Terraform Version
$ terraform version
Terraform v0.12.1
+ provider.aws v2.13.0
Terraform Configuration Files
provider "aws" {
  alias   = "prod"
  region  = "${var.region}"
  profile = "prod_admin"
}

resource "aws_vpc_peering_connection" "peer" {
  vpc_id        = "${var.local_vpc_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  peer_owner_id = "${var.peer_vpc_owner}"
  peer_region   = "${var.region}"
  auto_accept   = false
  tags = {
    Side = "Requester"
  }
}

resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = "aws.prod"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
  auto_accept               = true
  tags = {
    Side = "Accepter"
  }
}

# REMOTE ROUTE TABLES RULES #
#############################
resource aws_route "peer_public_1" {
  provider                  = "aws.prod"
  route_table_id            = "${var.peer_rt_pub_id}"
  destination_cidr_block    = "${var.local_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

resource aws_route "peer_private_1" {
  provider                  = "aws.prod"
  route_table_id            = "${var.peer_rt_priv1_id}"
  destination_cidr_block    = "${var.local_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

resource aws_route "peer_private_2" {
  provider                  = "aws.prod"
  route_table_id            = "${var.peer_rt_priv2_id}"
  destination_cidr_block    = "${var.local_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

# LOCAL ROUTE TABLES RULES #
############################
resource aws_route "local_public_1" {
  route_table_id            = "${var.local_rt_pub_id}"
  destination_cidr_block    = "${var.peer_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

resource aws_route "local_private_1" {
  route_table_id            = "${var.local_rt_priv1_id}"
  destination_cidr_block    = "${var.peer_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}

resource aws_route "local_private_2" {
  route_table_id            = "${var.local_rt_priv2_id}"
  destination_cidr_block    = "${var.peer_vpc_cidr}"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
}
Crash Output
Error: Unable to accept VPC Peering Connection: OperationNotPermitted: User <REDACTED> cannot accept peering <REDACTED>
status code: 400, request id: <REDACTED>
on ../../common/modules/vpc_peering/main.tf line 39, in resource "aws_vpc_peering_connection_accepter" "peer":
39: resource "aws_vpc_peering_connection_accepter" "peer" {
Error: Error creating route: InvalidRouteTableID.NotFound: The routeTable ID 'rtb-<REDACTED>' does not exist
status code: 400, request id: <REDACTED>
on ../../common/modules/vpc_peering/main.tf line 52, in resource "aws_route" "peer_public_1":
52: resource aws_route "peer_public_1" {
Error: Error creating route: InvalidRouteTableID.NotFound: The routeTable ID 'rtb-<REDACTED>' does not exist
status code: 400, request id: <REDACTED>
on ../../common/modules/vpc_peering/main.tf line 59, in resource "aws_route" "peer_private_1":
59: resource aws_route "peer_private_1" {
Error: Error creating route: InvalidRouteTableID.NotFound: The routeTable ID 'rtb-<REDACTED>' does not exist
status code: 400, request id: <REDACTED>
on ../../common/modules/vpc_peering/main.tf line 66, in resource "aws_route" "peer_private_2":
66: resource aws_route "peer_private_2" {
Expected Behavior
The VPC peering should be correctly set up.
Actual Behavior
Apparently the provider is not working.
The User (AWS account ID) in the first error is not the correct account ID for the prod provider. Instead it's showing the User of the requester, which is the AWS credentials loaded into the system environment variables, and not the ones passed through the provider profile.
Also, the route tables that the errors state do not exist do in fact exist in the accepter account (which is supposed to be invoked through the provider statement), which leads me to believe it's actually trying to find them with the requester's account.
Steps to Reproduce
terraform apply
Additional Context
(1) I would like to advise here that the prod_admin profile in question is configured as follows in the ~/.aws/config file:
  profile [prod_admin]
  role_arn = arn:aws:iam::<REDACTED>:role/admin
  source_profile = prod
It is in the ~/.aws/credentials file that the prod profile credentials are described.
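The profile described above is a role-assuming profile (role_arn plus source_profile) that a Terraform provider alias is expected to honour. The script below is an added example, not code from the report or from the provider: it parses shared config/credentials text in the form shown above, checks that a config-file profile is introduced with a [profile NAME] header and that its source_profile resolves to a profile holding static keys, and then compares the account the role_arn targets with the account that the caller identity actually reports. All account IDs, key values and profile contents are constructed placeholders; the observed account would normally come from `aws sts get-caller-identity --profile prod_admin --query Account --output text`.

```python
"""Added example: lint the AWS shared config/credentials profiles behind a
Terraform provider alias and compare the account the profile should reach
with the account the caller identity actually reports. Standard library
only; no AWS calls are made."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/\S+$")

# Constructed sample files (placeholder account IDs and keys, not real values).
CONFIG_OK = """\
[profile prod_admin]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = prod
"""
CONFIG_BAD_HEADER = """\
profile [prod_admin]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = prod
"""
CREDENTIALS = """\
[prod]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDERSECRET
"""


def parse_profiles(text, is_config_file):
    """Parse ~/.aws/config (is_config_file=True) or ~/.aws/credentials.

    Returns (profiles, findings). In the config file every profile except
    'default' must be introduced as [profile NAME]; the credentials file uses
    bare [NAME] headers. Lines that are neither a header nor key = value are
    reported instead of being silently dropped."""
    profiles, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            name = header.group("name").strip()
            if is_config_file and name != "default":
                if name.startswith("profile "):
                    name = name[len("profile "):].strip()
                else:
                    findings.append(f"line {lineno}: [{name}] in the config file "
                                    f"is not a named profile; use [profile {name}]")
            current = name
            profiles.setdefault(name, {})
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            profiles[current][kv.group("key")] = kv.group("value").strip()
            continue
        findings.append(f"line {lineno}: unrecognised line {line!r}")
    return profiles, findings


def resolve_chain(profile, config, credentials):
    """Follow role_arn/source_profile links until a profile with static keys.

    Returns (target_account, chain, findings). The first role_arn met is the
    identity the alias should end up with, so its account is the target."""
    chain, findings, target, seen, name = [], [], None, set(), profile
    while True:
        if name in seen:
            findings.append(f"profile chain loops at {name}")
            break
        seen.add(name)
        chain.append(name)
        # credentials-file entries override config-file entries of the same name
        section = {**config.get(name, {}), **credentials.get(name, {})}
        if not section:
            findings.append(f"profile {name} is not defined in config or credentials")
            break
        role_arn = section.get("role_arn")
        if role_arn and target is None:
            m = ROLE_ARN_RE.match(role_arn)
            if m:
                target = m.group("account")
            else:
                findings.append(f"profile {name}: role_arn {role_arn!r} is not an IAM role ARN")
        if "aws_access_key_id" in section:
            break  # static keys end the chain
        if not role_arn:
            findings.append(f"profile {name} has neither credentials nor role_arn")
            break
        if "source_profile" not in section:
            findings.append(f"profile {name} has role_arn but no source_profile")
            break
        name = section["source_profile"]
    return target, chain, findings


def diagnose(profile, config, credentials, observed_account):
    """Report when the observed caller account is not the role's account."""
    target, chain, findings = resolve_chain(profile, config, credentials)
    if target and observed_account != target:
        findings.append(f"profile {profile} should act in account {target} via "
                        f"{' -> '.join(chain)}, but the observed identity is in "
                        f"account {observed_account}: the role was not assumed")
    return findings


def run_demo():
    """Lint the sample files and compare against a constructed requester account."""
    config, _ = parse_profiles(CONFIG_OK, is_config_file=True)
    creds, _ = parse_profiles(CREDENTIALS, is_config_file=False)
    return diagnose("prod_admin", config, creds, observed_account="222222222222")


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running diagnose with the account from the real STS call against the profile the alias names gives a direct answer to the question raised in the report: whether the identity behind aws.prod is the role in the accepter account or the requester credentials from the environment. The header check exists because [profile NAME] and bare [NAME] are not interchangeable between the two files, and a profile the SDK cannot find silently falls through to the next credential source.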
(2) After manually accepting the VPC Peering in the AWS Console, only the route table not found errors persist, therefore I tried to import those aws_route resources, but to no avail:
$ terraform import -provider=aws.prod module.vpc_peering.aws_route.peer_public_1 rtb-<REDACTED>_10.13.0.0/16
module.vpc_peering.aws_route.peer_public_1: Importing from ID "rtb-<REDACTED>_10.13.0.0/16"...
module.vpc_peering.aws_route.peer_public_1: Import complete!
Imported aws_route
module.vpc_peering.aws_route.peer_public_1: Refreshing state... [id=r-rtb-<REDACTED>]
Error: Cannot import non-existent remote object
While attempting to import an existing object to aws_route.peer_public_1, the
provider detected that no object exists with the given id. Only pre-existing
objects can be imported; check that the id is correct and that it is
associated with the provider's configured region or endpoint, or use
"terraform apply" to create a new remote object for this resource.
Observation 1: Note the extra "r-" in front of the route table id [id=r-rtb-<REDACTED>] when terraform tries to refresh the state.
Observation 2: Although the "Imported aws_route" message appears in green, when trying to apply the script again, the same 3 errors appear.