0fed254887f9ca251]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.mgmt_vpc.aws_vpc_peering_connection.requester will be created
  + resource "aws_vpc_peering_connection" "requester" {
      + accept_status = (known after apply)
      + auto_accept   = false
      + id            = (known after apply)
      + peer_owner_id = (known after apply)
      + peer_region   = (known after apply)
      + peer_vpc_id   = "vpc-072ca8331e75c635f"
      + tags          = {
          + "Side" = "Requester"
        }
      + vpc_id        = "vpc-0fcf8ab14c3e10471"

      + accepter {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }

      + requester {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }
    }

  # module.mgmt_vpc.aws_vpc_peering_connection_accepter.accepter will be created
  + resource "aws_vpc_peering_connection_accepter" "accepter" {
      + accept_status             = (known after apply)
      + auto_accept               = true
      + id                        = (known after apply)
      + peer_owner_id             = (known after apply)
      + peer_region               = (known after apply)
      + peer_vpc_id               = (known after apply)
      + tags                      = {
          + "Side" = "Accepter"
        }
      + vpc_id                    = (known after apply)
      + vpc_peering_connection_id = (known after apply)

      + accepter {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }

      + requester {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "test-peering"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.mgmt_vpc.aws_vpc_peering_connection.requester: Creating...

Error: Error waiting for VPC Peering Connection to become available: Error waiting for VPC Peering Connection (pcx-0751906ef0f36dff4) to become available: Failed due to incorrect VPC-ID, Account ID, or overlapping CIDR range

  on .terraform/modules/mgmt_vpc/peering.tf line 45, in resource "aws_vpc_peering_connection" "requester":
  45: resource "aws_vpc_peering_connection" "requester" {

---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Gowtham

unread,
Feb 28, 2021, 3:44:01 PMFeb 28
to terrafo...@googlegroups.com
By the way, Am using the following versions:

✘ gowgopal@GOWGOPAL-M-H0VS  terraform --version
Terraform v0.12.29
+ provider.aws v3.1.0
+ provider.template v2.1.2


---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Fernando 🐼

unread,
Feb 28, 2021, 3:47:16 PMFeb 28
to terrafo...@googlegroups.com
Can you use an alias also for the requester? 
Just go prevent weird provider picking. 

Also your errors shows wrong VPC id... 
In your place, I would comment out those requests and create data sources or outputs for those arguments and make sure they are the expected ones. 

FYI remote data sources are hard to work out in the same run. 
Using aws data sources is probably better. You can filter via tags. 

--
Fernando 🐼

Gowtham

unread,
Feb 28, 2021, 4:23:28 PMFeb 28
to terrafo...@googlegroups.com
Thanks for the suggestions. Yes, am setting up the alias for the requester.  Have hardcoded the VPC_ID for the requestor(Mgmt VPC) instead of the remote data source, still no luck.

I have tested the peering manually, which is working fine. 


provider "aws" {
region = "eu-central-1"
alias = "requester"
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "requester" {
provider = aws.requester
vpc_id = "vpc-0fcf8ab14c3e10471"
peer_vpc_id = aws_vpc.mod.id
// peer_region = "us-west-1"

auto_accept = false

tags = {
Side = "Requester"
}
}

# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "accepter" {
vpc_peering_connection_id = aws_vpc_peering_connection.requester.id
auto_accept = true

tags = {
Side = "Accepter"
}
}

OUTPUT:

Error: Error waiting for VPC Peering Connection to become available: Error waiting for VPC Peering Connection (pcx-0232ee93e8207dedc) to become available: Failed due to incorrect VPC-ID, Account ID, or overlapping CIDR range


  on .terraform/modules/mgmt_vpc/peering.tf line 45, in resource "aws_vpc_peering_connection" "requester":
  45: resource "aws_vpc_peering_connection" "requester" {

---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Fernando 🐼

unread,
Feb 28, 2021, 4:47:20 PMFeb 28
to terrafo...@googlegroups.com
But where's the accepter alias? It's the one which needs a region. 

--
Fernando 🐼

Fernando 🐼

unread,
Feb 28, 2021, 4:48:03 PMFeb 28
to terrafo...@googlegroups.com
Silly question, but the CIDRs don't overlap right? 

--
Fernando 🐼

Gowtham

unread,
Feb 28, 2021, 5:07:57 PMFeb 28
to terrafo...@googlegroups.com
The Accepter region is setting from the calling code. Anyway tested using an accepter alias as well, still getting the same error.  Manually tested the inter-region peering between these VPC's, which is working fine. 
 
Requester CIDR: 172.16.0.0/25
Accepter CIDR:  172.11.0.0/25

---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Fernando 🐼

unread,
Feb 28, 2021, 5:33:02 PMFeb 28
to terrafo...@googlegroups.com
I remember having similar issues in the past, but it was many many moons away to recall. 
Currently mobile and without access to any samples of code to see how we implement. 

Your best bet is to look over at a community module and see if something is missing 

--
Fernando 🐼

Eric Black

unread,
Feb 28, 2021, 5:51:00 PMFeb 28
to terrafo...@googlegroups.com
_sometimes_ throwing a `TF_LOG=TRACE` in front of the apply will also dump some more info from the api request too. Definitely worth a shot.

Gowtham

unread,
Mar 1, 2021, 3:30:46 PMMar 1
to terrafo...@googlegroups.com
This has been fixed after setting up the dedicated provider for the requester and setting up the correct region for the accepter. Thanks @fernando and @Eric. 
 

---
Best regards,
Gowtham
07798838879 


=====================
Learn from mistakes....

Please consider the environment before printing this email - Thanks

Reply all
Reply to author
Forward
0 new messages