AWS peering auto accept across accounts (same region)

I am unable to get auto-accept of a peering connection in another account to work. I’m reading some conflicting reports that cross-account peering with auto_accepter is not supported. Looking for confirmation that cross-account VPC peering auto_accept is not supported when both VPCs are in the same region.

Hi @tatroc,

I don’t know the direct answer to your question (hopefully someone else in the forum does), but as a partial answer:

When you set auto_accept = true, that makes the provider call ec2:AcceptVpcPeeringConnection on your behalf during the “create” step for the object. The provider uses the value from the vpc_peering_connection_id argument to populate the VpcPeeringConnectionId parameter in that request.

After calling that action, the provider then politely polls the EC2 API waiting for the ec2:DescribeVpcPeeringConnectionsPages action to return a status of either “active” or “pending-acceptance” before considering the object to have been successfully created.

The auto_accept argument for aws_vpc_peering_connection (not the accepter) follows the same behavior.

Therefore the AWS provider is subject to whatever restrictions might apply to these underlying API endpoints, but it doesn’t seem to impose any additional restrictions of its own. I wasn’t able to find any information in the VPC peering user guide talking about restrictions on accepting peering requests from other accounts, but one possible reason why it wouldn’t work is if VPC issues separate VPC connection IDs to each account: if that were true then vpc_peering_connection_id would need to be different for the accepter than for the requester, and so the simple example shown in the documentation wouldn’t work (because it assumes that the two IDs match).

I don’t know if that’s actually true, though; I’d suggest experimenting yourself via the CLI or AWS console to see how the EC2 API is internally representing cross-account requests similar to what you are trying to establish.
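As an added example (not from either post above, and not the provider's own documentation), this is the two-provider layout the accepter resource is designed for: the request is created with the requester account's credentials and accepted with the peer account's credentials, which is what lets the provider call ec2:AcceptVpcPeeringConnection on the peer side. The account IDs, VPC IDs, role ARN and provider alias names are placeholders.

```hcl
# Added example, not from the thread. Account IDs, VPC IDs and the role ARN
# are placeholders; the provider aliases "requester" and "accepter" are assumed names.

provider "aws" {
  alias  = "requester"
  region = "us-east-1"
}

# Credentials for the peer account, here via an assumed role (placeholder ARN).
provider "aws" {
  alias  = "accepter"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/PLACEHOLDER-peering-role"
  }
}

# Requester side: creates the peering request. auto_accept is left unset here
# because the provider can only accept on the requester resource when both VPCs
# are in the same account; the request stays in "pending-acceptance" until the
# peer account accepts it.
resource "aws_vpc_peering_connection" "to_peer" {
  provider      = aws.requester
  vpc_id        = "vpc-0aaaaaaaaaaaaaaaa" # placeholder: requester VPC
  peer_owner_id = "222222222222"          # placeholder: accepter account ID
  peer_vpc_id   = "vpc-0bbbbbbbbbbbbbbbb" # placeholder: accepter VPC
  # peer_region is only needed for cross-region peering; both VPCs are in
  # the same region in this thread, so it is omitted.

  tags = { Side = "Requester" }
}

# Accepter side: the pcx-… ID is the same identifier in both accounts, so the
# accepter resource references the requester's ID directly. With auto_accept
# set here, the provider calls ec2:AcceptVpcPeeringConnection using the
# accepter provider's credentials and then polls until the status is "active".
resource "aws_vpc_peering_connection_accepter" "from_requester" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.to_peer.id
  auto_accept               = true

  tags = { Side = "Accepter" }
}

# Note: acceptance alone moves no traffic. A route to the peer CIDR via the
# peering connection is still needed in each VPC's route tables (omitted here).
```

To check the ID question raised above without Terraform, `aws ec2 describe-vpc-peering-connections` run with each account's credentials should return the same pcx-… ID for the one connection.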