
I am trying to create a VPC peer between accounts and auto-accept it, but it fails with a permissions error.

Here are the providers in the main.tf

provider "aws" {
  region                   = "${var.region}"
  shared_credentials_file  = "/Users/<username>/.aws/credentials"
  profile                  = "sandbox"
}

data "aws_caller_identity" "current" { }

Here is the vpc_peer module:

resource "aws_vpc_peering_connection" "peer" {
      peer_owner_id              = "${var.peer_owner_id}"
      peer_vpc_id                = "${var.peer_vpc_id}"
      vpc_id                     = "${var.vpc_id}"
      auto_accept                = "${var.auto_accept}"

      accepter {
        allow_remote_vpc_dns_resolution = true
      }

      requester {
        allow_remote_vpc_dns_resolution = true
      }

      tags {
        Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
      }
}

Here is the module execution in the main.tf:

module "peering" {
  source = "../modules/vpc_peer"

  region        = "${var.region}"
  peer_owner_id = "<management account number>"
  peer_vpc_id   = "<vpc-********>"
  vpc_id        = "${module.network.vpc_id}"
  auto_accept   = "true"
}

Now the IAM user I am using from the "sandbox" provider has permissions for VPC peering in the VPC which is in the management account.

I used the following procedure from AWS: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Unfortunately I keep failing with the following error:

1 error(s) occurred:

* aws_vpc_peering_connection.peer: Unable to accept VPC Peering Connection: OperationNotPermitted: User 651267440910 cannot accept peering pcx-f9c55290
    status code: 400, request id: cfbe1163-241e-413b-a8de-d2bca19726e5

Any ideas?

Anthony Neace

4 Answers


I managed to run a local_exec which accepts the peer.

Here is an example:

resource "aws_vpc_peering_connection" "peer" {

  peer_owner_id              = "${var.peer_owner_id}"
  peer_vpc_id                = "${var.peer_vpc_id}"
  vpc_id                     = "${var.vpc_id}"

  provisioner "local-exec" {
    command = "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id=${aws_vpc_peering_connection.peer.id} --region=${var.region} --profile=${var.profile}"

  }

  tags {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
  }
}

The latest doc example works fine for me (cross-account usage).

Other answers were not working.

Example with Terraform version > 1:

provider "aws" {
  alias = "requester"

  # Requester's credentials.
}

provider "aws" {
  alias = "accepter"

  # Accepter's credentials.
}

resource "aws_vpc" "main" {
  provider = aws.requester

  cidr_block = "10.0.0.0/16"

  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_vpc" "peer" {
  provider = aws.accepter

  cidr_block = "10.1.0.0/16"

  enable_dns_support   = true
  enable_dns_hostnames = true
}

data "aws_caller_identity" "peer" {
  provider = aws.accepter
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "peer" {
  provider = aws.requester

  vpc_id        = aws_vpc.main.id
  peer_vpc_id   = aws_vpc.peer.id
  peer_owner_id = data.aws_caller_identity.peer.account_id
  auto_accept   = false

  tags = {
    Side = "Requester"
  }
}

# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider = aws.accepter

  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}

resource "aws_vpc_peering_connection_options" "requester" {
  provider = aws.requester

  # As options can't be set until the connection has been accepted
  # create an explicit dependency on the accepter.
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter" {
  provider = aws.accepter

  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}
STA
chiloid

The auto_accept argument in Terraform can only be used on VPCs in the same account. From the documentation:

auto_accept - (Optional) Accept the peering (both VPCs need to be in the same AWS account).

...

If both VPCs are not in the same AWS account do not enable the auto_accept attribute. You will still have to accept the VPC Peering Connection request manually using the AWS Management Console, AWS CLI, through SDKs, etc.

So you'll just need to make the peering connection on this side in Terraform without auto_accept, and then manually or programmatically accept it in the target account. Some programmatic options:

The AWS SDK in your language of choice should have a matching method for this, as well.

Anthony Neace

Thanks Anthony, I have found a way to work around that, by running local_exec and an AWS CLI command to accept the peer on the remote account. – Nathaniel Assis Nov 07 '16 at 20:02
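Added example (my code, not from the question or from any answer on this page): the accept step that the local-exec answer above runs through the AWS CLI, and that this answer leaves to the accepter account's CLI or SDK, written against the boto3 EC2 client's describe_vpc_peering_connections and accept_vpc_peering_connection calls. It runs with the accepter (management) account's credentials, which is why the sandbox user in the question gets OperationNotPermitted, and it refuses to accept unless the request is still pending and the requesting account and accepter VPC are the ones you expect, so a stray peering request is not accepted blindly. The client is injected; the fake client, the account numbers, the VPC and pcx IDs and the profile name below are all constructed placeholders so the code runs offline.

```python
"""Accept a cross-account VPC peering request only after verifying it.

Added example; assumes a boto3-style EC2 client with
describe_vpc_peering_connections() and accept_vpc_peering_connection().
"""
from typing import Any, Dict, List

# Constructed sample values (not real accounts or IDs).
REQUESTER_ACCOUNT = "111111111111"   # the account that created the request, e.g. "sandbox"
ACCEPTER_ACCOUNT = "222222222222"    # the account that owns the peer VPC, e.g. management
ACCEPTER_VPC = "vpc-accepter0001"
PCX_ID = "pcx-constructed01"

# Constructed describe_vpc_peering_connections() response, shaped like boto3's.
SAMPLE_DESCRIBE_RESPONSE: Dict[str, Any] = {
    "VpcPeeringConnections": [
        {
            "VpcPeeringConnectionId": PCX_ID,
            "Status": {"Code": "pending-acceptance",
                       "Message": "Pending Acceptance by " + ACCEPTER_ACCOUNT},
            "RequesterVpcInfo": {"OwnerId": REQUESTER_ACCOUNT,
                                 "VpcId": "vpc-requester001", "CidrBlock": "10.0.0.0/16"},
            "AccepterVpcInfo": {"OwnerId": ACCEPTER_ACCOUNT,
                                "VpcId": ACCEPTER_VPC, "CidrBlock": "10.1.0.0/16"},
        }
    ]
}


class PeeringAcceptError(Exception):
    """Raised when the pending request is missing or does not match expectations."""


def check_request(conn: Dict[str, Any], expected_requester_account: str,
                  expected_accepter_vpc: str) -> List[str]:
    """Return the reasons this request must NOT be accepted (empty list == OK)."""
    problems: List[str] = []
    state = conn.get("Status", {}).get("Code")
    if state != "pending-acceptance":
        problems.append(f"state is {state!r}, not pending-acceptance")
    requester = conn.get("RequesterVpcInfo", {}).get("OwnerId")
    if requester != expected_requester_account:
        problems.append(f"requester account {requester!r} is not the expected "
                        f"{expected_requester_account!r}")
    accepter_vpc = conn.get("AccepterVpcInfo", {}).get("VpcId")
    if accepter_vpc != expected_accepter_vpc:
        problems.append(f"accepter VPC {accepter_vpc!r} is not the expected "
                        f"{expected_accepter_vpc!r}")
    return problems


def accept_peering(ec2: Any, pcx_id: str, expected_requester_account: str,
                   expected_accepter_vpc: str) -> str:
    """Describe, verify, then accept. Call with the ACCEPTER account's credentials.

    Returns the connection state reported by the accept call.
    """
    resp = ec2.describe_vpc_peering_connections(VpcPeeringConnectionIds=[pcx_id])
    conns = [c for c in resp.get("VpcPeeringConnections", [])
             if c.get("VpcPeeringConnectionId") == pcx_id]
    if not conns:
        raise PeeringAcceptError(f"{pcx_id} is not visible to this account")
    problems = check_request(conns[0], expected_requester_account, expected_accepter_vpc)
    if problems:
        raise PeeringAcceptError("; ".join(problems))
    result = ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
    return result["VpcPeeringConnection"]["Status"]["Code"]


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""

    def __init__(self, describe_response: Dict[str, Any]) -> None:
        self.describe_response = describe_response
        self.accepted: List[str] = []

    def describe_vpc_peering_connections(self, VpcPeeringConnectionIds: List[str]) -> Dict[str, Any]:
        matching = [c for c in self.describe_response["VpcPeeringConnections"]
                    if c["VpcPeeringConnectionId"] in VpcPeeringConnectionIds]
        return {"VpcPeeringConnections": matching}

    def accept_vpc_peering_connection(self, VpcPeeringConnectionId: str) -> Dict[str, Any]:
        self.accepted.append(VpcPeeringConnectionId)
        # A real accept reports "provisioning" or "active"; the fake reports "active".
        return {"VpcPeeringConnection": {"VpcPeeringConnectionId": VpcPeeringConnectionId,
                                         "Status": {"Code": "active"}}}


def demo() -> str:
    """Accept the constructed request through the fake client; returns the new state."""
    return accept_peering(FakeEc2(SAMPLE_DESCRIBE_RESPONSE), PCX_ID,
                          REQUESTER_ACCOUNT, ACCEPTER_VPC)


if __name__ == "__main__":
    # Against AWS, build the client from the accepter account's profile instead, e.g.
    #   import boto3
    #   ec2 = boto3.session.Session(profile_name="management").client("ec2", region_name="us-east-1")
    # (profile and region names are assumptions) and pass it to accept_peering().
    print(demo())
```

Run from the accepter account; the requester side still creates the connection in Terraform without auto_accept, as this answer says. The describe-then-check step is the part the one-line CLI call skips: it ties the accept to a specific requester account and VPC, and it fails closed if the connection is no longer pending (already accepted, rejected or expired).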

VPC peering will happen in the same region with the same account or a different account. On both sides, the VPC peering needs to be accepted in order to access one VPC from another VPC.