cloudposse / terraform-aws-vpc-peering-multi-account

Terraform module to provision a VPC peering across multiple VPCs in different accounts by using multiple providers
https://cloudposse.com/accelerate
Apache License 2.0
129 stars 92 forks

Order of Operations issue? #9

Closed msmagoo87 closed 5 years ago

msmagoo87 commented 5 years ago

Hey there, I am using your terraform-aws-vpc module in combination with this one to create and peer a VPC. I'm having what seems like it may be an order-of-operations issue? Here is my main.tf:

# Requester VPC, created in this same project
module "vpc" {
  source     = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=0.4.0"
  namespace  = "${var.namespace}"
  stage      = "${var.stage}"
  name       = "${var.app_name}"
  cidr_block = "${var.cidr_block}"
}

data "aws_availability_zones" "available" {}

# Subnets carved out of the VPC above (one per AZ)
module "dynamic_subnets" {
  source             = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=0.4.0"
  namespace          = "${var.namespace}"
  stage              = "${var.stage}"
  name               = "${var.app_name}"
  region             = "${var.region}"
  availability_zones = ["${data.aws_availability_zones.available.names}"]
  vpc_id             = "${module.vpc.vpc_id}"
  igw_id             = "${module.vpc.igw_id}"
  cidr_block         = "${var.cidr_block}"
}

# Cross-account peering: requester_vpc_id points at the VPC created above,
# which does not exist yet at plan time
module "vpc_peering" {
  source           = "git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=0.4.0"
  namespace        = "${var.namespace}"
  stage            = "${var.stage}"
  name             = "${var.app_name}"
  auto_accept      = true

  # Accepter side: pre-existing VPN VPC in another account, reached via assume-role
  accepter_aws_assume_role_arn             = "${var.vpn_account_arn}"
  accepter_region                          = "${var.vpn_region}"
  accepter_vpc_id                          = "${var.vpn_vpc_id}"
  accepter_allow_remote_vpc_dns_resolution = "true"

  # Requester side: this account's new VPC
  requester_aws_assume_role_arn             = "${var.account_arn}"
  requester_region                          = "${var.region}"
  requester_vpc_id                          = "${module.vpc.vpc_id}"
  requester_allow_remote_vpc_dns_resolution = "true"
}

When I run terraform plan I am getting the following error:

Error: Error refreshing state: 1 error(s) occurred:

* module.vpc_peering.data.aws_route_table.requester: data.aws_route_table.requester: value of 'count' cannot be computed

My only guess as to what could be happening here is that it's failing to get the route table data because the VPC does not yet exist? You'd think it would fail with an AWS error rather than an error on the counter, though. Hopefully someone might have some insight here.

I was able to get this working by splitting the peering into its own .tf file and running that after this one creates the VPC, passing forward the tfstate file. But ideally I'd like it all to share a tfstate file; otherwise, if I need to update this file, it will wipe out the peering connection configuration.

Thanks

aknysh commented 5 years ago

@msmagoo87 yes, the VPC has to be already created for the peering connection to succeed. We usually create the VPC and subnets in a different project (different TF folder), then do a data source lookup to find the VPC in the peering connection folder. Or, another way, if all the files are in one TF project, use terraform plan/apply --target .... to first create the VPC and subnets, and then terraform plan/apply to provision everything else.
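The "separate project" layout described in the reply, written out as an added example (this is not code from the issue or from the Cloud Posse module). It is a stand-alone Terraform folder with its own state, applied after the VPC project has been applied. It assumes the requester VPC was created by cloudposse/terraform-aws-vpc, which tags it `Name = "<namespace>-<stage>-<name>"`; the variable names mirror the ones in the issue but are declared here so the file is complete. Because `data "aws_vpc"` reads an existing resource rather than a module output, nothing in the peering module's `count` depends on a value that is still unknown at plan time.

```hcl
# Added example, separate Terraform folder ("peering" project).
# Precondition: the VPC project (module "vpc" in the issue) is already applied.

variable "namespace" {}
variable "stage" {}
variable "app_name" {}
variable "region" {}
variable "account_arn" {}      # role to assume in the requester account
variable "vpn_account_arn" {}  # role to assume in the accepter account
variable "vpn_region" {}
variable "vpn_vpc_id" {}       # accepter VPC already exists, so pass its ID directly

provider "aws" {
  region = "${var.region}"
}

# Look up the requester VPC by the Name tag the VPC module applied
# (assumption: terraform-aws-vpc tags it "<namespace>-<stage>-<name>").
# This data source errors if zero or more than one VPC matches, so a tag
# collision fails the plan instead of peering an unintended network.
data "aws_vpc" "requester" {
  filter {
    name   = "tag:Name"
    values = ["${var.namespace}-${var.stage}-${var.app_name}"]
  }
}

module "vpc_peering" {
  source      = "git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=0.4.0"
  namespace   = "${var.namespace}"
  stage       = "${var.stage}"
  name        = "${var.app_name}"
  auto_accept = true

  accepter_aws_assume_role_arn             = "${var.vpn_account_arn}"
  accepter_region                          = "${var.vpn_region}"
  accepter_vpc_id                          = "${var.vpn_vpc_id}"
  accepter_allow_remote_vpc_dns_resolution = "true"

  requester_aws_assume_role_arn             = "${var.account_arn}"
  requester_region                          = "${var.region}"
  requester_vpc_id                          = "${data.aws_vpc.requester.id}" # known at plan time
  requester_allow_remote_vpc_dns_resolution = "true"
}
```

If everything must stay in one project and one state file, the alternative in the reply is a two-pass apply: `terraform apply -target=module.vpc -target=module.dynamic_subnets` first, then a plain `terraform apply` for the rest. The `-target` pass is a one-time bootstrap; routine changes go through the untargeted apply.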

msmagoo87 commented 5 years ago

Ah ok, thanks for the confirmation!