Is there a way I can make a cross-account VPC peer...
# aws
r
Is there a way I can make a cross-account VPC peering connection (as the requester) and have it succeed? Whenever I create one, it fails because the accepter needs to accept the connection. Is there a way I can bypass this so my pulumi run does not fail?
aws:ec2:VpcPeeringConnection (0000000-vpc-000000000):
    error:   sdk-v2/provider2.go:520: sdk.helper_schema: Unable to modify EC2 VPC Peering Connection Options. EC2 VPC Peering Connection (pcx-0000000000000) is not active (current status: pending-acceptance). Please set the `auto_accept` attribute to `true` or activate the EC2 VPC Peering Connection manually.: provider=aws@6.56.1
    error: 1 error occurred:
    	* Unable to modify EC2 VPC Peering Connection Options. EC2 VPC Peering Connection (pcx-00000000000) is not active (current status: pending-acceptance). Please set the `auto_accept` attribute to `true` or activate the EC2 VPC Peering Connection manually.
s
@rough-ice-18151 funny, i'm actually working on the same exact thing right now
but that's a weird error. what are you trying to change about the peering connection?
r
I’m just creating the connection, not modifying it
s
could you share the (sanitized) args you're passing in?
r
var conn *ec2.VpcPeeringConnection
if conn, err = ec2.NewVpcPeeringConnection(ctx, fmt.Sprintf("%s-%s", peer.AccountId, peer.VpcId), &ec2.VpcPeeringConnectionArgs{
	VpcId:       vpc.ID(),
	PeerVpcId:   pulumi.String(peer.VpcId),
	PeerOwnerId: pulumi.String(peer.AccountId),
	AutoAccept:  pulumi.BoolPtr(false),
	Requester: ec2.VpcPeeringConnectionRequesterArgs{
		AllowRemoteVpcDnsResolution: pulumi.BoolPtr(true),
	},
	Tags: pulumi.ToStringMap(vpcOpts.Tags),
}, pulumi.Parent(&componentResource)); err != nil {
	return nil, err
}
For testing purposes, both vpcs are in the same account. I’m not sure if this makes a difference at all
s
ah, i think it actually does. if they're the same account and same region, you use autoaccept and not the peer* arguments
const peeringConnectionArgs = {
  vpcId: source.vpcId,
  peerVpcId: target.vpcId,
  ...(region === peerRegion && accountId === peerOwnerId
    ? { autoAccept: true }
    : { peerOwnerId, peerRegion }),
}
r
I see… I’ll have to test this against a separate account and see if I get the same error
s
also FYI, i had no idea that same account but cross region requests can't be autoAccepted either. so you effectively treat them the same way as cross account
which also means you need to throw another provider into the mix
r
I’m only pulumi-ing 1 end of the connection
At least for now 🙂
s
ah, gotcha
r
I’m trying to avoid customers running pulumi code right now, trying to keep it in-house since the project I’m working on is very early stage
I’ll give it a go cross-region first, then try cross-account and see if it succeeds
s
i'm working on a module that does some crazy stuff under the hood for this sort of thing. you can pass it an arbitrary number of VPCs you want created (in the same account, but any regions) as well as other VPCs you want to peer with. it spins up the VPCs and then creates a full mesh peering. the fun bit is i need to create a provider for each account-region pair and then pass stuff back and forth. like i'll createPeeringConnection in one provider, then pass that to another provider to acceptPeeringConnection
r
that sounds really cool! I’m loving what pulumi can do as a recent terraform convert
s
yea, it's been a trip. we're hoping to open source it 🤞
this is what our config looks like
config:
  aws:region: us-east-1
  networking:vpcs:
    - name: foo
      region: us-east-1
      cidrBlock: 10.100.0.0/16
    - name: bar
      cidrBlock: 10.200.0.0/16
      region: eu-central-2
  networking:peering-connections:
    - name: Primary
      cidrBlock: 10.25.0.0/16
      region: us-east-1
      vpcId: vpc-XXXXXXX
    - name: Ops
      cidrBlock: 10.0.0.0/16
      region: us-east-1
      vpcId: vpc-YYYYYY
      accountId: 1234456
so for that cross account peering to Ops, it just makes the request and sets up routes, but we need to accept it elsewhere