Changing VPC peering parameters using aws_vpc_peering_connection_options resource fails #12113

Closed
roman8422 opened this issue Feb 21, 2020 · 6 comments · Fixed by #12126
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

@roman8422

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform -v
Terraform v0.12.21
+ provider.aws v2.50.0

Affected Resource(s)

  • aws_vpc_peering_connection_options

Terraform Configuration Files

provider "aws" {
  alias   = "foo"
  region  = "us-west-2"
}

provider "aws" {
  alias   = "bar"
  region  = "us-east-1"
}

resource "aws_vpc" "foo" {
  provider = aws.foo
  cidr_block = "10.1.0.0/16"
  enable_dns_support = true
  enable_dns_hostnames = true
}

resource "aws_vpc" "bar" {
  provider = aws.bar
  cidr_block = "10.2.0.0/16"
  enable_dns_support = true
  enable_dns_hostnames = true
}

resource "aws_vpc_peering_connection" "foo" {
  provider = aws.foo
  vpc_id        = aws_vpc.foo.id
  peer_vpc_id   = aws_vpc.bar.id
  peer_region   = "us-east-1"
}

resource "aws_vpc_peering_connection_accepter" "bar" {
  provider                  = aws.bar
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id
  auto_accept               = true
}

resource "aws_vpc_peering_connection_options" "requester_peering_options" {
  provider = aws.foo
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
  provider = aws.bar
  vpc_peering_connection_id = aws_vpc_peering_connection.foo.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}

Steps to Reproduce

  1. Apply the configuration above twice. First apply fails with the error below. It sucks but not what this issue is about.

terraform apply

Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: OperationNotPermitted: Peering pcx-0c6974c762554784d is not active. Peering options can be added only to active peerings.
status code: 400, request id: 458c070b-3126-45fc-9897-5e0e512ffb81

on file.tf line 47, in resource "aws_vpc_peering_connection_options" "accepter_peering_options":
47: resource "aws_vpc_peering_connection_options" "accepter_peering_options" {

terraform apply

  2. Set allow_remote_vpc_dns_resolution = false for either requester or accepter and get the following error:

Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region
status code: 400, request id: 06187670-310d-47f3-aa85-b3ea6361e9b6

on file.tf line 47, in resource "aws_vpc_peering_connection_options" "accepter_peering_options":
47: resource "aws_vpc_peering_connection_options" "accepter_peering_options" {

Expected Behavior

allow_remote_vpc_dns_resolution should be set to false

Actual Behavior

Apply fails with the error:

Error: error modifying VPC Peering Connection (pcx-0c6974c762554784d) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Feb 21, 2020
@roman8422 roman8422 changed the title Changing VPN peering parameters using aws_vpc_peering_connection_options resource fails Changing VPC peering parameters using aws_vpc_peering_connection_options resource fails Feb 21, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 21, 2020
@ewbankkit
Contributor

@roman8422 For 1 - Peering options can be added only to active peerings - you can set the aws_vpc_peering_connection_options resources to depend on the aws_vpc_peering_connection_accepter resource so that the peering connection is accepted before the options are set.
e.g.

// Requester's side of the connection.
resource "aws_vpc_peering_connection_options" "requester_peering_options" {
  provider = "aws.foo"

  # As options can't be set until the connection has been accepted
  # create an explicit dependency on the accepter.
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.bar.id

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

// Accepter's side of the connection.
resource "aws_vpc_peering_connection_options" "accepter_peering_options" {
  provider = "aws.bar"

  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.bar.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}

For 2 - Requester’s VPC Peering connection options cannot be modified for a different region - I get the same error with a modified acceptance test:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount -timeout 120m
=== RUN   TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
=== PAUSE TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
=== CONT  TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount
--- FAIL: TestAccAWSVpcPeeringConnectionOptions_differentRegionSameAccount (61.60s)
    testing.go:654: Step 2 error: errors during apply:
        
        Error: error modifying VPC Peering Connection (pcx-0383b7f8bd47fb8c1) Options: InvalidParameterValue: Accepter’s VPC Peering connection options cannot be modified for a different region
        	status code: 400, request id: 112635d8-bb0a-4f56-92e8-04fb4b9a25d5
        
          on /tmp/tf-test594142281/main.tf line 48:
          (source code not available)
        
        
        
        Error: error modifying VPC Peering Connection (pcx-0383b7f8bd47fb8c1) Options: InvalidParameterValue: Requester’s VPC Peering connection options cannot be modified for a different region
        	status code: 400, request id: d26074cb-6910-4d10-bee9-7728aa539366
        
          on /tmp/tf-test594142281/main.tf line 59:
          (source code not available)
        
        
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	61.700s
FAIL
GNUmakefile:25: recipe for target 'testacc' failed
make: *** [testacc] Error 1

According to the documentation this should be possible.
I'll investigate.

@ewbankkit
Contributor

I see the problem - VPC peering connection option updates are being submitted for both accepter and requester on both sides. I'll fix and submit a PR.
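
A model of the behaviour described in the comment above, as an added example; it is not the provider's code or the merged fix. The types, the function names and the `modify` stand-in for the EC2 call are hypothetical, and the rejection rule is inferred only from the two error messages quoted in this issue.

```go
package main

import (
	"errors"
	"fmt"
)

// PeeringOptions models one side's options block (hypothetical type).
type PeeringOptions struct{ AllowRemoteVpcDnsResolution bool }

// ModifyRequest models one options update; a nil side is left out of the call.
type ModifyRequest struct{ Requester, Accepter *PeeringOptions }

// Peering records which region owns each side of the connection.
type Peering struct{ RequesterRegion, AccepterRegion string }

// modify stands in for the EC2 API (assumption): options for a side are
// rejected when the call arrives in a region other than that side's own.
func modify(p Peering, callRegion string, req ModifyRequest) error {
	if req.Requester != nil && callRegion != p.RequesterRegion {
		return errors.New("InvalidParameterValue: Requester's VPC Peering connection options cannot be modified for a different region")
	}
	if req.Accepter != nil && callRegion != p.AccepterRegion {
		return errors.New("InvalidParameterValue: Accepter's VPC Peering connection options cannot be modified for a different region")
	}
	return nil
}

// buildBoth reproduces the reported behaviour: both sides are always submitted.
func buildBoth(req, acc PeeringOptions) ModifyRequest {
	return ModifyRequest{Requester: &req, Accepter: &acc}
}

// buildLocal submits only the side(s) that live in the caller's region.
func buildLocal(p Peering, callRegion string, req, acc PeeringOptions) ModifyRequest {
	var out ModifyRequest
	if callRegion == p.RequesterRegion {
		out.Requester = &req
	}
	if callRegion == p.AccepterRegion {
		out.Accepter = &acc
	}
	return out
}

func main() {
	p := Peering{RequesterRegion: "us-west-2", AccepterRegion: "us-east-1"}
	on, off := PeeringOptions{true}, PeeringOptions{false}
	fmt.Println(modify(p, "us-east-1", buildBoth(on, off)))                      // rejected
	fmt.Println(modify(p, "us-east-1", buildLocal(p, "us-east-1", on, off)))     // <nil>
}
```
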

@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jul 29, 2020
@bflad bflad added the bug Addresses a defect in current functionality. label Oct 29, 2020
@bflad bflad added this to the v3.13.0 milestone Oct 29, 2020
@bflad
Contributor

bflad commented Oct 29, 2020

The above fix has been merged and will release with version 3.13.0 of the Terraform AWS Provider, likely tomorrow. Thanks to @ewbankkit for the implementation. 👍

@ghost

ghost commented Oct 29, 2020

This has been released in version 3.13.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 28, 2020