#terragrunt (2019-12)
Terragrunt discussions
Archive: https://archive.sweetops.com/terragrunt/
2019-12-31
FalseProphet:
Hello - I am hoping someone can help me understand how to configure backends and make them available across a multi-account setup using terragrunt.
My understanding of using the S3 state buckets is that a bucket is created in each account, e.g. staging = test-staging-tfstate, shared-services = test-shared-services-tfstate. Is this correct?
If there is a state bucket for each account, how do you handle authentication cross-account for data lookups?
Specifically, I need the ability to use a data lookup for remote state from (shared-services) while in the (stage) account. This is for grabbing data for a peering connection.
From the vpc-app wrapper in staging
data "terraform_remote_state" "mgmt_vpc" {
  backend = "s3"
  config = {
    # Region and bucket of the state store being read from
    region = var.terraform_state_aws_region
    bucket = var.terraform_state_s3_bucket
    # Path of the mgmt VPC state file inside that bucket
    key    = "${var.aws_region}/mgmt/vpc/terraform.tfstate"
  }
}
joshmyers:
The data lookup could use a specific provider, and said provider uses a specific role/profile etc.
joshmyers:
I’d be keen to understand why you want to share/access remote state from different accounts/environments?
joshmyers:
Aim for an environment to be completely isolated
joshmyers:
Ah, passing an explicit provider isn’t necessary https://www.terraform.io/docs/providers/terraform/d/remote_state.html
Accesses state meta data from a remote backend.
FalseProphet:
@joshmyers Thanks for taking the time to answer. I’m only interested in sharing state for data lookups. In this case, peering from the “dev” account and the share-services or “mgmt” account. The “dev” account needs information about the “shared-services” vpc for peering and the routes for the peering.
joshmyers:
Fair enough. Not a fan of sharing anything generally and have seen this idea of shared services VPC cause issues down the line
joshmyers:
but if you want/need to go that route, use the terraform_remote_state data source with a profile/role, similar to how you would do for the actual backend state
FalseProphet:
I realized the obvious answer last night several hours after posting my question.
- Create a bucket policy allowing s3:GetObject, s3:ListBucket
- Add the role needed to the Principal
joshmyers:
Indeed
FalseProphet:
I will investigate the link you provided as well. Multiple options are always good to have
joshmyers:
but again, use data lookups sparingly if possible, they have a tendency to tightly couple things together
FalseProphet:
It was so obvious, I overlooked it. LOL
FalseProphet:
Agreed. This happens to be the only cross-account/state data lookup I need.
Todd Lyons:
Is there any way (cli or configuration) to change the interval that “Still creating…” to something other than every 10 seconds? I’m not finding anything with TheGoogle nor via help pages or docs. I’ll dig through the code next, but I suspect that the answer will be “no” if I get to that point.
Todd Lyons:
Ugh, that’s a terraform output. I don’t know how I missed that. Sorry for bugging you.