sourcefuse/terraform-aws-arc-vpc-peering

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing AWS VPC Peering connections.

Features

  • Single Module Design: Handles both requester and accepter sides automatically
  • Multi-Account Support: Cross-account VPC peering with automatic accepter handling
  • Multi-Region Support: Cross-region VPC peering capabilities
  • Automatic Route Management: Optional route table updates for seamless connectivity
  • DNS Resolution: Configurable DNS resolution across peered VPCs
  • Flexible Configuration: Both simple and advanced input patterns
  • Production Ready: Comprehensive validation, error handling, and best practices
  • Security Best Practices: Encryption, tagging, and protection settings
  • High Availability: Multi-AZ route table support
  • Conditional Resources: Smart resource creation based on configuration

Usage Patterns

Simple Same-Account Peering

module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws.accepter = aws.accepter
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      allow_remote_vpc_dns_resolution = true
    }
  }

  # Standard naming
  naming = {
    namespace   = "eg"
    environment = "prod"
    stage       = "staging"
    name        = "app"
  }

  tags = {
    Project = "MyProject"
  }
}

Cross-Account Peering

module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws.accepter = aws.accepter
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      peer_owner_id                   = "123456789012"
      allow_remote_vpc_dns_resolution = true
    }
  }

  tags = {
    Environment = "production"
  }
}

Cross-Region Peering

module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws          = aws.us_east
    aws.accepter = aws.us_west
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      peer_region                     = "us-west-2"
      allow_remote_vpc_dns_resolution = true
    }
  }

  tags = {
    Environment = "production"
  }
}

Advanced Multi-Connection with Route Management

module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws.accepter = aws.accepter
  }

  connections = {
    "web-to-app" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      auto_accept                     = true
      allow_remote_vpc_dns_resolution = true

      manage_routes                   = true
      requester_route_table_ids       = ["rtb-12345678"]
      accepter_route_table_ids        = ["rtb-87654321"]
      requester_destination_cidrs     = ["10.2.0.0/16"]
      accepter_destination_cidrs      = ["10.1.0.0/16"]
    }

    "app-to-db" = {
      requester_vpc_id                = "vpc-87654321"
      accepter_vpc_id                 = "vpc-abcdef12"
      peer_owner_id                   = "123456789012"
      auto_accept                     = false
      allow_remote_vpc_dns_resolution = true

      manage_routes                   = true
      requester_route_table_ids       = ["rtb-87654321"]
      accepter_route_table_ids        = ["rtb-abcdef12"]
      requester_destination_cidrs     = ["10.3.0.0/16"]
      accepter_destination_cidrs      = ["10.2.0.0/16"]
    }
  }

  tags = {
    Environment = "production"
    Project     = "multi-tier-architecture"
  }
}

Provider Configuration

Same Account, Same Region

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "accepter"
  region = "us-east-1"
}

Cross-Region

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "accepter"
  region = "us-west-2"
}

Cross-Account

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "accepter"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/CrossAccountRole"
  }
}

Examples

The examples/ directory contains complete, working examples.

Migration Guide

This module provides a clean, single interface for VPC peering across different scenarios using the connections map:

# Simple same-account peering
module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws.accepter = aws.accepter
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      allow_remote_vpc_dns_resolution = false
    }
  }

  tags = {
    Environment = "production"
  }
}

# Cross-account peering
module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws.accepter = aws.accepter
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      peer_owner_id                   = "123456789012"
      allow_remote_vpc_dns_resolution = true
    }
  }

  tags = {
    Environment = "production"
  }
}

# Cross-region peering
module "vpc_peering" {
  source = "sourcefuse/arc-vpc-peering/aws"

  providers = {
    aws          = aws.us_east
    aws.accepter = aws.us_west
  }

  connections = {
    "main" = {
      requester_vpc_id                = "vpc-12345678"
      accepter_vpc_id                 = "vpc-87654321"
      peer_region                     = "us-west-2"
      allow_remote_vpc_dns_resolution = true
    }
  }

  tags = {
    Environment = "production"
  }
}

Security Best Practices

  • Least Privilege: Only create routes for specific CIDR blocks that need connectivity
  • Cross-Account IAM: Ensure proper IAM roles for cross-account peering
  • Network Segmentation: Use security groups and NACLs in addition to routing
  • DNS Resolution: Only enable when required for your use case
  • Route Table Management: Be explicit about which route tables to update
  • CIDR Planning: Ensure no overlapping CIDR blocks between peered VPCs
  • Monitoring: Set up CloudWatch metrics for peering connection status
  • Tagging: Use consistent tagging for cost allocation and management
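The following pre-apply check is an added example; it is not part of the module or this README. It models the routes the Advanced Multi-Connection block above would have the module create (one aws_route per route table per destination CIDR) and applies the Least Privilege, Route Table Management and CIDR Planning rules from this list to a constructed connections map. It assumes VPC CIDRs are available from a separate lookup keyed by VPC id (vpc_cidrs), since the connections input carries only VPC ids; the sample values and the /8 width limit are constructed for illustration.

```python
"""Pre-apply policy check for a connections map (added example, not module code).

It expands the map into the routes the module's aws_route.requester and
aws_route.accepter resources would create and applies the README's
least-privilege and CIDR-planning rules before terraform apply.
Assumption: VPC CIDRs come from a separate vpc_cidrs dict keyed by VPC id.
"""
import ipaddress
from itertools import product

# Constructed sample input mirroring the "Advanced Multi-Connection" usage block.
SAMPLE_CONNECTIONS = {
    "web-to-app": {
        "requester_vpc_id": "vpc-12345678",
        "accepter_vpc_id": "vpc-87654321",
        "manage_routes": True,
        "requester_route_table_ids": ["rtb-12345678"],
        "accepter_route_table_ids": ["rtb-87654321"],
        "requester_destination_cidrs": ["10.2.0.0/16"],
        "accepter_destination_cidrs": ["10.1.0.0/16"],
    },
    "app-to-db": {
        "requester_vpc_id": "vpc-87654321",
        "accepter_vpc_id": "vpc-abcdef12",
        "manage_routes": True,
        "requester_route_table_ids": ["rtb-87654321"],
        "accepter_route_table_ids": ["rtb-abcdef12"],
        "requester_destination_cidrs": ["10.3.0.0/16"],
        "accepter_destination_cidrs": ["10.2.0.0/16"],
    },
}

# Constructed VPC CIDR lookup (assumption: maintained outside the module).
SAMPLE_VPC_CIDRS = {
    "vpc-12345678": "10.1.0.0/16",
    "vpc-87654321": "10.2.0.0/16",
    "vpc-abcdef12": "10.3.0.0/16",
}

MAX_PREFIX_WIDTH = 8  # constructed policy: reject anything broader than a /8


def planned_routes(connections):
    """Expand the map into (route_table_id, destination_cidr, connection) tuples,
    the same cartesian product the module's route resources produce."""
    routes = []
    for name, conn in connections.items():
        if not conn.get("manage_routes", False):
            continue
        for side in ("requester", "accepter"):
            tables = conn.get(f"{side}_route_table_ids", [])
            cidrs = conn.get(f"{side}_destination_cidrs", [])
            for rtb, cidr in product(tables, cidrs):
                routes.append((rtb, cidr, name))
    return routes


def check_connections(connections, vpc_cidrs):
    """Return a list of policy findings; an empty list means the map passes."""
    findings = []
    for name, conn in connections.items():
        req = ipaddress.ip_network(vpc_cidrs[conn["requester_vpc_id"]])
        acc = ipaddress.ip_network(vpc_cidrs[conn["accepter_vpc_id"]])
        # CIDR planning: peered VPCs must not overlap, or routing is ambiguous.
        if req.overlaps(acc):
            findings.append(f"{name}: requester {req} overlaps accepter {acc}")
        # Least privilege: each destination must be specific and must sit
        # inside the peer VPC, otherwise the route is broader than the peering.
        for side, peer in (("requester", acc), ("accepter", req)):
            for cidr in conn.get(f"{side}_destination_cidrs", []):
                dest = ipaddress.ip_network(cidr)
                if dest.prefixlen < MAX_PREFIX_WIDTH:
                    findings.append(f"{name}: {side} destination {dest} is too broad")
                elif not dest.subnet_of(peer):
                    findings.append(
                        f"{name}: {side} destination {dest} is outside peer VPC {peer}"
                    )
    # Route table management: the same (table, destination) pair twice is a
    # conflicting aws_route; AWS rejects the second one at apply time.
    seen = {}
    for rtb, cidr, name in planned_routes(connections):
        key = (rtb, cidr)
        if key in seen:
            findings.append(f"{rtb}: {cidr} defined by both {seen[key]} and {name}")
        seen.setdefault(key, name)
    return findings


if __name__ == "__main__":
    for line in check_connections(SAMPLE_CONNECTIONS, SAMPLE_VPC_CIDRS) or ["no findings"]:
        print(line)
```

Run it in CI against the decoded tfvars before terraform apply; an empty findings list passes. The sample map above passes all three rules; a 0.0.0.0/0 destination, overlapping VPC CIDRs, or two connections writing the same destination into one route table each produce a finding.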

Requirements

Name Version
terraform >= 1.5.0
aws >= 5.0, < 7.0

Providers

Name Version
aws 6.26.0
aws.accepter 6.26.0

Modules

No modules.

Resources

Name Type
aws_route.accepter resource
aws_route.requester resource
aws_vpc_peering_connection.this resource
aws_vpc_peering_connection_accepter.cross_account resource
aws_vpc_peering_connection_accepter.this resource
aws_vpc_peering_connection_options.accepter resource
aws_vpc_peering_connection_options.requester resource

Inputs

auto_accept_peering
  Description: Automatically accept peering connections (same account only)
  Type: bool
  Default: true
  Required: no

connections
  Description: Map of VPC peering connections to create
  Type:
    map(object({
      requester_vpc_id = string
      accepter_vpc_id  = string
      peer_region      = optional(string)
      peer_owner_id    = optional(string)
      auto_accept      = optional(bool, true)

      # DNS settings
      allow_remote_vpc_dns_resolution = optional(bool, false)

      # Route management
      manage_routes               = optional(bool, false)
      requester_route_table_ids   = optional(list(string), [])
      accepter_route_table_ids    = optional(list(string), [])
      requester_destination_cidrs = optional(list(string), [])
      accepter_destination_cidrs  = optional(list(string), [])

      # Tags
      tags = optional(map(string), {})
    }))
  Default: {}
  Required: no

dns_resolution
  Description: DNS resolution configuration
  Type:
    object({
      requester_allow_remote_vpc_dns_resolution = optional(bool, true)
      accepter_allow_remote_vpc_dns_resolution  = optional(bool, true)
      enable_dns_resolution                     = optional(bool, false)
    })
  Default: {}
  Required: no

naming
  Description: Naming configuration for resources
  Type:
    object({
      name        = optional(string, "")
      namespace   = optional(string, "")
      environment = optional(string, "")
      stage       = optional(string, "")
      delimiter   = optional(string, "-")
      attributes  = optional(list(string), [])
      label_order = optional(list(string), ["namespace", "environment", "stage", "name", "attributes"])
    })
  Default: {}
  Required: no

tags
  Description: Default tags to apply to all resources
  Type: map(string)
  Default: {}
  Required: no

timeouts
  Description: VPC peering connection timeouts
  Type:
    object({
      create = optional(string, "3m")
      update = optional(string, "3m")
      delete = optional(string, "5m")
    })
  Default: {}
  Required: no

Outputs

Name Description
peering_connection_ids Map of peering connection names to their IDs
peering_connection_status Map of peering connection names to their status
peering_connections Complete peering connection details

Versioning

This project uses a .version file at the root of the repo, which the pipeline reads and uses to create a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install

Versioning

When contributing or making a git commit, state in your commit message whether the change is major, minor or patch.

For Example

git commit -m "your commit message #major"

When you specify this, the pipeline bumps the version at that level; if you don't specify it in your commit message, the pipeline treats the change as a patch and bumps the version accordingly.
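The commit-message rule above, as an added illustration (this is not the project's pipeline code): it takes the current .version content and the commit message, honours a #major, #minor or #patch marker, and defaults to a patch bump when none is present.

```python
"""Model of the version bump rule described above (added illustration, not the
project's pipeline). Input: the text of .version and a commit message."""
import re

MARKER = re.compile(r"#(major|minor|patch)\b", re.IGNORECASE)


def bump_version(current, commit_message):
    """Return the next version for a .version string such as "1.4.2".

    "#major" resets minor and patch, "#minor" resets patch, and a missing or
    "#patch" marker bumps the patch number, matching the default behaviour.
    """
    major, minor, patch = (int(part) for part in current.strip().split("."))
    match = MARKER.search(commit_message)
    level = match.group(1).lower() if match else "patch"  # default is patch
    if level == "major":
        return f"{major + 1}.0.0"
    if level == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


if __name__ == "__main__":
    # Constructed sample: current .version is 1.4.2 and the commit asks for #major.
    print(bump_version("1.4.2\n", "your commit message #major"))
```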

Tests

  • Tests are available in the test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-arc-vpc-peering
    go get github.com/gruntwork-io/terratest/modules/terraform
  • Now execute the tests
    go test -timeout 30m

Authors

This project is authored by:

  • SourceFuse ARC Team
