#terragrunt

Terragrunt discussions Archive: https://archive.sweetops.com/terragrunt/

2019-11-14

Sam Holton

anyone have any luck using the terragrunt dependency block to get an element from a list? For example, I have a vpc module which has public and private subnet list outputs. I’m trying to pass the first subnet into another module. I’ve tried the following element(dependency.vpc.outputs.private_subnet_ids, 0) but it passes the entire list. Tried wrapping it in jsondecode as well

Sam Holton

never mind, seems I had an issue with the upstream outputs being a list within a list, so the element in inputs is working as intended

2019-11-11

Sam Holton

I was trying to have a single terragrunt file create the security group and create the rules as well (not inline rules but create them separately). I don’t think I can do this in a single call because the rules reference one another. The approach I think I’m going to take is 2 terragrunt files per security group, the first to create the group (empty), and the second to add the rules

Are the open ports the same from A to B and from B to A ?

Sam Holton

no

2019-11-09

@Sam I can’t speak for the creator of the module, you might want to ask @antonbabenko in #terraform-aws-modules but I’m not sure if your PR is going to make it for the following reason. Security Group implementation of AWS is done in a bad way API wise, it boils down to that if you use a security group with inline rules and aws_security_group_rules next to it, everything messes up and terraform doesn’t know where is what.

This particular security group module made sure that this mess-up does not happen as there are no inline rules defined.

The PR you propose makes it easy for users to mistakenly create a security group with a few inline rules and somewhere else use the module for the rest of the rules.. This will simply not work.

With regards to your question, what is keeping you from creating the security groups group-a and group-b and referencing both ID’s with a set of aws_security_group_rule in your own implementation ?

A less elegant solution, but more practical one is to create a security group C, with the open ports to SELF, and apply this security group C to both instances. Security-wise this might not always work out.

2019-11-08

Sam Holton

anyone have any best practices when creating a web of security groups? I was looking to use something similar to https://github.com/terraform-aws-modules/terraform-aws-security-group but have the scenario of circular dependencies (i.e. group-a references group-b and group-b references group-a). In general I would break out the group creation from rules to create groups first but having a hard time fitting this into terragrunt.

I don’t think I have my head wrapped around “root” modules and then modules that sit on top of those root modules

Sam Holton

there is a pull request to add create_group (https://github.com/terraform-aws-modules/terraform-aws-security-group/pull/80), but with that would I have two terragrunt.hcl files for each group I want to create?

2019-11-07

hi guys

is there any way I can do 2 parent terragrunt.hcl ?

Here is the case I want to test. as we have 2 terragrunt.hcl in parent folder net and serv. Serv folder can be run only after Net folder is completely run. I also want to use a dependencies case as : [ ../net] in folder serv.

loren

no

loren

terragrunt only supports one-level of includes…

it can however force terragrunt/terraform to use multiple tfvars within a certain hierarchy

loren

true! there is a tracking issue for this… and a workaround of using yaml/json and yamldecode/jsondecode… https://github.com/gruntwork-io/terragrunt/issues/303

Only one level of includes is allowed · Issue #303 · gruntwork-io/terragrunt

Well, so is there any command that I can run terragrunt apply-all on the first folder, and then do again for the second one. What I want is to achieve multi-stage build. as we plan to use in CI/CD

Adrian

maybe you can achieve what you want without terragrunt.hcl? I have something like that

Sam Holton

anyone have an example of passing common tags through to modules? for example, set some tags at region level, then environment level, then service. Are you passing them as separate variables into module and merging in final resource? or is there some way to merge them so the module only has a single tags variable?

Adrian

null-label in every module and variables in terragrunt.hcl

locals {
  namespace           = "namespace"
  name                = "app"
  environment         = "stage"
}

inputs = {
  namespace           = local.namespace
  name                = local.name
  environment         = local.environment
}

overwrite var from regional.tfvars and env.tfvars

terraform {
  # extra_arguments belongs inside the terraform block of terragrunt.hcl
  extra_arguments "common_vars" {
    commands = get_terraform_commands_that_need_vars()

    # later files override earlier ones; missing files are skipped
    optional_var_files = [
      "${get_parent_terragrunt_dir()}/terraform.tfvars",
      "${get_parent_terragrunt_dir()}/common.tfvars",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("regional.tfvars")}",
      "${get_parent_terragrunt_dir()}/${path_relative_to_include()}/${find_in_parent_folders("env.tfvars")}",
    ]
  }
}

Adrian

example module

module "label" {
  source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=0.15.0"

  namespace   = var.namespace
  environment = var.environment
  name        = var.name
  stage       = var.stage
  attributes  = var.attributes
  delimiter   = var.delimiter
  label_order = var.label_order
  tags        = var.tags
}

module "ecr" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=0.7.0"

  name                       = module.label.id
  enabled                    = var.enabled
  max_image_count            = var.max_image_count
  use_fullname               = var.use_fullname
  principals_readonly_access = var.principals_readonly_access
  principals_full_access     = var.principals_full_access
}

Sam Holton

hmm, ok, so you are using a separate label module in each module? completely different than how I was trying to approach it (just passing a map of tags in)… interesting

Adrian

exactly

Sam Holton

ok, have another one.. I started playing with init-from-module hook to copy common provider block. I think I saw some discussion on this already in all the reading the past couple days, but the copied file is showing up in my live structure as well. I think the solution was to gitignore them for now?

Adrian

yep, I have also hidden this file in vscode

Adrian

.gitignore

**/.terragrunt-cache
account_1/**/main_providers.tf
account_2/**/main_providers.tf
!account_1/common/main_providers.tf
!account_2/common/main_providers.tf

Sam Holton

great, thanks!

2019-11-06

Sam Holton

hello all, just getting into terragrunt (using TF12) and wanted to make sure I’m approaching this correctly… I’m basing my example on https://github.com/gruntwork-io/terragrunt-infrastructure-live-example and the corresponding modules repo

simple example I’m working through in my head right now is spinning up standalone EC2 instance, creating a role and instance profile, creating a S3 policy to attach. The collection of this I’m naming “service-a”. I have a module created for each of these and in live I have a “service-a” directory with the following under it ec2, instance-profile, s3-policy. All of the modules and connections are done in terragrunt.hcl rather than combining modules into meta modules

Sam Holton

for example, if this was a common pattern, it would be nice to create a module that wraps up these three modules and create “service-b”, “service-c” etc.

2019-11-01

Milos Backonja

Hi, what do you think is it overkill to use config dependencies in terragrunt? It works ok, but my feeling is that it takes too much time to resolve/read all state files from different components. Honestly, i am not sure if I should switch back to data source or data remote state to retrieve outputs.

loren

i prefer the terragrunt dependency approach. it de-couples the terraform modules. data sources are a good option also, if you’re careful. i really dislike reading from the remote state data source though

Milos Backonja

As you mentioned we weren't careful enough with naming so we had situation to retrieve more than 1 vpc with data source for example

loren

exactly
