I’m trying to create VPC Peering between two VPCs in two different accounts. One is managed by me and another one by others and I don’t have access to it.
I’m using the following snippet of Terraform script.

```hcl
resource "aws_vpc_peering_connection" "a" {
  peer_owner_id = var.a.aws_account_id
  peer_vpc_id   = var.a.vpc_id
  vpc_id        = aws_vpc.main.id
  peer_region   = "eu-west-1"

  requester {
    allow_remote_vpc_dns_resolution = false
  }
}
```
Next, it is going to be manually accepted by those who manage that account.
The problem is that, whether the peering is accepted or not, Terraform wants to replace that peering connection:

```text
# module.vpc.aws_vpc_peering_connection.a is tainted, so must be replaced
-/+ resource "aws_vpc_peering_connection" "a" {
      ~ accept_status = "active" -> (known after apply)
      ~ id            = "pcx-00000000000000000" -> (known after apply)
        # (5 unchanged attributes hidden)

      + accepter {
          + allow_classic_link_to_remote_vpc = (known after apply)
          + allow_remote_vpc_dns_resolution  = (known after apply)
          + allow_vpc_to_remote_classic_link = (known after apply)
        }

        # (1 unchanged block hidden)
    }
```
I have already tried to prevent the replacement by using lifecycle:

```hcl
lifecycle {
  ignore_changes = all
}
```
But it doesn’t help…
2 Answers
Try to untaint the resource e.g.
By using the aws_vpc_peering_connection_options resource instead of specifying options in the aws_vpc_peering_connection requester, I was able to avoid recreation of the connection itself when Terraform noticed that the allow_remote_vpc_dns_resolution option had changed. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options
Setting the option will still fail before the peering connection has been accepted by the other side, but once you have accepted the connection on the other account, only the options will be tainted, not the whole connection.
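The layout this answer describes, written out as an added example rather than code taken from the question or the answer. It reuses the variable and resource names from the question and assumes the peer account accepts the connection out of band, as the question states.

```hcl
# Added example (not from the question or either answer). The requester-side
# options are moved out of aws_vpc_peering_connection into a separate
# aws_vpc_peering_connection_options resource, so a later change or refresh of
# those options no longer taints the connection itself.

resource "aws_vpc_peering_connection" "a" {
  peer_owner_id = var.a.aws_account_id
  peer_vpc_id   = var.a.vpc_id
  vpc_id        = aws_vpc.main.id
  peer_region   = "eu-west-1"

  # No requester {} block here: the same setting is owned by the options
  # resource below, so the two resources do not fight over it.
}

# This account is the requester, so only the requester {} block is set here.
# Applying this resource fails while the peer account has not yet accepted
# (accept_status is still "pending-acceptance"); after acceptance a re-apply
# converges only this resource and leaves the connection in place.
resource "aws_vpc_peering_connection_options" "a" {
  vpc_peering_connection_id = aws_vpc_peering_connection.a.id

  requester {
    allow_remote_vpc_dns_resolution = false
  }
}
```

Until the other side accepts, expect the options apply to error out; the connection resource itself is created and should not be re-planned for replacement on the next run.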