[Bug]: aws_vpc_peering_connection_accepter not idempotent

[bss-dmitry-shmakov]

Terraform Core Version

v1.6.3

AWS Provider Version

v5.42.0

Affected Resource(s)

aws_vpc_peering_connection_accepter aws_vpc_peering_connection

Expected Behavior

aws_vpc_peering_connection_accepter should not do anything if the peering already exists and already was accepted, on all subsequent runs.

Actual Behavior

aws_vpc_peering_connection_accepter initiates changes despite no changes are needed

Relevant Error/Panic Output Snippet

the example on screenshot is every time I run apply over many resources which include also peerings and accepter

Terraform Configuration Files

required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" }

Steps to Reproduce

use peering and accepter like this:

resource "aws_vpc_peering_connection" "to-ireland-eks" {
  count         = var.aws_region == "eu-west-1" ? 0 : 1
  peer_vpc_id   = "vpc-xxxxxxxxxxxxx"
  vpc_id        = aws_vpc.k8s-vpc.id
  peer_region   = "eu-west-1"
  auto_accept = false
  tags = {
    Name = "${module.label.id}-to-ireland-eks"
  }
}

resource "aws_vpc_peering_connection_accepter" "to-vpn" {
  provider                  = aws.vpn_and_main_region
  vpc_peering_connection_id = "${aws_vpc_peering_connection.to-vpn.id}"
  auto_accept               = true
  depends_on = [
    aws_vpc_peering_connection.to-vpn
  ]
  tags = {
    Name = "from-vpn-to-${var.aws_region}"
    Side = "Accepted by terraform"
  }
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[o6uoq]

@bss-dmitry-shmakov is this related to https://github.com/hashicorp/terraform-provider-aws/issues/24677 and https://github.com/hashicorp/terraform-provider-aws/pull/36761 ?

[bss-dmitry-shmakov]

@bss-dmitry-shmakov is this related to #24677 and #36761 ?

no we don't use transit gateway and it's not a cross account issue. I suspect it is because peering connections are somewhere represented by unsorted array and the terraform finds a 'diff' to update something that doesn't need to be updated, because of the order is different when it reads them back after it created them. Although we have specific names to resources like resource "aws_vpc_peering_connection" "to-ireland-eks" so I don't think it should get confused which peering defined in our manifests is which one in aws... it seems to reshuffle their names every time we run, as if it wants to rename their tags to one another, for no reason. Also it tries to remove its own tag "Accepted by Terraform" all the time, despite tag is being created as part of the run.