Why am I getting a permissions error when attempti

Published 2019-07-24 08:33

Question:

I am trying to create a VPC peering connection between accounts and auto-accept it, but it fails with a permissions error.

Here are the providers in main.tf:

provider "aws" {
  region                   = "${var.region}"
  shared_credentials_file  = "/Users/<username>/.aws/credentials"
  profile                  = "sandbox"
}

data "aws_caller_identity" "current" { }

Here is the vpc_peer module:

resource "aws_vpc_peering_connection" "peer" {
  peer_owner_id = "${var.peer_owner_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  vpc_id        = "${var.vpc_id}"
  auto_accept   = "${var.auto_accept}"

  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  requester {
    allow_remote_vpc_dns_resolution = true
  }

  tags {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
  }
}

Here is the module execution in main.tf:

module "peering" {
  source = "../modules/vpc_peer"

  region        = "${var.region}"
  peer_owner_id = "<management account number>"
  peer_vpc_id   = "<vpc-********>"
  vpc_id        = "${module.network.vpc_id}"
  auto_accept   = "true"
}

Now, the IAM user I am using from the "sandbox" provider has permissions for VPC peering on the VPC that is in the management account.

I used the following procedure from AWS: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Unfortunately I keep failing with the following error:

1 error(s) occurred:

* aws_vpc_peering_connection.peer: Unable to accept VPC Peering Connection: OperationNotPermitted: User 651267440910 cannot accept peering pcx-f9c55290
    status code: 400, request id: cfbe1163-241e-413b-a8de-d2bca19726e5

Any ideas?

Answer 1:

I managed to run a local-exec provisioner which accepts the peer.

Here is an example:

resource "aws_vpc_peering_connection" "peer" {
  peer_owner_id = "${var.peer_owner_id}"
  peer_vpc_id   = "${var.peer_vpc_id}"
  vpc_id        = "${var.vpc_id}"

  provisioner "local-exec" {
    command = "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id=${aws_vpc_peering_connection.peer.id} --region=${var.region} --profile=${var.profile}"
  }

  tags {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
  }
}


Answer 2:

The auto_accept argument in Terraform can only be used on VPCs in the same account. From the documentation:

auto_accept - (Optional) Accept the peering (both VPCs need to be in the same AWS account).

...

If both VPCs are not in the same AWS account do not enable the auto_accept attribute. You will still have to accept the VPC Peering Connection request manually using the AWS Management Console, AWS CLI, through SDKs, etc.

So you'll just need to make the peering connection on this side in Terraform without auto_accept, and then manually or programmatically accept it in the target account. Some programmatic options:

  • AWS CLI: accept-vpc-peering-connection

  • AWS API: AcceptVpcPeeringConnection

The AWS SDK in your language of choice should have a matching method for this, as well.
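As an added example (not code from the question or either answer), the way Terraform itself models the cross-account case: a second provider that assumes a role in the management account, and the aws_vpc_peering_connection_accepter resource, which accepts the request with that account's credentials instead of a local-exec shell-out. It uses Terraform 0.12+ syntax; the role ARN is a placeholder, and var.region, var.vpc_id and var.peer_vpc_id are assumed to be declared as in the question.

```hcl
# Requester side: the sandbox account that creates the request.
provider "aws" {
  alias   = "requester"
  region  = var.region
  profile = "sandbox"
}

# Accepter side: assume a role in the management account. The ARN is a
# placeholder; scope the role to ec2:AcceptVpcPeeringConnection (and the
# Describe calls) on the management VPC rather than granting broad EC2 rights.
provider "aws" {
  alias  = "accepter"
  region = var.region
  assume_role {
    role_arn = "arn:aws:iam::<management account number>:role/<peering-accept-role>"
  }
}

data "aws_caller_identity" "peer" {
  provider = aws.accepter
}

# Create the request from the sandbox VPC. auto_accept stays false across accounts.
resource "aws_vpc_peering_connection" "peer" {
  provider      = aws.requester
  vpc_id        = var.vpc_id
  peer_vpc_id   = var.peer_vpc_id
  peer_owner_id = data.aws_caller_identity.peer.account_id
  auto_accept   = false

  tags = {
    Name = "VPC Peering between ${var.peer_vpc_id} and ${var.vpc_id}"
    Side = "Requester"
  }
}

# Accept the request with the management-account role, in the same apply.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}
```

The allow_remote_vpc_dns_resolution settings the question puts inline belong in aws_vpc_peering_connection_options resources (one per provider) that reference aws_vpc_peering_connection_accepter.peer.id, because those options can only be set once the connection is active.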



Answer 3:

VPC peering happens within the same region, with the same account or a different account. On both sides the VPC peering needs to be accepted in order to access one VPC from the other.