def describe_vpc_cached(vpc_id: str, account_id: str, region: str,
                        **kwargs) -> dict:
    Describe a specific VPC from our cache of VPC descriptions for a given account and region
    Return a dict if things go as expected.

    We accept additional arguments here to handle the case where the arguments are given as
    a dictionary with additional keys. Such as when filtering the main config for only VPCs
    which actually exist.

    :param vpc_id: A vpc id e.g. vpc-abc123
    :type vpc_id: str
    :param account_id: An AWS account id number
    :type account: str
    :param region: An AWS region where the service client should be created. e.g. us-east-1
    :type region: str
    :param **kwargs: Handle trailing arguments in case where dictionary of arguments is provided.
    :type **kwargs: dict
    :returns: A list of dictionaries representing all the VPCs for a given account and region.
    :rtype: list
        f'Fetching description of VPC {vpc_id} for account {account_id} in region {region}'
    vpcs = describe_account_vpcs_cached(account_id, region)
    if vpc_dict := next((x for x in vpcs if x['VpcId'] == vpc_id), None):
        return vpc_dict
def get_all_env_peerings(config: Sequence[dict], metadata: Mapping) -> List[dict]:
    Given the configuration, find all the peerings which exist across all accounts
    and regions.
    :param config: A list containing dictionaries representing the configuration for the environment
    :type config: list
    :param key: The key to deduplicate on.
    :returns: A deduplicated list of all peerings for this environment.
    :rtype: list
    # Get a dictionary of accounts, regions, vpcs and the vpcs they should be peered to
    config_peer_map = deepcopy(get_peering_map(config))
    # Initialise a filter to get vpc peerings relevant to the current environment being worked on
    filters = [{'Name': 'tag:peerd_created', 'Values': ['true']},
               {'Name': 'tag:peerd_environment', 'Values': [metadata['environment']]},
               {'Name': 'status-code', 'Values': ['active']}]
    # Get all existing peerings from accounts listed in the config file
    peerings: List[dict] = []
    for account_id in config_peer_map.keys():
        for region in config_peer_map[account_id].keys():
            peerings.extend(get_all_peerings(account_id, region, filters))
    # Now get all existing peerings from all accounts that participate in peerings
    # (There might be accounts not listed in the config file)
    for peering in peerings:
        for side in ('RequesterVpcInfo', 'AccepterVpcInfo'):
            account_id = peering[side]['OwnerId']
            region = peering[side]['Region']
            if not config_peer_map[account_id][region]:
                LOGGER.debug(f'Found peering to unconfigured account {account_id} region {region}. Inspecting...')
                peerings.extend(get_all_peerings(account_id, region, filters))
                config_peer_map[account_id][region] = True
                LOGGER.debug(f'Discovered additional peerings in {account_id} {region}')
    # Add the 2 lists, and ceduplicate peerings. These will be all existing peerings even between accounts deleted from the config file
    return deduplicate_list_dicts(peerings, 'VpcPeeringConnectionId')
def aws_client(account: str, service: str, region: str):
    Initialises a sts client, gets assume role credentials
    and initialises a AWS client connection to a requested resource.
    Returns the AWS product/resource client connection.
    Caches the client connection for re-use.
    For reference:

    :param account: An AWS account id number
    :type account: str
    :param service: An AWS service e.g. ec2
    :type service: str
    :param region: An AWS region where the service client should be created. e.g. us-east-1
    :type region: str

    global CLIENT_CACHE

    # In this block we get credentials for the target account by assuming
    # into the given account using a sts client connection
    # If we can't we return none and cache none.
    if not (credentials := get_role_credentials(account, aws_sts_client())):
            f'Unable to tokenise into {account} for service {service} in region {region}. Moving on'
        CLIENT_CACHE[account][region][service] = None
        return None
def common_vpc_cidrs(peer_desc: list) -> bool:
    Returns true if the VPCs share any CIDRs in common
    Returns false if the VPCs share no CIDRs in common

    Example Input:
            'account_id': '1234567890',
            'vpc_id': 'vpc-123',
            'region': 'us-west-2'
            'account_id': '3456789012',
            'vpc_id': 'vpc-456',
            'region': 'us-west-1'

    :param peer_desc: A list containing two dictionaries describing the account, vpc and region of two sides of a peering
    :type peer_desc: list
    :returns: True if there 1 or more common CIDRs, False otherwise.
    requester_vpc_cidrs = list_vpc_cidrs(peer_desc[0]['vpc_id'], peer_desc[0]['account_id'], peer_desc[0]['region'])
    accepter_vpc_cidrs = list_vpc_cidrs(peer_desc[1]['vpc_id'], peer_desc[1]['account_id'], peer_desc[1]['region'])
    if bool(set(requester_vpc_cidrs) & set(accepter_vpc_cidrs)):'VPC {peer_desc[0]["vpc_id"]} cidrs {requester_vpc_cidrs} and {peer_desc[0]["vpc_id"]} cidrs {accepter_vpc_cidrs} share a common cidr.')
    return bool(set(requester_vpc_cidrs) & set(accepter_vpc_cidrs))
def aws_sts_client() -> Any:
    Uses default boto credentials locations, such as the instance metadata
    to return a sts client connection and caches it as a global variable for reuse.

    :returns: AWS STS client connection

    sts_client = boto3.client('sts', config=Config(retries=dict(max_attempts=10)))'Found the following STS identity:\n{json.dumps(sts_client.get_caller_identity(), indent=2)}')
    return sts_client
def get_vpc_peering(vpc_id: str,
                    remote_vpc_id: str,
                    account_id: str,
                    region: str,
                    filters: list = []) -> dict:
    Returns a dictionary describing a specific VPC peering between two VPCs
    From the perspective of a given account.
    Note: Same peering can have slightly different content based on perspective account.
    Note: This function is greedy in the sense that the requester does not have to be
    the requester as AWS defines it in
    This function will match peerings even when the remote_vpc_id is the requester.

    Example usage:
    filters = [{'Name': 'tag:peerd_created', 'Values': ['true']},
                   {'Name': 'tag:peerd_environment', 'Values': [metadata['environment']]},
                   {'Name': 'status-code', 'Values': ['active']}]
        if not (peering := get_vpc_peering(vpc_id, remote_vpc_id, account_id, region, filters)):
            LOGGER.warning(f'No active peering between {vpc_id} and {remote_vpc_id} for this environment'
                           f' {metadata["environment"]}. It may exist as part of another environment.')

    :param vpc_id: A vpc id e.g. vpc-abc123
    :type vpc_id: str
    :param remote_vpc_id: A vpc id e.g. vpc-abc123
    :type remote_vpc_id: str
    :param account_id: An AWS account id number
    :type account: str
    :param region: An AWS region. e.g. us-east-1
    :type region: str
    :param filters: A standard list of boto3 filters (list of dics).
    :type filters: list
    :returns: A list containing all peering dictionaries for an account-region.
    :rtype: list
    vpc_peerings = get_all_peerings(account_id, region, filters)
    for peering in vpc_peerings:
        if peering['AccepterVpcInfo']['VpcId'] in [vpc_id, remote_vpc_id]:
            if peering['RequesterVpcInfo']['VpcId'] in [vpc_id, remote_vpc_id]:
                    f"Found peering {peering['VpcPeeringConnectionId']} between {vpc_id} and {remote_vpc_id}"
                return peering
        f"No active peering between {vpc_id} and {remote_vpc_id} for given filters {filters}"
    return None
def describe_account_vpcs_cached(account_id: str, region: str) -> List[dict]:
    Describe all the VPCs in a given account in a given region and return them as a list of descriptions

    :param account_id: An AWS account id number
    :type account: str
    :param region: An AWS region where the service client should be created. e.g. us-east-1
    :type region: str
    :returns: A list of dictionaries representing all the VPCs for a given account and region.
    :rtype: list
    """'Fetching description of all VPCs for account {account_id} in region {region}')
    ec2_client = aws_client(account_id, 'ec2', region)
    return ec2_client.describe_vpcs()['Vpcs']
def check_iam_role_capability(account_id: str) -> bool:
    Check that we can assume a role in each account and perform an ec2 action to validate it.
    Allows us to filter out accounts which do not work for the script and inform the user.

    :param account_id: An AWS Account Id
    :type account_id: str
    :returns: True if the role and EC2 client works. False otherwise.
    :rtype: bool
        if ec2_client := aws_client(account_id, 'ec2', 'us-east-1'):
  'Able to assume role in {account_id} and access the EC2 API.')
            return True
        LOGGER.warning(f'Unable to assume role in {account_id} and access the EC2 API.')
def tag_resource(client, resource: str, tags: dict, dryrun: bool = False):
    Tags an AWS resource with the provided tags.

    Example Usage:
    ec2_client = aws_client(account_id, 'ec2', region)
    tags = {'peerd_support': '*****@*****.**',
            'peerd_datetime': str(}
    tag_resource(ec2_client, peerding_id, tags)
    :param client: An AWS boto3 client connection to an AWS resource
    :type client: boto3 client
    :param resource: The name of the resource e.g. rt-abc123
    :type resource: string
    :param tags: Dictionary of tags to apply to a resource
    :type tags: dict
    :returns: Nothing
    :raises BaseException: Raises an exception if there was some problem tagging the resource
    tags = [{'Key': key, 'Value': value} for (key, value) in tags.items()]

    for x in range(5):
            LOGGER.debug(f'Tagging {resource}')
            client.create_tags(Resources=[resource], Tags=tags, DryRun=dryrun)
            LOGGER.debug(f'Tagging {resource} successful')
        except botocore.exceptions.ClientError as err:
            if err.response['Error']['Code'] == 'DryRunOperation':
                LOGGER.debug(f'Tagging {resource} successful')
                f'Tagging {resource} encountered error: {err.response["Error"]["Message"]}. Will retry.'
        except BaseException:
            LOGGER.warning("Unexpected error: %s",

    raise Exception(f'Could not tag resource {resource}')
def get_deletable_peerings(peerings: list, vpc_list: list) -> list:
    Given a list of peerings that exist in the infrastructure, and a
    list of vpcs that are configured to be members of this environment,
    returns a list of peerings which should be deleted.

    :param config: A list containing dictionaries representing the configuration for the environment
    :type config: list
    :param key: The key to deduplicate on.
    :returns: A deduplicated list of all peerings for this environment.
    :rtype: list
    peerings_to_delete = []
    for peering in peerings:
        accepter = peering['AccepterVpcInfo']
        requester = peering['RequesterVpcInfo']
        if (accepter['VpcId'] not in vpc_list) or (requester['VpcId'] not in vpc_list):
            LOGGER.debug(f"Peering between {requester['VpcId']} and {accepter['VpcId']} can be deleted.")
    return deduplicate_list_dicts(peerings_to_delete, 'VpcPeeringConnectionId')
def clean_route_tables(peering_id: str, vpc_id: str, account_id: str, region: str, dryrun: bool) -> None:
    Deletes any routes pointing at a given peering id for a given vpc.
    Only applies to route tables with tag peerd_eligible:true

    :param peering_id: A vpc peering id e.g. pcx-011a291e5affc8d95
    :type peering_id: str
    :param vpc_id: A vpc id e.g. vpc-abc123
    :type vpc_id: str
    :param account_id: An AWS account id number
    :type account: str
    :param region: An AWS region where the service client should be created. e.g. us-east-1
    :type region: str
    # Initialise EC2 client
    ec2_client = aws_client(account_id, 'ec2', region)

    # Get the route tables for the VPC
    if not (route_tables := vpc_route_tables(vpc_id, account_id, region)):
        LOGGER.warning(f'No peerd_eligible route tables in VPC {vpc_id}')
def get_role_credentials(account: str, sts_client: Any) -> dict:
    Assumes a role and returns credentials for said role.
    Requires the COMMON_PRINCIPAL_NAME to be set, usually from metadata.

    Example returned dictionary:
        "Expiration": "2020-01-27T11:55:44Z",
        "Token": "abc123",
        "SecretAccessKey": "def456",
        "AccessKeyId": "ABCDEF123",
        "Type": "AWS-SOMETHING",
        "LastUpdated": "2020-01-27T10:55:45Z",
        "Code": "Success"

    :param account: An AWS account id number
    :type account: str
    :param sts_client: an aws client connection to the sts service
    :type resource: boto3 client
    :returns: Dictionary containing the credentials from the assume role action
    :rtype: dict
        arn = f'arn:aws:iam::{account}:role/{COMMON_PRINCIPAL_NAME}''Attempting to tokenise into: {arn}')
        credentials = sts_client.assume_role(RoleArn=arn, RoleSessionName=ROLE_SESSION_NAME)['Credentials']'Successfully tokenised into: {arn}')
        return credentials
    except BaseException:
        LOGGER.warning("Unexpected error: %s", sys.exc_info()[1], exc_info=True)
        return {}
File: Progetto: intfrr/peerd
def accept_vpc_peerings(target_peerings: list, metadata: dict, dryrun: bool):
    Loops through a list of peerings, with existing peering id, to accept them.
    Requests, accepts and tags them.
    Repairs any half open peerings.

    Example target_peerings:
            "account_id": "415432961280",
            "peering_id": "pcx-41u5h345h2",
            "vpc_id": "vpc-e08fb484",
            "region": "ap-southeast-2",
            "cidr_overrides": [
            "peering_tags": [
                "peerd_az_affinity": "0"
            "account_id": 415432961280,
            "peering_id": "pcx-41u5h345h2",
            "vpc_id": "vpc-7a83b81e",
            "region": "ap-southeast-2"

    :param target_peerings: A list of lists representing the requester and accepter for each peering.
    :type target_peerings: list
    :param metadata: A dictionary with the environment, owner, etc for tagging
    :type metadata: list
    for peering_descriptor in target_peerings:

        # Unpack some common variables
        account_id = peering_descriptor[0]['account_id']
        vpc_id = peering_descriptor[0]['vpc_id']
        region = peering_descriptor[0]['region']
        local_tags = peering_descriptor[0].get('peering_tags', {})

        remote_account_id = peering_descriptor[1]['account_id']
        remote_vpc_id = peering_descriptor[1]['vpc_id']
        remote_region = peering_descriptor[1]['region']
        remote_tags = peering_descriptor[1].get('peering_tags', {})
        peering_id = peering_descriptor[1]['peering_id']
        tags = peering_descriptor[1]['tags']

            # Accept the VPC Peering
                f"Accepting peering request {peering_id} between {account_id} {vpc_id} {region} and "
                f"{remote_account_id} {remote_vpc_id} {remote_region}")
            ec2_client = aws_client(remote_account_id, 'ec2', remote_region)
            # Wait until the peering exists
            # The AWS API is eventually consistent and we need to wait.
  'Waiting for peering to exist...')
                WaiterConfig={'Delay': 5})
            # Tag the VPC Peering
            tags['Name'] = f'peerd peering to {account_id} {vpc_id} {region}'
            tags['peerd_role'] = 'accepter'
            tag_resource(ec2_client, peering_id, tags, dryrun=dryrun)
            # Accept the peering
                    VpcPeeringConnectionId=peering_id, DryRun=dryrun)
            except ClientError as err:
                if err.response['Error']['Code'] == 'DryRunOperation':
        except BaseException:
            LOGGER.error("Unexpected error: %s",
            f"Successfully accepted peering {peering_id} between {account_id} {vpc_id} "
            f"{region} and {remote_account_id} {remote_vpc_id} {remote_region}"
def create_vpc_peerings(target_peerings: Sequence, metadata: Mapping,
                        dryrun: bool) -> None:
    Loops through a list of peerings to create them.
    Requests, accepts and tags them.
    Repairs any half open peerings.

    Example target_peerings:
            "account_id": 415432961280,
            "vpc_id": "vpc-e08fb484",
            "region": "ap-southeast-2",
            "cidr_overrides": [
            "peering_tags": [
                "peerd_az_affinity": "0"
            "account_id": 415432961280,
            "vpc_id": "vpc-7a83b81e",
            "region": "ap-southeast-2"

    :param target_peerings: A list of lists representing the requester and accepter for each peering.
    :type target_peerings: list
    :param metadata: A dictionary with the environment, owner, etc for tagging
    :type metadata: list
    pending_acceptance_peerings = []
    for peering_descriptor in target_peerings:

        # Unpack some common variables
        account_id = peering_descriptor[0]['account_id']
        vpc_id = peering_descriptor[0]['vpc_id']
        region = peering_descriptor[0]['region']
        local_tags = peering_descriptor[0].get('peering_tags', {})

        remote_account_id = peering_descriptor[1]['account_id']
        remote_vpc_id = peering_descriptor[1]['vpc_id']
        remote_region = peering_descriptor[1]['region']
        remote_tags = peering_descriptor[1].get('peering_tags', {})

        # Create a VPC peering request
            ec2_client = aws_client(account_id, 'ec2', region)
            # If the peering doesn't exist, create it
            if not (peering := get_vpc_peering(vpc_id, remote_vpc_id,
                                               account_id, region)):
                    f"Creating peering request between {account_id} {vpc_id} {region}"
                    f" and {remote_account_id} {remote_vpc_id} {remote_region}"
                    ec2_peering_response = ec2_client.create_vpc_peering_connection(
                except ClientError as err:
                    if err.response['Error']['Code'] == 'DryRunOperation':
                peering_id = ec2_peering_response['VpcPeeringConnectionId']
                # Wait for the vpc peering to exist before moving on
      'Waiting for peering {peering_id} to exist...')
                    WaiterConfig={'Delay': 5})
            # If the peering exists and is active, do nothing.
            elif peering['Status']['Code'] == 'active':
                    f"Active peering {peering['VpcPeeringConnectionId']} between {account_id} {vpc_id} {region}"
                    f" and {remote_account_id} {remote_vpc_id} {remote_region}"
            # If the peering is pending acceptance move to tagging and acceptance
            # Only the remote account can accept the VPC peering.
            elif peering['Status']['Code'] == 'pending-acceptance' and peering[
                    'RequesterVpcInfo']['VpcId'] == vpc_id:
                peering_id = peering['VpcPeeringConnectionId']
                    f"Pending-Acceptance peering {peering_id} between {account_id} {vpc_id} {region}"
                    f" and {remote_account_id} {remote_vpc_id} {remote_region}. Will attempt recovery."
    # If we can't we return none and cache none.
    if not (credentials := get_role_credentials(account, aws_sts_client())):
        LOGGER.warning(f'Unable to tokenise into {account} for service {service} in region {region}. Moving on')
        return None

    # In this block we use the account credentials we got above, to create and cache a client
    # connection to an AWS service.
        client =  boto3.client(
        LOGGER.debug('Obtained fresh client connection.')
        return client
    except BaseException:
        LOGGER.error(f'Unexpected error: {sys.exc_info()[1]}', exc_info=True)

def tag_resource(client: Any, resource: str, tags: Mapping, dryrun: bool = False) -> None:
    Tags an AWS resource with the provided tags.

    Example Usage:
    ec2_client = aws_client(account_id, 'ec2', region)
    tags = {'peerd_support': '*****@*****.**',
            'peerd_datetime': str(}
    tag_resource(ec2_client, peerding_id, tags)
def update_route_tables(target_peerings: list, metadata: Mapping,
                        dryrun: bool) -> None:
    Loops through a list of peerings and updates the route tables on each side.

    Example target_peerings:
            "account_id": 415432961280,
            "vpc_id": "vpc-e08fb484",
            "region": "ap-southeast-2",
            "cidr_overrides": [
            "peering_tags": [
                "peerd_az_affinity": "0"
            "account_id": 415432961280,
            "vpc_id": "vpc-7a83b81e",
            "region": "ap-southeast-2"

    :param target_peerings: A list of lists representing the requester and accepter for each peering.
    :type target_peerings: list
    :param metadata: A dictionary with the environment, owner, etc for tagging
    :type metadata: list

    # We need to handle both sides of the peerings so we append reverse of each peering.
    # This means every side of every peering will be seen by a single loop.
    # We do this to avoid extra code handling the AWS concept of "accepter" and "requester"
    # We also construct our route table cache by account and region, which means if we looped
    # by requester and accepter we could cache stale route table contents.
    target_peerings.extend([x[::-1] for x in target_peerings])

    # Loop through the target peerings
    for peering_descriptor in target_peerings:
        # Unpack some common variables
        account_id = peering_descriptor[0]['account_id']
        vpc_id = peering_descriptor[0]['vpc_id']
        region = peering_descriptor[0]['region']

        remote_account_id = peering_descriptor[1]['account_id']
        remote_vpc_id = peering_descriptor[1]['vpc_id']
        remote_region = peering_descriptor[1]['region']
        # Get the remote CIDRs from the AWS VPC API, or use the overrides in the config if they exist.
        remote_cidrs = peering_descriptor[1].get(
            list_vpc_cidrs(remote_vpc_id, remote_account_id, remote_region))
            f"Inspecting route tables in {account_id} {vpc_id} "
            f"{region}, peer: {remote_account_id} {remote_vpc_id} {remote_region}"

        # Initialise a ec2 client connection
        ec2_client = aws_client(account_id, 'ec2', region)

        # Get active VPC peering if one exists, else continue
        # We want to avoid adding routes for inactive peerings.
        filters = [{
            'Name': 'tag:peerd_created',
            'Values': ['true']
        }, {
            'Name': 'tag:peerd_environment',
            'Values': [metadata['environment']]
        }, {
            'Name': 'status-code',
            'Values': ['active', 'provisioning']
        if not (peering := get_vpc_peering(vpc_id, remote_vpc_id, account_id,
                                           region, filters)):
            # Since we filter for the peerd environment, remind the user that there could be a peering
            # But that it might exist as part of another environment, and thus we won't be touching it.
                f'No active peering between {vpc_id} and {remote_vpc_id} for this environment'
                f' {metadata["environment"]}. It may exist as part of another environment.'
        peering_id = peering['VpcPeeringConnectionId']

        # Wait until the peering is active, not provisioning (boto waiter doesn't accept filters for vpc peering api)
        # We must wait for active state to install routes, otherwise the peering will be ignored.
        # Note, usually this step takes a few seconds, but can sometimes take up to a minute or two in rare cases.
        if peering['Status']['Code'] == 'provisioning':
            while not ec2_client.describe_vpc_peering_connections(
                        'Name': 'status-code',
                        'Values': ['active']
                    }, {
                        'Name': 'vpc-peering-connection-id',
                        'Values': [peering_id]
                    f'Waiting for peering {peering_id} to become active...')

        # Get the route tables for the local vpc relevant to the peering.
        # The vpc_route_tables function will only return peerd_eligible:true tables
        # Since we will have cases where RTs should not be altered.
        if not (route_tables := vpc_route_tables(vpc_id, account_id, region)):
            LOGGER.warning(f'No peerd_eligible route tables in VPC {vpc_id}')
def delete_unneeded_peerings(config: Sequence[dict], metadata: Mapping,
                             dryrun: bool) -> None:
    Compares the infrastructure with the configuration and applies
    route cleanup and peering deletion logic to remove VPC peerings.

    :param peering_id: A vpc peering id e.g. pcx-011a291e5affc8d95
    :type peering_id: str
    :param vpc_id: A vpc id e.g. vpc-abc123
    :type vpc_id: str
    :param account_id: An AWS account id number
    :type account: str
    :param region: An AWS region where the service client should be created. e.g. us-east-1
    :type region: str
    """'Beginning deletion phase...')
    # Get a list of all VPCs configured for this environment
    config_vpc_list = list_dict_values(config, 'vpc_id')
    # Get all peerings that exist for this environment
        f'Getting all peerings active in AWS for environment {metadata["environment"]}'
    # Only filter working accounts now, as there could be times where accounts don't work
    # but we might want to keep the peerings until we remove them from the configuration.
    filtered_config = filter_working_accounts(config)
    peerings = get_all_env_peerings(filtered_config, metadata)
    # Determine which peerings no longer relate to any vpc in the environment
        f'Calculating which peerings may be deleted (do not appear in configuration)'
    deletable_peerings = get_deletable_peerings(peerings, config_vpc_list)
    # Iterate through the deletable peerings
    for peering in deletable_peerings:
        peering_id = peering['VpcPeeringConnectionId']
            'Working on peering {} between {} {} {} and {} {} {}'.format(

        # Clean up the route tables on both sides
        for vpc_info in [
                peering['RequesterVpcInfo'], peering['AccepterVpcInfo']
            clean_route_tables(peering_id, vpc_info['VpcId'],
                               vpc_info['OwnerId'], vpc_info['Region'], dryrun)
        # Delete the peering"Deleting peering {peering_id}...")
        ec2_client = aws_client(peering['RequesterVpcInfo']['OwnerId'], 'ec2',
                VpcPeeringConnectionId=peering_id, DryRun=dryrun)
        except ClientError as err:
            if err.response['Error']['Code'] != 'DryRunOperation':
                raise"Deleted peering {peering_id} successfully.")
         f" and {remote_account_id} {remote_vpc_id} {remote_region}"
 # If the peering is pending acceptance move to tagging and acceptance
 # Only the remote account can accept the VPC peering.
 elif peering['Status']['Code'] == 'pending-acceptance' and peering[
         'RequesterVpcInfo']['VpcId'] == vpc_id:
     peerding_id = peering['VpcPeeringConnectionId']
         f"Pending peering between {account_id} {vpc_id} {region}"
         f" and {remote_account_id} {remote_vpc_id} {remote_region}. Will attempt recovery."
 # We're in some weird state and need to report to a human
         f"Peering between {account_id} {vpc_id} {region}"
         f" and {remote_account_id} {remote_vpc_id} {remote_region}"
         f" is in state {peering['Status']['Code']}.")
 # Tag the VPC Peering
 tags = {
     f'peerd peering to {remote_account_id} {remote_vpc_id} {remote_region}',
     'resource_owner': metadata['resource_owner'],
     'business_unit': metadata['business_unit'],
     'service_name': metadata['service_name'],
     'peerd_created': 'true',
     'peerd_support': metadata['support'],
     'peerd_datetime': str(,
     'peerd_role': 'requester',
     'peerd_environment': metadata['environment']