Terragrunt: Provider placement with 'essential complexity' in mind

Created on 23 Feb 2017 · 3Comments · Source: gruntwork-io/terragrunt

so this is more of a question than an issue, at least at this point.

we use terraform to manage up to hundreds of account...

my AWS provider statement looks something like this...

provider "aws" {
  region     = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::0123456789:role/ABCTerraform"
    session_name = "ABCTerraform"
  }
}

I'm running on an EC2 instance that has the ability to assume these roles in a number of sub-accounts.

I'm using terragrunt for the remote lock and state management. Developer teams can read from the remote_state data source (bucket) and build on top of the base infra that I lay down. vpc-id, internal-subnets, external-subnets, roles, policies, buckets, etc.

There's a set of modules like the docs describe which are in a separate infra-moudles repo.

Then there's another repo that has all of the account configuration terraform and I'm trying to widdle that down to the bare essentials, things that differentiate those accounts.

I'm using 'find_in_parent_folders' and 'path_relative_to_include' and love it. makes life really simple.

I want to take it further and use what the documentation calls the notion of 'essential complexity' and have just a single file, terraform.tfvars in each account subdirectory in the repo.

here's the folder structure...

├── lab_accounts
│   ├── awslabs76
│   │   ├── setenv.sh
│   │   ├── terraform.tfvars -> ../../terraform.tfvars
│   │   └── us-east-1
│   │       └── vpc
│   │           └── terraform.tfvars
│   ├── awslabs77
│   │   ├── setenv.sh
│   │   ├── terraform.tfvars -> ../../terraform.tfvars
│   │   └── us-east-1
│   │       └── vpc
│   │           └── terraform.tfvars
├── README.md
└── terraform.tfvars

this is basically what the terraform.tfvars file looks like now...

terragrunt = {
  include {
    path = "${find_in_parent_folders()}"
  }
  terraform {
    source = "git::ssh://[email protected]/Team/terraform-modules//vpc"
  }
}

environment        = "np"
region             = "us-east-1"
cidr               = "10.230.72.0/23"
internal_subnets   = ["10.230.72.64/26" ,"10.230.72.192/26", "10.230.73.64/26"]
external_subnets   = ["10.230.72.0/26" ,"10.230.72.128/26", "10.230.73.0/26"]
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1d"]

Here's my question, and I apologize if it should be apparent. Where is the appropriate place to put the provider block/statement? I've been banging my head and have moved it into the module (not ideal I believe) and can't seem to make it work in the terraform.tfvars file. Clearly I'm overlooking something, probably simple so I apologize.

I've had a couple of moments of panic where I think I'm affecting an account when I've actually not assumed the role (it fails quietly) and instead have been affecting resources within the account i'm operating in.

Appreciate any feedback.

question

Source

mmorianos

All 3 comments

Here's my question, and I apologize if it should be apparent. Where is the appropriate place to put the provider block/statement? I've been banging my head and have moved it into the module (not ideal I believe) and can't seem to make it work in the terraform.tfvars file.

The providers should go in your .tf files, which, as far as I understand, are in your infra-modules repo. The .tfvars files are solely for setting variables, not for defining resources, providers, or anything else.

That said, while Terraform has explicit support built-in for the assume_role configuration, Terragrunt does not. Terragrunt, as of now, only supports the standard auth options of all AWS SDK apps: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars, ~/.aws/credentials, the instance profile if you're on an EC2 instance, etc.

brikis98 on 23 Feb 2017

Oh, one other thing about providers: you can parameterize them with variables too.

provider "aws" {
  region = "${var.aws_region}"
  assume_role {
    role_arn = "${var.role_arn}"
    session_name = "${var.session_name}"
  }
}

That way, you can set aws_region, role_arn, and session_name to a different value in each .tfvars file.

brikis98 on 23 Feb 2017

👍1

I'm clear now and your feedback, and some sleep, helped a great deal. Thank you.

mmorianos on 23 Feb 2017

👍1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Treat variables defined in leaf terraform.tfvars as the highest precedent variables

skang0601 · 4Comments

Terragrunt moves stuff around in backend.tf between command runs

dingobar · 3Comments

execute script as a git repo

dzirg44 · 3Comments

terragrunt conflicts with tfenv

MacFlurry · 4Comments

How to pass local path to SOURCE of main.tf! BIG-TEAM workflow

goseeped · 3Comments