#terragrunt (2019-11)

Hi, what do you think is it overkill to use config dependencies in terragrunt? It works ok, but my feeling is that it takes to much time to resolve/read all state files from different components. Honestly, i am not sure if I should switch back to data source or data remote state to retrieve outputs.

i prefer the terragrunt dependency approach. it de-couples the terraform modules. data sources are a good option also, if you’re careful. i really dislike reading from the remote state data source though

As you mentioned we werent careful enough with naming so we had situation to retrieve more than 1 vpc with data source for example

exactly

hello all, just getting into terragrunt (using TF12) and wanted to make sure I’m approaching this correctly… I’m basing my example on https://github.com/gruntwork-io/terragrunt-infrastructure-live-example and the corresponding modules repo

simple example I’m working through in my head right now is spinning up standalone EC2 instance, creating a role and instance profile, creating a S3 policy to attach. The collection of this I’m naming “service-a”. I have a module created for each of these and in live I have a “service-a” directory with the following under it ec2, instance-profile, s3-policy. All of the modules and connections are done in terragrunt.hcl rather than combining modules into meta modules

for example, if this was a common pattern, it would be nice to create a module that wraps up these three modules and create “service-b”, “service-c” etc.

hi guys

is there anyway I can do 2 parent terragrunt.hcl ?

Here is the case I want to test. as we have 2 terragrunt.hcl in parent folder net and serv. Serv folder can be run only after Net folder is completely run. I also want to use a dependencies case as : [ ../net] in folder serv.

no

terragrunt only support one-level of includes…

maybe you can achive what you want without terragrunt.hcl? I have something like that

anyone have an example of passing common tags through to modules? for example, set some tags at region level, then environment level, then service. Are you passing them as separate variables into module and merging in final resource? or is there some way to merge them so the module only has a single tags variable?

null-label in every module and variables in terragrunt.hcl

locals {
  namespace           = "namespace"
  name                = "app"
  environment         = "stage"
}

inputs = {
  namespace           = local.namespace
  name                = local.name
  environment         = local.environment
}

overwrite var from regional.tfvars and env.tfvars

  extra_arguments "common_vars" {
    commands = get_terraform_commands_that_need_vars()

    optional_var_files = [
      "${get_parent_terragrunt_dir()}/terraform.tfvars",
      "${get_parent_terragrunt_dir()}/common.tfvars",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("regional.tfvars")}",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("env.tfvars")}",
    ]
  }

example module

module "label" {
  source = "git::<https://github.com/cloudposse/terraform-null-label.git?ref=0.15.0>"

  namespace   = var.namespace
  environment = var.environment
  name        = var.name
  stage       = var.stage
  attributes  = var.attributes
  delimiter   = var.delimiter
  label_order = var.label_order
  tags        = var.tags
}

module "ecr" {
  source = "git::<https://github.com/cloudposse/terraform-aws-ecr.git?ref=0.7.0>"

  name                       = module.label.id
  enabled                    = var.enabled
  max_image_count            = var.max_image_count
  use_fullname               = var.use_fullname
  principals_readonly_access = var.principals_readonly_access
  principals_full_access     = var.principals_full_access
}

hmm, ok, so you are using a separate label module in each module? completely different than how I was trying to approach it (just passing a map of tags in)… interesting

exactly

ok, have another one.. I started playing with init-from-module hook to copy common provider block. I think I saw some discussion on this already in all the reading the past couple days, but the copied file is showing up in my live structure as well. I think the solution was to gitignore them for now?

yep, I have also hide this file in vscode

.gitignore

**/.terragrunt-cache
account_1/**/main_providers.tf
account_2/**/main_providers.tf
!account_1/common/main_providers.tf
!account_2/common/main_providers.tf

great, thanks!

anyone have any best practices when creating a web of security groups? I was looking to use something similar to https://github.com/terraform-aws-modules/terraform-aws-security-group but have the scenario of circular dependencies (i.e. group-a references group-b and group-b references group-a). In general I would break out the group creation from rules to create groups first but having a hard time fitting this into terragrunt.

I don’t think I have my head wrapped around “root” modules and then modules that sit on top of those root modules

there is a pull request to add create_group (https://github.com/terraform-aws-modules/terraform-aws-security-group/pull/80), but with that would I have two terragrunt.hcl files for each group I want to create?

@Sam I can’t speak for the creator of the module, you might want to ask @antonbabenko in #terraform-aws-modules but I’m not sure if your PR is going to make it for the following reason. Security Group implementation of AWS is done in a bad way API wise, it boils down to that if you use a security group with inline rules and aws_security_group_rules next to it, everything messes up and terraform doesn’t know where is what.

This particular security group module made sure that this mess-up does not happen as there are no inline rules defined.

The PR you propose makes it easy for users to mistakenly create a security group with a few inline rules and somewhere else use the module for the rest of the rules.. This will simply not work.

With regards to your question, what is keeping you from creating the security groups group-a and group-b and referencing both ID’s with a set of aws_security_group_rule in your own implementation ?

With regards to your question, what is keeping you from creating the security groups group-a and group-b and referencing both ID’s with a set of aws_security_group_rule ?

A less elegant solution, but more practical one is to create a security group C, with the open ports to SELF, and apply this security group C to both instances. Security-wise this might not always work out.

I was trying to have a single terragrunt file create the security group and create the rules as well (not inline rules but create them separately). I don’t think I can do this in a single call because the rules reference one another. The approach I think I’m going to take is 2 terragrun files per security group, the first to create the group (empty), and the second to add the rules

anyone have any luck using the terragrunt dependency block to get an element from a list? For example, I have a vpc module which has public and private subnet list outputs. I’m trying to pass the first subnet into another module. I’ve tried the following element(dependency.vpc.outputs.private_subnet_ids, 0) but it passes the entire list. Tried wrapping it in jsondecode as well

Hi guys

I was wondering, if there is a way I can do a migrate tfstate from this backend to other backend (AWS s3) with Terragrunt. So far, i undestand that terragrunt will download .terraform-cache contain the tfstate info from the old backend configuration we defined.

If you change backend, terragrunt / terraform will prompt you if you want to copy existing state to new backend

Hey ! I just open-sourced terraform and terragrunt version manager. Please feel free to try it here. https://github.com/aaratn/terraenv