Hi folks, I running into trouble when peer connecting cross-account VPCs. It shows VPC in another account cannot be found. Please advice.

connection_id = ec2.VpcPeeringConnection(
            f"vpcPeering-{loca_vpc}->{remote_vpc}",
            opts=pulumi.ResourceOptions(provider=local_provider),
            vpc_id=local_vpc.id,
            peer_vpc_id=remote_vpc_id,
            peer_owner_id=local_account_id,
            auto_accept=False,
)

and the error is

The vpc ID 'vpc-remote' does not exist

What are you using as the ID? It should be the ID of a VPC object. Have you used Vpc.get() or similar to load the VPC object?

Hi @little-cartoon-10569 for the local_vpc, I created this vpc in the same .py file. For the remote vpc, I exported the vpc ID and refered it in this .py file to get its ID.

Are you creating them in the same project and stack? And are you destroying all resources after every failed

up

? If not, you'll have a very hard time figuring out the issue. VPC peering is a hand-shake-y process, and (I think) you're trying to create code to support that hand shaking. If you're running

up

which creates some resources then fails, your next

up

is potentially starting part-way through the hand shake. So you may think you've fixed a problem, but actually something in AWS changed state, and you're just avoiding the problem.

Hi @little-cartoon-10569, the two VPCs are in two aws accounts and from different stack. And I did remove all resources (by

pulumi up

with the early version of my Pulumi code). For your third question, the vpc-remote is from another stack, I use pulumi.export to firstly export it, and then refer it in _local-vpc_'s stack. cc: @rich-whale-93740

So the string really says vpc-remote? If it does, then you're either exporting the wrong thing, or importing the wrong thing. Because that's the wrong value. It's not a VPC ID.

With pure

ec2.VpcPeeringConnection

, I can actually create a peering-connection from local_vpc to remote_vpc, but it needs me to click 'accept peering' in remote_vpc's console. That's why I introduced

VpcPeeringConnectionAccepter

and tried to make it in full-auto. The

VpcPeeringConnectionAccepter

suppose to 'adopt' the peering connection (for

VpcPeeringConnection

, it creates peering connection on both local_vpc and remote_vpc) on the remote_vpc side, but strangely, it gave me the 'peering connection already exists' error I illustrated before .

Ah ok, then that's fine, that's a valid VPC id.

And the accepter's error is like this:

So the only problem now is that you're not referring to the remote VPC id correctly? Or maybe you're creating some resource(s) in the wrong AWS account?

For the remote vpc not found issue, I worked around by change the

peer_owner_id

to the remote_vpc's account id.

Yes, that's not a workaround, that's the correct solution

But for the accepter, I have 'The vpc peering connection identified by pcx-0c63ab4afee3f2800 already exists' error as illustrated above.

Yes. That's because the accepter object is like an ACM certificate validation: it's not a real object, it's Pulumi's way of recording that it has taken an action.

OK, so I need to delete both

VpcPeeringConnection

and

VpcPeeringConnectionAccepter

, or the entire stack?

I can't tell. I think, based on the error messages, that you don't need to delete any Pulumi resources, only the AWS accepter, via the Console

OK, I'm trying this now. Thanks @little-cartoon-10569, will update you once it's done.

Bum. This is likely because it's not a real resource, or somesuch. Without access to the system, it's very difficult to debug. I would delete the connection from AWS (not using Pulumi), and then deal with the fall-out.

Yes, I've deleted everything related to the peering connection from both AWS and Pulumi (except the VPCs), but still got this issue.

Have you checked both accounts?

Yes, both accounts

Then I guess that the thing you're doing is creating the connection a 2nd time in your code.

Seems like the VpcPeeringConnectionAccepter cannot

adopt

the existing peering connection request. Instead, it tries to create one, so it throws 'already exist' error

Maybe. It can work though. I set up peering in one of my projects.

I use

opts=pulumi.ResourceOptions(provider=self._provider)

and

opts=pulumi.ResourceOptions(provider=peer_provider)

to separates the operations on two accounts, where self._provider is for the local vpc whereas the peer_provider is for the remote one

Yep. I'm just wondering if the wrong provider is being used once.

Well, let me attach the code here for your inspection

You can use Text Snippet for collapsible text bits. Better than backticks

Sure.

local_

prefix indicates things in Account A, while

remote_

in Account B:

connection_id = ec2.VpcPeeringConnection(
            "vpcPeering-local-to-remote",
            opts=pulumi.ResourceOptions(provider=local_provider),
            vpc_id=local_vpc_id,
            peer_vpc_id=remote_vpc_id,
            peer_owner_id=remote_account_id,
            auto_accept=False,
            tags={
               ...
            },
        ).id

        ec2.VpcPeeringConnectionAccepter(
            "peer-accepter-in-remote-vpc-account",
            vpc_peering_connection_id=connection_id,
            auto_accept=True,
            tags={
                ...
            },
            opts=pulumi.ResourceOptions(provider=remote_provider),
        )

That looks exactly the same as my code. Except, y'know, Python.

😂

When you see the error message, is it for an existing (old) connection? Maybe note all the existing connections (the ones marked deleted), delete everything you think you ought to, and run it again? If the error message complains about an already-deleted connection, then that's a problem.

Let me check how to purge those deleted connections in AWS

I don't work for Pulumi 🙂 I'd imagine this is unrelated to Pulumi and it's an AWS feature. Would need to trawl the docs though.