tedilabs · posquit0 · Dec 2, 2023 · Dec 2, 2023
@@ -61,6 +61,7 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
 
 ### VPC Peering
 
+- [vpc-peering-cross-region](./examples/vpc-peering-cross-region)
 - [vpc-peering-requester-and-accepter-cross-region](./examples/vpc-peering-requester-and-accepter-cross-region)
 
 ### VPC PrivateLink

@@ -0,0 +1,78 @@
+provider "aws" {
+  alias = "use1"
+
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias = "apne2"
+
+  region = "ap-northeast-2"
+}
+
+resource "aws_vpc" "use1" {
+  provider = aws.use1
+
+  cidr_block = "10.1.0.0/16"
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    "Name" = "use1"
+  }
+}
+
+resource "aws_vpc" "apne2" {
+  provider = aws.apne2
+
+  cidr_block = "10.2.0.0/16"
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    "Name" = "apne2"
+  }
+}
+
+
+###################################################
+# VPC Peering
+###################################################
+
+module "peering" {
+  source = "../../modules/vpc-peering"
+  # source  = "tedilabs/vpc-connectivity/aws//modules/vpc-peering"
+  # version = "~> 0.2.0"
+
+  providers = {
+    aws.requester = aws.use1
+    aws.accepter  = aws.apne2
+  }
+
+  name = "use1/apne2"
+
+
+  ## Requester
+  requester_vpc = {
+    id = aws_vpc.use1.id
+  }
+  requester_options = {
+    allow_remote_vpc_dns_resolution = true
+  }
+
+
+  ## Acccepter
+  accepter_vpc = {
+    id = aws_vpc.apne2.id
+  }
+  accepter_options = {
+    allow_remote_vpc_dns_resolution = true
+  }
+
+
+  tags = {
+    "project" = "terraform-aws-vpc-connectivity-examples"
+  }
+}
@@ -0,0 +1,4 @@
+output "peering" {
+  description = "The VPC Peering Connection."
+  value       = module.peering
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
@@ -51,6 +51,7 @@ This module creates following resources.
 | Name | Description |
 |------|-------------|
 | <a name="output_accepter_vpc"></a> [accepter\_vpc](#output\_accepter\_vpc) | The accepter information including AWS Account ID, Region, VPC ID. |
+| <a name="output_allow_remote_vpc_dns_resolution"></a> [allow\_remote\_vpc\_dns\_resolution](#output\_allow\_remote\_vpc\_dns\_resolution) | Whether to allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the VPC Peering Connection. |
 | <a name="output_name"></a> [name](#output\_name) | The VPC Peering name. |
 | <a name="output_requester_vpc"></a> [requester\_vpc](#output\_requester\_vpc) | The requester information including AWS Account ID, Region, VPC ID. |

@@ -22,3 +22,8 @@ output "accepter_vpc" {
   description = "The accepter information including AWS Account ID, Region, VPC ID."
   value       = local.accepter_vpc
 }
+
+output "allow_remote_vpc_dns_resolution" {
+  description = "Whether to allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC."
+  value       = var.allow_remote_vpc_dns_resolution
+}
@@ -54,7 +54,7 @@ This module creates following resources.
 | Name | Description |
 |------|-------------|
 | <a name="output_accepter_vpc"></a> [accepter\_vpc](#output\_accepter\_vpc) | The accepter information including AWS Account ID, Region, VPC ID. |
-| <a name="output_allow_remote_vpc_dns_resolution"></a> [allow\_remote\_vpc\_dns\_resolution](#output\_allow\_remote\_vpc\_dns\_resolution) | Whether to allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. |
+| <a name="output_allow_remote_vpc_dns_resolution"></a> [allow\_remote\_vpc\_dns\_resolution](#output\_allow\_remote\_vpc\_dns\_resolution) | Whether to allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the VPC Peering Connection. |
 | <a name="output_name"></a> [name](#output\_name) | The VPC Peering name. |
 | <a name="output_requester_vpc"></a> [requester\_vpc](#output\_requester\_vpc) | The requester information including AWS Account ID, Region, VPC ID. |

@@ -34,6 +34,6 @@ output "accepter_vpc" {
 }
 
 output "allow_remote_vpc_dns_resolution" {
-  description = "Whether to allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC."
+  description = "Whether to allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC."
   value       = var.allow_remote_vpc_dns_resolution
 }
@@ -3,6 +3,8 @@
 This module creates following resources.
 
 - `aws_vpc_peering_connection`
+- `aws_vpc_peering_connection_accepter`
+- `aws_vpc_peering_connection_options`
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -16,7 +18,9 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.22.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.29.0 |
+| <a name="provider_aws.accepter"></a> [aws.accepter](#provider\_aws.accepter) | 5.29.0 |
+| <a name="provider_aws.requester"></a> [aws.requester](#provider\_aws.requester) | 5.29.0 |
 
 ## Modules
 
@@ -29,21 +33,25 @@ This module creates following resources.
 | Name | Type |
 |------|------|
 | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource |
-| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_vpc.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
-| [aws_vpc.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc_peering_connection_accepter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_accepter) | resource |
+| [aws_vpc_peering_connection_options.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource |
+| [aws_vpc_peering_connection_options.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource |
+| [aws_caller_identity.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_region.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_peering_connection) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_accepter_vpc_id"></a> [accepter\_vpc\_id](#input\_accepter\_vpc\_id) | (Required) The ID of the VPC with which you are creating the VPC Peering Connection. | `string` | n/a | yes |
+| <a name="input_accepter_vpc"></a> [accepter\_vpc](#input\_accepter\_vpc) | (Required) The configuration of the accepter VPC. `accepter_vpc` as defined below.<br>    (Required) `id` - The ID of the VPC with which you are creating the VPC Peering Connection.<br>  account. | <pre>object({<br>    id = string<br>  })</pre> | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | (Required) Desired name for the VPC Peering resources. | `string` | n/a | yes |
-| <a name="input_requester_vpc_id"></a> [requester\_vpc\_id](#input\_requester\_vpc\_id) | (Required) The ID of the requester VPC. | `string` | n/a | yes |
-| <a name="input_accepter_allow_remote_vpc_dns_resolution"></a> [accepter\_allow\_remote\_vpc\_dns\_resolution](#input\_accepter\_allow\_remote\_vpc\_dns\_resolution) | (Optional) Allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. This is not supported for inter-region VPC peering. | `bool` | `false` | no |
+| <a name="input_requester_vpc"></a> [requester\_vpc](#input\_requester\_vpc) | (Required) The configuration of the requester VPC. `requester_vpc` as defined below.<br>    (Required) `id` - The ID of the requester VPC.<br>  account. | <pre>object({<br>    id = string<br>  })</pre> | n/a | yes |
+| <a name="input_accepter_options"></a> [accepter\_options](#input\_accepter\_options) | (Optional) The accepter options of the VPC Peering Connection. `accepter_options` as defined below.<br>    (Optional) `allow_remote_vpc_dns_resolution` - Whether to allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. Defaults to `false`.<br>  account. | <pre>object({<br>    allow_remote_vpc_dns_resolution = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_requester_allow_remote_vpc_dns_resolution"></a> [requester\_allow\_remote\_vpc\_dns\_resolution](#input\_requester\_allow\_remote\_vpc\_dns\_resolution) | (Optional) Allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. This is not supported for inter-region VPC peering. | `bool` | `false` | no |
+| <a name="input_requester_options"></a> [requester\_options](#input\_requester\_options) | (Optional) The requester options of the VPC Peering Connection. `requester_options` as defined below.<br>    (Optional) `allow_remote_vpc_dns_resolution` - Whether to allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. Defaults to `false`.<br>  account. | <pre>object({<br>    allow_remote_vpc_dns_resolution = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
@@ -53,9 +61,11 @@ This module creates following resources.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_accepter"></a> [accepter](#output\_accepter) | The accepter information including AWS Account ID, Region, VPC ID. |
+| <a name="output_accepter_options"></a> [accepter\_options](#output\_accepter\_options) | The accepter options of the VPC Peering Connection. |
+| <a name="output_accepter_vpc"></a> [accepter\_vpc](#output\_accepter\_vpc) | The accepter information including AWS Account ID, Region, VPC ID. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the VPC Peering Connection. |
 | <a name="output_name"></a> [name](#output\_name) | The VPC Peering name. |
-| <a name="output_requester"></a> [requester](#output\_requester) | The requester information including AWS Account ID, Region, VPC ID. |
+| <a name="output_requester_options"></a> [requester\_options](#output\_requester\_options) | The requester options of the VPC Peering Connection. |
+| <a name="output_requester_vpc"></a> [requester\_vpc](#output\_requester\_vpc) | The requester information including AWS Account ID, Region, VPC ID. |
 | <a name="output_status"></a> [status](#output\_status) | The status of the VPC Peering Connection request. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -14,59 +14,92 @@ locals {
   } : {}
 }
 
-data "aws_caller_identity" "this" {}
-data "aws_region" "this" {}
+provider "aws" {
+  alias = "requester"
+}
+
+provider "aws" {
+  alias = "accepter"
+}
+
+data "aws_caller_identity" "requester" {
+  provider = aws.accepter
+}
 
-data "aws_vpc" "requester" {
-  id = var.requester_vpc_id
+data "aws_caller_identity" "accepter" {
+  provider = aws.accepter
 }
 
-data "aws_vpc" "accepter" {
-  id = var.accepter_vpc_id
+data "aws_region" "requester" {
+  provider = aws.accepter
+}
+
+data "aws_region" "accepter" {
+  provider = aws.accepter
 }
 
 locals {
-  requester = {
-    account_id = data.aws_caller_identity.this.account_id
-    region     = data.aws_region.this.name
-    vpc_id     = var.requester_vpc_id
-    cidr_block = data.aws_vpc.requester.cidr_block
-    secondary_cidr_blocks = [
-      for association in data.aws_vpc.requester.cidr_block_associations :
-      association.cidr_block
-      if association.cidr_block != data.aws_vpc.requester.cidr_block
-    ]
+  requester_vpc = {
+    id      = var.requester_vpc.id
+    region  = data.aws_region.requester.name
+    account = data.aws_caller_identity.requester.account_id
   }
-  accepter = {
-    account_id = data.aws_caller_identity.this.account_id
-    region     = data.aws_region.this.name
-    vpc_id     = var.accepter_vpc_id
-    cidr_block = data.aws_vpc.accepter.cidr_block
-    secondary_cidr_blocks = [
-      for association in data.aws_vpc.accepter.cidr_block_associations :
-      association.cidr_block
-      if association.cidr_block != data.aws_vpc.accepter.cidr_block
-    ]
+  accepter_vpc = {
+    id      = var.accepter_vpc.id
+    region  = data.aws_region.accepter.name
+    account = data.aws_caller_identity.accepter.account_id
   }
 }
 
 
 ###################################################
-# VPC Peering
+# VPC Peering for Requester
 ###################################################
 
+# INFO: Not supported attributes
+# - `accepter`
+# - `requester`
 resource "aws_vpc_peering_connection" "this" {
-  vpc_id      = local.requester.vpc_id
-  peer_vpc_id = local.accepter.vpc_id
-  auto_accept = true
+  provider = aws.requester
+
+  vpc_id      = local.requester_vpc.id
+  auto_accept = false
+
+  peer_vpc_id   = local.accepter_vpc.id
+  peer_region   = local.accepter_vpc.region
+  peer_owner_id = local.accepter_vpc.account
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
+
+# INFO: Not supported attributes
+# - `accepter`
+resource "aws_vpc_peering_connection_options" "requester" {
+  provider = aws.requester
+
+  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
 
   requester {
-    allow_remote_vpc_dns_resolution = var.requester_allow_remote_vpc_dns_resolution
+    allow_remote_vpc_dns_resolution = var.requester_options.allow_remote_vpc_dns_resolution
   }
+}
 
-  accepter {
-    allow_remote_vpc_dns_resolution = var.accepter_allow_remote_vpc_dns_resolution
-  }
+
+###################################################
+# VPC Peering for Accepter
+###################################################
+
+resource "aws_vpc_peering_connection_accepter" "this" {
+  provider = aws.accepter
+
+  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
+  auto_accept               = true
 
   tags = merge(
     {
@@ -76,3 +109,19 @@ resource "aws_vpc_peering_connection" "this" {
     var.tags,
   )
 }
+
+# INFO: Not supported attributes
+# - `requester`
+resource "aws_vpc_peering_connection_options" "accepter" {
+  provider = aws.accepter
+
+  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
+
+  accepter {
+    allow_remote_vpc_dns_resolution = var.accepter_options.allow_remote_vpc_dns_resolution
+  }
+}
+
+data "aws_vpc_peering_connection" "this" {
+  id = aws_vpc_peering_connection_accepter.this.id
+}
@@ -10,15 +10,35 @@ output "id" {
 
 output "status" {
   description = "The status of the VPC Peering Connection request."
-  value       = aws_vpc_peering_connection.this.accept_status
+  value       = aws_vpc_peering_connection_accepter.this.accept_status
 }
 
-output "requester" {
+output "requester_vpc" {
   description = "The requester information including AWS Account ID, Region, VPC ID."
-  value       = local.requester
+  value = merge(local.requester_vpc, {
+    ipv4_cidrs = toset([
+      for cidr in data.aws_vpc_peering_connection.this.cidr_block_set :
+      cidr.cidr_block
+    ])
+  })
 }
 
-output "accepter" {
+output "requester_options" {
+  description = "The requester options of the VPC Peering Connection."
+  value       = var.requester_options
+}
+
+output "accepter_vpc" {
   description = "The accepter information including AWS Account ID, Region, VPC ID."
-  value       = local.accepter
+  value = merge(local.accepter_vpc, {
+    ipv4_cidrs = toset([
+      for cidr in data.aws_vpc_peering_connection.this.peer_cidr_block_set :
+      cidr.cidr_block
+    ])
+  })
+}
+
+output "accepter_options" {
+  description = "The accepter options of the VPC Peering Connection."
+  value       = var.accepter_options
 }