Why do I get a permission error when trying to auto_accept a VPC peering in Terraform?

I am trying to create a VPC peering between accounts and auto-accept it, but it fails with a permission error.

Here is the provider in main.tf:
provider "aws" {
  region                   = "${var.region}"
  shared_credentials_file  = "/Users/<username>/.aws/credentials"
  profile                  = "sandbox"
}
data "aws_caller_identity" "current" { }
Here is the vpc_peer module:
resource "aws_vpc_peering_connection" "peer" {
  peer_owner_id = "${var.peer_owner_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  vpc_id        = "${var.vpc_id}"
  auto_accept   = "${var.auto_accept}"
  accepter {
    allow_remote_vpc_dns_resolution = true
  }
  requester {
    allow_remote_vpc_dns_resolution = true
  }
  tags {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
  }
}

Here is the module invocation in main.tf:
module "peering" {
  source = "../modules/vpc_peer"
  region        = "${var.region}"
  peer_owner_id = "<management account number>"
  peer_vpc_id   = "<vpc-********>"
  vpc_id        = "${module.network.vpc_id}"
  auto_accept   = "true"
}

Now, the IAM user I am using from the "sandbox" provider has permission to peer VPCs with the VPC in the management account.

I followed these steps from AWS: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Unfortunately, I keep failing with the following error:

1 error(s) occurred:
* aws_vpc_peering_connection.peer: Unable to accept VPC Peering Connection: OperationNotPermitted: User 651267440910 cannot accept peering pcx-f9c55290
    status code: 400, request id: cfbe1163-241e-413b-a8de-d2bca19726e5

Any ideas?

I successfully ran a local_exec that accepts the peering.

Here is an example:

resource "aws_vpc_peering_connection" "peer" {
  peer_owner_id = "${var.peer_owner_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  vpc_id        = "${var.vpc_id}"
  # Accept the request from the other account once the resource exists.
  # Inside a provisioner the resource's own attributes are reached through
  # "self"; referencing aws_vpc_peering_connection.peer here would be a cycle.
  # var.profile must name a CLI profile holding credentials for the accepter
  # (peer owner) account, not the requester's profile.
  provisioner "local-exec" {
    command = "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id=${self.id} --region=${var.region} --profile=${var.profile}"
  }
  tags {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
  }
}

The latest documentation example works fine for me (cross-account use).

The other answers did not work.

Example:

provider "aws" {
  alias = "requester"
  # Requester's credentials.
}
provider "aws" {
  alias = "accepter"
  # Accepter's credentials.
}
resource "aws_vpc" "main" {
  provider = aws.requester
  cidr_block = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}
resource "aws_vpc" "peer" {
  provider = aws.accepter
  cidr_block = "10.1.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}
data "aws_caller_identity" "peer" {
  provider = aws.accepter
}
# Requester's side of the connection.
resource "aws_vpc_peering_connection" "peer" {
  provider = aws.requester
  vpc_id        = aws_vpc.main.id
  peer_vpc_id   = aws_vpc.peer.id
  peer_owner_id = data.aws_caller_identity.peer.account_id
  auto_accept   = false
  tags = {
    Side = "Requester"
  }
}
# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true
  tags = {
    Side = "Accepter"
  }
}
resource "aws_vpc_peering_connection_options" "requester" {
  provider = aws.requester
  # As options can't be set until the connection has been accepted
  # create an explicit dependency on the accepter.
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id
  requester {
    allow_remote_vpc_dns_resolution = true
  }
}
resource "aws_vpc_peering_connection_options" "accepter" {
  provider = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.id
  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}

The auto_accept argument in Terraform can only be used with VPCs in the same account. From the documentation:

auto_accept - (Optional) Accept the peering (both VPCs need to be in the same AWS account).

If the two VPCs are not in the same AWS account, do not enable the auto_accept attribute. You will still have to accept the VPC peering connection request using the AWS Management Console, the AWS CLI, an SDK, etc.

So you just create the peering connection on this side in Terraform without auto_accept, then accept it in the target account either manually or programmatically. Some programmatic options:

  • AWS CLI: accept-vpc-peering-connection

  • AWS API: AcceptVpcPeeringConnection

The AWS SDK for your language of choice should have a matching method as well.

For peering within the same region, whether with the same account or different accounts, both sides need to accept the VPC peering connection before one VPC can reach the other.
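The programmatic accept step the answers above describe, as an added example that is not from the question or any answer: run from the accepter account with boto3, it accepts only the pending request whose requester account and VPC pair match what the Terraform requester side created, so a stray peering request from some other account is never accepted by mistake. All account and VPC ids are constructed, and the "management" profile name is an assumption.

```python
# Added example, not from the question or answers: accept a cross-account
# peering request from the ACCEPTER account via boto3, but only the one the
# requester side is known to have created. All ids below are constructed.
from typing import Dict, List, Optional

PENDING = "pending-acceptance"

# Constructed sample of a describe_vpc_peering_connections response: the request
# our Terraform run created, plus an unrelated request from an unknown account.
SAMPLE_CONNECTIONS: List[Dict] = [
    {"VpcPeeringConnectionId": "pcx-0aaa111", "Status": {"Code": PENDING},
     "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-sandbox1"},
     "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-mgmt1"}},
    {"VpcPeeringConnectionId": "pcx-0bbb222", "Status": {"Code": PENDING},
     "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-unknown"},
     "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-mgmt1"}},
]


def select_expected_request(connections: List[Dict], requester_account: str,
                            requester_vpc: str, accepter_vpc: str) -> Optional[str]:
    """Return the id of the single pending request matching the requester account
    and VPC pair configured in Terraform, else None. Requests from any other
    account are left pending on purpose rather than blindly accepted."""
    matches = [
        c["VpcPeeringConnectionId"] for c in connections
        if c["Status"]["Code"] == PENDING
        and c["RequesterVpcInfo"]["OwnerId"] == requester_account
        and c["RequesterVpcInfo"]["VpcId"] == requester_vpc
        and c["AccepterVpcInfo"]["VpcId"] == accepter_vpc
    ]
    return matches[0] if len(matches) == 1 else None


def accept_expected(ec2, requester_account: str, requester_vpc: str,
                    accepter_vpc: str) -> Optional[str]:
    """ec2 is a boto3 EC2 client built from the accepter account's credentials,
    e.g. boto3.Session(profile_name="management").client("ec2") (assumed profile
    name). Returns the accepted pcx id, or None when nothing matched."""
    resp = ec2.describe_vpc_peering_connections(Filters=[
        {"Name": "status-code", "Values": [PENDING]},
        {"Name": "accepter-vpc-info.vpc-id", "Values": [accepter_vpc]},
    ])
    pcx_id = select_expected_request(resp["VpcPeeringConnections"],
                                     requester_account, requester_vpc, accepter_vpc)
    if pcx_id is not None:
        ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
    return pcx_id
```

The same check can be wired into the local-exec approach above by running this script instead of the bare `aws ec2 accept-vpc-peering-connection` call.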
