Terraform Provisioner "local-exec" not working as expected | VPC Peering Connection Accept issue

Question

I'm unable to get the auto accept peering done through the work around mentioned in the link (Why am I getting a permissions error when attempting to auto_accept vpc peering in Terraform?"] via provisioner option

See below Terraform code of mine. Can some one help me out?

provider "aws" {
  region  = "us-east-1"
  profile = "default"
}

provider "aws" {
  region  = "us-east-1"
  profile = "peer"
  alias   = "peer"
}

data "aws_caller_identity" "peer" {
  provider = "aws.peer"
}



resource "aws_vpc_peering_connection" "service-peer" {
  vpc_id                            = "vpc-123a56789bc"

  peer_vpc_id                       = "vpc-YYYYYY"
  peer_owner_id                     = "012345678901"
  peer_region                       = "us-east-1"


  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  requester {
    allow_remote_vpc_dns_resolution = true
  }


  provisioner "local-exec" {
    command = "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id=${aws_vpc_peering_connection.service-peer.id} --region=us-east-1 --profile=peer"
  }

}

Output I'm getting:

Error: Error applying plan:

1 error(s) occurred:

* aws_vpc_peering_connection.servicehub-peer: 1 error(s) occurred:

* aws_vpc_peering_connection.servicehub-peer: Unable to modify peering options. The VPC Peering Connection "pcx-08ebd316c82acacd9" is not active. Please set `auto_accept` attribute to `true`, or activate VPC Peering Connection manually.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure

Where as I'm able to run the aws cli command successfully via linux shell, outside the terraform template. Let me know if I'm missing out something in the terraform script.

What happens when you run it? Does it error? – ydaetskcoR May 29 '18 at 08:07 — ydaetskcoR, May 29 '18 at 08:07
@ydaetskcoR - I update the output of the terraform template – cinny May 29 '18 at 10:00 — cinny, May 29 '18 at 10:00

score 0 · Answer 1 · answered May 29 '18 at 13:25

0

Try with moving out your "local-exec" and add depends on link with your VPC peering.

resource "null_resource" "peering-provision" {
  depends_on = ["aws_vpc_peering_connection.service-peer"]

  provisioner "local-exec" {
    command = "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id=${aws_vpc_peering_connection.service-peer.id} --region=us-east-1 --profile=peer"
  }
}

As said Koe it's may be better to use auto_accept option.

answered May 29 '18 at 13:25

frbayart

156
2

@frbyart - auto_accept option won't work for Cross Account VPC peering. See the documentation: https://www.terraform.io/docs/providers/aws/r/vpc_peering.html#auto_accept – cinny May 29 '18 at 14:47
@frbyart - I also, tried moving out local-exec as mentioned by you but still throwing the same error. – cinny May 29 '18 at 15:08
Can any one help me out on this issue? – cinny May 30 '18 at 07:29
I deleted my previous answer because I was wrong, as @cinny said, won't work for Cross Accounts VPC peering. – Koe May 30 '18 at 16:47

Terraform Provisioner "local-exec" not working as expected | VPC Peering Connection Accept issue

1 Answers1