If you have deployed each VNet in each subscription, I think you can do a two-step process: set up the subscription/VNet in one run and the peering in a second. The Terraform peering configuration will look like this: use alias for one specific subscription that you will refer to, and use data to query the existing resources in each subscription. Ensure that the Service Principal you're using either has permissions to both subscriptions or a different Service Principal is used for each provider block (with the associated permissions).
For example,
# One aliased provider per subscription; each needs credentials that are
# authorised in that subscription.
provider "azurerm" {
  version         = "xxx"
  tenant_id       = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  subscription_id = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  client_id       = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  client_secret   = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  alias           = "dev"
}

provider "azurerm" {
  version         = "xxx"
  tenant_id       = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  subscription_id = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  client_id       = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  client_secret   = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  alias           = "test"
}

# Look up the VNets that already exist in each subscription.
data "azurerm_virtual_network" "dev" {
  provider            = azurerm.dev
  name                = "dev-network"
  resource_group_name = "dev-network-rg"
}

data "azurerm_virtual_network" "test" {
  provider            = azurerm.test
  name                = "test-network"
  resource_group_name = "test-network-rg"
}

# Peering is created on the local VNet (resource_group_name / virtual_network_name)
# and points at the remote VNet's id; it must be created in both directions.
resource "azurerm_virtual_network_peering" "dev-to-test" {
  provider                     = azurerm.dev
  name                         = "dev-to-test"
  resource_group_name          = data.azurerm_virtual_network.dev.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.dev.name
  remote_virtual_network_id    = data.azurerm_virtual_network.test.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

resource "azurerm_virtual_network_peering" "test-to-dev" {
  provider                     = azurerm.test
  name                         = "test-to-dev"
  resource_group_name          = data.azurerm_virtual_network.test.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.test.name
  remote_virtual_network_id    = data.azurerm_virtual_network.dev.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}
If you are using the Azure CLI auth, you could refer to this.
Alternatively, as you thought, you could try to use a depends_on attribute in the azurerm_virtual_network_peering block; refer to this example.
# Excerpt from the referenced example: the resource group, the hub VNet and the
# hub gateway (azurerm_resource_group.spoke1-vnet-rg, azurerm_virtual_network.hub-vnet,
# azurerm_virtual_network_gateway.hub-vnet-gateway) are defined elsewhere in that example.
resource "azurerm_virtual_network" "spoke1-vnet" {
  provider            = azurerm.dev
  name                = "spoke1-vnet"
  location            = azurerm_resource_group.spoke1-vnet-rg.location
  resource_group_name = azurerm_resource_group.spoke1-vnet-rg.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_virtual_network_peering" "spoke1-hub-peer" {
  provider                     = azurerm.dev
  name                         = "spoke1-hub-peer"
  resource_group_name          = azurerm_resource_group.spoke1-vnet-rg.name
  virtual_network_name         = azurerm_virtual_network.spoke1-vnet.name
  remote_virtual_network_id    = azurerm_virtual_network.hub-vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false
  use_remote_gateways          = true

  # use_remote_gateways needs the hub gateway to exist before the peering is created,
  # so the dependency is declared explicitly (unquoted references, Terraform 0.12+).
  depends_on = [
    azurerm_virtual_network.spoke1-vnet,
    azurerm_virtual_network.hub-vnet,
    azurerm_virtual_network_gateway.hub-vnet-gateway,
  ]
}
For more information, you could refer to this blog1 and blog2 on deploying to multiple subscriptions with Terraform.
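As an added example (not part of the answer above or of any linked blog), here is the same two-provider peering written so that no client secret sits in the .tf files: the credentials come in through variables marked sensitive (supplied via TF_VAR_* environment variables or an uncommitted tfvars file), each direction is limited to the traffic it actually needs, and a precondition refuses to plan a peering whose local and remote VNet ids are the same. The VNet and resource group names, the variable names, and the Terraform 1.2+ / azurerm 2.x syntax (features {}, lifecycle preconditions) are assumptions for the example.

```hcl
# Added example: credentials are inputs, never literals in the configuration.
variable "tenant_id" { type = string }
variable "dev_subscription_id" { type = string }
variable "test_subscription_id" { type = string }
variable "dev_client_id" { type = string }
variable "test_client_id" { type = string }
variable "dev_client_secret" {
  type      = string
  sensitive = true # redacted from plan/apply output and CLI error messages
}
variable "test_client_secret" {
  type      = string
  sensitive = true
}

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

# One provider per subscription; each Service Principal only needs
# Network Contributor on its own VNet's resource group.
provider "azurerm" {
  alias           = "dev"
  features {}
  tenant_id       = var.tenant_id
  subscription_id = var.dev_subscription_id
  client_id       = var.dev_client_id
  client_secret   = var.dev_client_secret
}

provider "azurerm" {
  alias           = "test"
  features {}
  tenant_id       = var.tenant_id
  subscription_id = var.test_subscription_id
  client_id       = var.test_client_id
  client_secret   = var.test_client_secret
}

data "azurerm_virtual_network" "dev" {
  provider            = azurerm.dev
  name                = "dev-network"    # assumed name
  resource_group_name = "dev-network-rg" # assumed name
}

data "azurerm_virtual_network" "test" {
  provider            = azurerm.test
  name                = "test-network"    # assumed name
  resource_group_name = "test-network-rg" # assumed name
}

# Local side = dev VNet, remote = test VNet. Forwarded traffic and gateway
# transit stay off unless the design calls for a hub/NVA, since each one
# widens what the peered network can reach.
resource "azurerm_virtual_network_peering" "dev_to_test" {
  provider                     = azurerm.dev
  name                         = "dev-to-test"
  resource_group_name          = data.azurerm_virtual_network.dev.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.dev.name
  remote_virtual_network_id    = data.azurerm_virtual_network.test.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = false
  allow_gateway_transit        = false
  use_remote_gateways          = false

  lifecycle {
    precondition {
      # Catches the copy-paste mistake of pointing a VNet at itself.
      condition     = data.azurerm_virtual_network.dev.id != data.azurerm_virtual_network.test.id
      error_message = "Local and remote VNet resolve to the same resource id."
    }
  }
}

# Mirror image, created in the test subscription.
resource "azurerm_virtual_network_peering" "test_to_dev" {
  provider                     = azurerm.test
  name                         = "test-to-dev"
  resource_group_name          = data.azurerm_virtual_network.test.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.test.name
  remote_virtual_network_id    = data.azurerm_virtual_network.dev.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = false
  allow_gateway_transit        = false
  use_remote_gateways          = false
}
```

With two aliased providers the ARM_CLIENT_SECRET environment variable can only serve one of them, which is why each subscription's credentials are passed as separate variables (for example TF_VAR_dev_client_secret and TF_VAR_test_client_secret in the CI job's secret store). Peering state is visible in both subscriptions' activity logs, so changes to allow_forwarded_traffic or allow_gateway_transit are worth alerting on: they are the settings that turn a simple VNet-to-VNet link into a transit path.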