#terragrunt (2019-11)

terragrunt

Terragrunt discussions

Archive: https://archive.sweetops.com/terragrunt/

2019-11-01

Milos Backonja

Hi, what do you think, is it overkill to use config dependencies in terragrunt? It works ok, but my feeling is that it takes too much time to resolve/read all state files from different components. Honestly, I am not sure if I should switch back to data source or data remote state to retrieve outputs.

loren

i prefer the terragrunt dependency approach. it de-couples the terraform modules. data sources are a good option also, if you’re careful. i really dislike reading from the remote state data source though

Milos Backonja

As you mentioned, we weren't careful enough with naming, so we had a situation where we retrieved more than 1 vpc with a data source, for example

loren

exactly

2019-11-06

Sam Holton

hello all, just getting into terragrunt (using TF12) and wanted to make sure I’m approaching this correctly… I’m basing my example on https://github.com/gruntwork-io/terragrunt-infrastructure-live-example and the corresponding modules repo

simple example I’m working through in my head right now is spinning up standalone EC2 instance, creating a role and instance profile, creating a S3 policy to attach. The collection of this I’m naming “service-a”. I have a module created for each of these and in live I have a “service-a” directory with the following under it ec2, instance-profile, s3-policy. All of the modules and connections are done in terragrunt.hcl rather than combining modules into meta modules

Sam Holton

for example, if this was a common pattern, it would be nice to create a module that wraps up these three modules and create “service-b”, “service-c” etc.

2019-11-07

Phuc

hi guys

Phuc

is there any way I can do 2 parent terragrunt.hcl ?

Phuc

Here is the case I want to test. as we have 2 terragrunt.hcl in parent folder net and serv. Serv folder can be run only after Net folder is completely run. I also want to use a dependencies case as : [ ../net] in folder serv.

loren

no

loren

terragrunt only supports one level of includes…

maarten

it can however force terragrunt/terraform to use multiple tfvars within a certain hierarchy

loren

true! there is a tracking issue for this… and a workaround of using yaml/json and yamldecode/jsondecode… https://github.com/gruntwork-io/terragrunt/issues/303

Only one level of includes is allowed · Issue #303 · gruntwork-io/terragrunt

I'm trying to enable a multi-include scenario where I can cascade includes at different points in my configurations. Given the below layout: └── root ├── regions │ ├── us-east-1 │ │ ├── regiona…

Phuc

Well, so is there any command that I can run terragrunt apply-all on the first folder, and then do again for the second one. What I want is to achieve multi-stage build. as we plan to use in CI/CD

Adrian

maybe you can achieve what you want without terragrunt.hcl? I have something like that

Sam Holton

anyone have an example of passing common tags through to modules? for example, set some tags at region level, then environment level, then service. Are you passing them as separate variables into module and merging in final resource? or is there some way to merge them so the module only has a single tags variable?

Adrian

null-label in every module and variables in terragrunt.hcl

locals {
  namespace           = "namespace"
  name                = "app"
  environment         = "stage"
}

inputs = {
  namespace           = local.namespace
  name                = local.name
  environment         = local.environment
}

overwrite var from regional.tfvars and env.tfvars

terraform {
  extra_arguments "common_vars" {
    # Pass the var files below to every Terraform command that accepts -var-file
    commands = get_terraform_commands_that_need_vars()

    # Files that do not exist are skipped; later files override earlier ones
    optional_var_files = [
      "${get_parent_terragrunt_dir()}/terraform.tfvars",
      "${get_parent_terragrunt_dir()}/common.tfvars",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("regional.tfvars")}",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("env.tfvars")}",
    ]
  }
}

Adrian

example module

module "label" {
  source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=0.15.0"

  namespace   = var.namespace
  environment = var.environment
  name        = var.name
  stage       = var.stage
  attributes  = var.attributes
  delimiter   = var.delimiter
  label_order = var.label_order
  tags        = var.tags
}

module "ecr" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=0.7.0"

  name                       = module.label.id
  enabled                    = var.enabled
  max_image_count            = var.max_image_count
  use_fullname               = var.use_fullname
  principals_readonly_access = var.principals_readonly_access
  principals_full_access     = var.principals_full_access
}

Sam Holton

hmm, ok, so you are using a separate label module in each module? completely different than how I was trying to approach it (just passing a map of tags in)… interesting

Adrian

exactly

Sam Holton

ok, have another one.. I started playing with init-from-module hook to copy common provider block. I think I saw some discussion on this already in all the reading the past couple days, but the copied file is showing up in my live structure as well. I think the solution was to gitignore them for now?

Adrian

yep, I have also hidden this file in vscode

Adrian

.gitignore

**/.terragrunt-cache
account_1/**/main_providers.tf
account_2/**/main_providers.tf
!account_1/common/main_providers.tf
!account_2/common/main_providers.tf

Sam Holton

great, thanks!

2019-11-08

Sam Holton

anyone have any best practices when creating a web of security groups? I was looking to use something similar to https://github.com/terraform-aws-modules/terraform-aws-security-group but have the scenario of circular dependencies (i.e. group-a references group-b and group-b references group-a). In general I would break out the group creation from rules to create groups first but having a hard time fitting this into terragrunt.

I don’t think I have my head wrapped around “root” modules and then modules that sit on top of those root modules

Sam Holton

there is a pull request to add create_group (https://github.com/terraform-aws-modules/terraform-aws-security-group/pull/80), but with that would I have two terragrunt.hcl files for each group I want to create?

2019-11-09

maarten

@Sam I can’t speak for the creator of the module, you might want to ask @antonbabenko in #terraform-aws-modules but I’m not sure if your PR is going to make it for the following reason. Security Group implementation of AWS is done in a bad way API wise, it boils down to that if you use a security group with inline rules and aws_security_group_rules next to it, everything messes up and terraform doesn’t know where is what.

This particular security group module made sure that this mess-up does not happen as there are no inline rules defined.

The PR you propose makes it easy for users to mistakenly create a security group with a few inline rules and somewhere else use the module for the rest of the rules.. This will simply not work.

With regards to your question, what is keeping you from creating the security groups group-a and group-b and referencing both IDs with a set of aws_security_group_rule in your own implementation?

maarten

A less elegant solution, but more practical one is to create a security group C, with the open ports to SELF, and apply this security group C to both instances. Security-wise this might not always work out.

2019-11-11

Sam Holton

I was trying to have a single terragrunt file create the security group and create the rules as well (not inline rules but create them separately). I don’t think I can do this in a single call because the rules reference one another. The approach I think I’m going to take is 2 terragrunt files per security group, the first to create the group (empty), and the second to add the rules

maarten

Are the open ports the same from A to B and from B to A ?

Sam Holton

no

2019-11-14

Sam Holton

anyone have any luck using the terragrunt dependency block to get an element from a list? For example, I have a vpc module which has public and private subnet list outputs. I’m trying to pass the first subnet into another module. I’ve tried the following element(dependency.vpc.outputs.private_subnet_ids, 0) but it passes the entire list. Tried wrapping it in jsondecode as well

Sam Holton

nevermind, seems I had an issue with the upstream outputs being a list within a list, so the element in inputs is working as intended

2019-11-19

Phuc

Hi guys

Phuc

I was wondering if there is a way I can migrate tfstate from this backend to another backend (AWS S3) with Terragrunt. So far, I understand that terragrunt will download .terraform-cache containing the tfstate info from the old backend configuration we defined.

2019-11-20

aaratn

If you change backend, terragrunt / terraform will prompt you if you want to copy existing state to new backend

aaratn

Hey ! I just open-sourced terraform and terragrunt version manager. Please feel free to try it here. https://github.com/aaratn/terraenv

aaratn/terraenv

Terraform & Terragrunt Version Manager. Contribute to aaratn/terraenv development by creating an account on GitHub.
