#terragrunt (2019-12)


Terragrunt discussions Archive: https://archive.sweetops.com/terragrunt/

2019-12-31

FalseProphet

Hello - I am hoping someone can help me understand how to configure backends and make them available across a multi-account setup using terragrunt.

My understanding of using the S3 state buckets is that a bucket is created in each account, e.g. staging = test-staging-tfstate, shared-services = test-shared-services-tfstate. Is this correct?

If there is a state bucket for each account, how do you handle authentication cross-account for data lookups?

Specifically, I need the ability to use a data lookup for remote state from (shared-services) while in the (stage) account. This is for grabbing data for a peering connection.

From the vpc-app wrapper in staging:

data "terraform_remote_state" "mgmt_vpc" {
  backend = "s3"
  config = {
    region = var.terraform_state_aws_region
    bucket = var.terraform_state_s3_bucket
    key    = "${var.aws_region}/mgmt/vpc/terraform.tfstate"
  }
}

joshmyers

The data lookup could use a specific provider, and said provider uses a specific role/profile etc.

joshmyers

I’d be keen to understand why you want to share/access remote state from different accounts/environments?

joshmyers

Aim for an environment to be completely isolated

joshmyers

Ah, passing an explicit provider isn’t necessary: https://www.terraform.io/docs/providers/terraform/d/remote_state.html

FalseProphet

@joshmyers Thanks for taking the time to answer. I’m only interested in sharing state for data lookups. In this case, peering from the “dev” account and the share-services or “mgmt” account. The “dev” account needs information about the “shared-services” vpc for peering and the routes for the peering.

joshmyers

Fair enough. Not a fan of sharing anything generally, and I have seen this idea of a shared services VPC cause issues down the line.

joshmyers

But if you want/need to go that route, use the terraform_remote_state data source with a profile/role, similar to how you would do it for the actual backend state.

FalseProphet

I realized the obvious answer last night several hours after posting my question.

  1. Create a bucket policy allowing s3:GetObject, s3:ListBucket
  2. Add the role needed to the Principal

joshmyers

Indeed

FalseProphet

I will investigate the link you provided as well. Multiple options are always good to have.

joshmyers

But again, use data lookups sparingly if possible; they have a tendency to tightly couple things together.

FalseProphet

It was so obvious, I overlooked it. LOL

FalseProphet

Agreed. This happens to be the only cross-account/state data lookup I need.

Todd Lyons

Is there any way (cli or configuration) to change the interval that “Still creating…” to something other than every 10 seconds? I’m not finding anything with TheGoogle nor via help pages or docs. I’ll dig through the code next, but I suspect that the answer will be “no” if I get to that point.

Todd Lyons

Ugh, that’s a terraform output. I don’t know how I missed that. Sorry for bugging you.