Zakaria EL BAZI

Posted on • Originally published at elbazi.me

AWS multi-region VPC peering using Terraform
How to securely connect two VPCs from different regions.

VPC peering is a networking connection between two VPCs that enables traffic routing between them using private IPv4 and/or IPv6 addresses.

From the AWS blog, "What is VPC peering?": "A way to privately connect the two VPCs without exposing them to the internet, and the resources in either VPC can communicate with each other as if they are within the same network."

Check this very detailed article from Ashish Patel for more information.


NB: The two VPCs must not have matching or overlapping CIDR blocks, otherwise the routes to the peer VPC would be ambiguous.

Steps

1/ Create a peering connection using an aws_vpc_peering_connection in one of the VPCs. This VPC is the 'requester' of the peering connection: the one that requests access to the other VPC's resources.


resource "aws_vpc_peering_connection" "this" {
  vpc_id      = var.requester_vpc_id
  peer_vpc_id = var.accepter_vpc_id
  peer_region = var.accepter_region
}


2/ Create and accept the peering connection in the other VPC using an aws_vpc_peering_connection_accepter. (For cross-account or cross-region peering, the other VPC is the 'accepter' side: it has to accept the incoming peering request before access to its resources is allowed.)


resource "aws_vpc_peering_connection_accepter" "this" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
  auto_accept               = true
}


3/ Create the necessary aws_route entries in the route tables of both VPCs, so that each side knows to send traffic destined for the peer VPC's CIDR through the peering connection. This is also why peering requires distinct, non-overlapping CIDRs: a route's destination must identify exactly one side.
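The two constraints in the steps above (non-overlapping VPC CIDRs, and one route per route table on each side pointing at the peer's CIDR) can be checked before Terraform runs anything. The following Python pre-flight script is an added example written for this article; it is not the author's code and not part of the linked gist. It applies the AWS limit that an IPv4 VPC CIDR block is between /16 and /28, rejects overlapping blocks, and emits exactly the set of routes step 3 would create. The route table and peering connection ids it uses are constructed placeholders.

```python
"""Pre-flight check for a VPC peering (added example, not the article's Terraform)."""
import ipaddress
from dataclasses import dataclass

# AWS accepts IPv4 VPC CIDR blocks between /16 and /28.
MIN_IPV4_PREFIX = 16
MAX_IPV4_PREFIX = 28


@dataclass(frozen=True)
class Route:
    """One aws_route entry: route table -> peer CIDR via the peering connection."""
    route_table_id: str
    destination_cidr_block: str
    vpc_peering_connection_id: str


def parse_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VPC CIDR strictly (host bits must be zero) and enforce the AWS size limits."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 VPC CIDRs are handled here")
    if not MIN_IPV4_PREFIX <= net.prefixlen <= MAX_IPV4_PREFIX:
        raise ValueError(
            f"{cidr}: VPC IPv4 CIDR must be between /{MIN_IPV4_PREFIX} and /{MAX_IPV4_PREFIX}"
        )
    return net


def cidrs_overlap(requester_cidr: str, accepter_cidr: str) -> bool:
    """True when the two VPC CIDRs share any address; peering them is then not possible."""
    return parse_vpc_cidr(requester_cidr).overlaps(parse_vpc_cidr(accepter_cidr))


def plan_peering_routes(requester_cidr, accepter_cidr, requester_rtb_ids, accepter_rtb_ids, pcx_id):
    """Return the routes both sides need, or raise if the CIDRs overlap.

    Every route table of the requester VPC gets a route to the accepter CIDR,
    and every route table of the accepter VPC gets a route to the requester CIDR,
    all pointing at the same peering connection (the pcx-... id).
    """
    req = parse_vpc_cidr(requester_cidr)
    acc = parse_vpc_cidr(accepter_cidr)
    if req.overlaps(acc):
        raise ValueError(f"VPC CIDRs {req} and {acc} overlap: routes to the peer would be ambiguous")
    routes = [Route(rtb, str(acc), pcx_id) for rtb in requester_rtb_ids]
    routes += [Route(rtb, str(req), pcx_id) for rtb in accepter_rtb_ids]
    return routes


if __name__ == "__main__":
    # Constructed sample input: the ids below are placeholders, not real AWS resources.
    planned = plan_peering_routes(
        "10.0.0.0/16", "10.1.0.0/16",
        ["rtb-req-public", "rtb-req-private"], ["rtb-acc-main"],
        "pcx-PLACEHOLDER",
    )
    for rt in planned:
        print(f"{rt.route_table_id}: {rt.destination_cidr_block} -> {rt.vpc_peering_connection_id}")
```

Feeding the script the CIDRs returned by `aws ec2 describe-vpcs` for both regions before applying the Terraform surfaces an overlap as a clear error instead of a failed peering request or a route that silently shadows part of the local VPC.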

A complete example with all the necessary resources is available here:

#### variables ####
# accepter
variable "accepter_vpc_id" {}
variable "accepter_region" {}
# requester
variable "requester_vpc_id" {}
variable "requester_region" {}

#### providers ####
# One aws provider per region; resources pick a side through the alias.
# requester
provider "aws" {
  alias  = "requester"
  region = var.requester_region
}
# accepter
provider "aws" {
  alias  = "accepter"
  region = var.accepter_region
}

# Look up each VPC (for its CIDR) and its route tables in its own region.
data "aws_vpc" "accepter" {
  provider = aws.accepter
  id       = var.accepter_vpc_id
}
data "aws_route_tables" "accepter" {
  provider = aws.accepter
  vpc_id   = var.accepter_vpc_id
}
data "aws_vpc" "requester" {
  provider = aws.requester
  id       = var.requester_vpc_id
}
data "aws_route_tables" "requester" {
  provider = aws.requester
  vpc_id   = var.requester_vpc_id
}

locals {
  requester_route_tables_ids = data.aws_route_tables.requester.ids
  accepter_route_tables_ids  = data.aws_route_tables.accepter.ids
}

#### peering configuration ####
# Requester side: opens the peering request towards the accepter VPC in the other region.
resource "aws_vpc_peering_connection" "this" {
  provider    = aws.requester
  vpc_id      = var.requester_vpc_id
  peer_vpc_id = var.accepter_vpc_id
  peer_region = var.accepter_region
  auto_accept = false # a cross-region request is accepted by the accepter resource below
}
# Accepter side: accepts the incoming request in its own region.
resource "aws_vpc_peering_connection_accepter" "this" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
  auto_accept               = true
}
# The accepter exposes the same pcx id; referencing it makes Terraform wait until
# the connection is active before setting options or creating routes.
resource "aws_vpc_peering_connection_options" "this" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}

#### route tables ####
# Every route table on each side gets one route to the peer VPC's CIDR via the peering connection.
resource "aws_route" "requester" {
  provider                  = aws.requester
  count                     = length(local.requester_route_tables_ids)
  route_table_id            = local.requester_route_tables_ids[count.index]
  destination_cidr_block    = data.aws_vpc.accepter.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
}
resource "aws_route" "accepter" {
  provider                  = aws.accepter
  count                     = length(local.accepter_route_tables_ids)
  route_table_id            = local.accepter_route_tables_ids[count.index]
  destination_cidr_block    = data.aws_vpc.requester.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
}

And that's it 👋
