Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VPCPeeringConnection: CfnVPCPeeringConnection tries to accept cross-account request #17383

Closed
luqmanulkhair opened this issue Nov 7, 2021 · 6 comments
Closed

VPCPeeringConnection: CfnVPCPeeringConnection tries to accept cross-account request #17383

luqmanulkhair opened this issue Nov 7, 2021 · 6 comments
Assignees
@rix0rrr
Labels
@aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@luqmanulkhair
Copy link

luqmanulkhair commented Nov 7, 2021
edited by ryparker
Loading

What is the problem?

I want to create a cross-account peering request and don't want to accept it immediately as the default behavior in UI and also awscli, however creating a peering connection using CfnVPCPeeringConnection, I get the error User cannot accept peering pcx-..... An example is given below.

Reproduction Steps

const connection = new CfnVPCPeeringConnection(
this, 
'xyzzy', 
{   
    peerOwnerId: '1234',
    peerVpcId: 'abc',
    vpcId: vpc.vpcId,
});

What did you expect to happen?

It should create a peering request instead of trying to accept it directly after creating it.

What actually happened?

It creates a peering request and tries to accept it. Since the role is not available and therefore it fails and gives this error.
User 'XYZ' cannot accept peering pcx-.

CDK CLI Version

1.130.0

Framework Version

No response

Node.js Version

v12.7.0

OS

macOS Catalina 10.15.6

Language

Typescript

Language Version

No response

Other information

No response
@luqmanulkhair luqmanulkhair added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 7, 2021
@github-actions github-actions bot added the @aws-cdk/core Related to core CDK functionality label Nov 7, 2021
@ryparker
Copy link
Contributor

ryparker commented Nov 8, 2021
edited
Loading

Hey @luqmanulkhair 👋🏻

CfnVPCPeeringConnection is an L1 construct which means that it is auto generated from the AWS::EC2::VPCPeeringConnection CloudFormation resource. This also means that there shouldn't be any CDK logic that overrides the defaults of CloudFormation.

Could you provide an example of how you're using awscli to achieve what you are expecting?

@ryparker ryparker added effort/small Small work item – less than a day of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 8, 2021
@luqmanulkhair
Copy link
Author

luqmanulkhair commented Nov 9, 2021
edited
Loading

@ryparker i used create-vpc-peering-connection which works perfectly fine but this L1 construct doesn't work.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 9, 2021
@ryparker
Copy link
Contributor

ryparker commented Nov 9, 2021

It creates a peering request and tries to accept it. Since the role is not available and therefore it fails and gives this error.
User 'XYZ' cannot accept peering pcx-.

Have you tried using CfnVpcPeeringConnection.addDependsOn() to guarantee that the role is created before it attempts the connection?

@ryparker ryparker added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 9, 2021
@luqmanulkhair
Copy link
Author

luqmanulkhair commented Nov 9, 2021
edited
Loading

@ryparker I don't understand what should I write in dependsOn(), To me seems like it wants the role from another VPC and I don't have access to it (Cross-Account). I only want to create a pending connection. Even the connection request is created but then it is rolled-back. Why isn't it working the way create-vpc-peering-connection is working?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 10, 2021
@rix0rrr
Copy link
Contributor

rix0rrr commented Nov 22, 2021

Looking at the documentation here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html

Are you not missing peerRoleArn ?

We cannot really help you any more than that. VPC Peering has not been implemented in the hand-written layer of CDK. As such, you need to use exactly the same mechanisms as you would need to set up VPC peering using CloudFormation, except using CDK.

Otherwise, this seems like a duplicate of #9338. Closing.

@rix0rrr rix0rrr closed this as completed Nov 22, 2021
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rix0rrr @luqmanulkhair @ryparker