Terragrunt: Question: how to add resources in specific environments
I have a question regarding the best-practice when separating resources in environments.
Using the example code in https://github.com/gruntwork-io/terragrunt-infrastructure-modules-example and https://github.com/gruntwork-io/terragrunt-infrastructure-live-example.
Example: I would like to add an IAM role to the stage environment but not in production, how would I handle this?
Thank you!
arthurk
All 8 comments
So based on how-is-the-code-in-this-repo-organized
How I do it is:
- Create a generic module for IAM Role on the modules repo.
- Add the resource in the corresponding path I want to use it:
account
â”” _global
â”” region
â”” _global
â”” stage
â”” resource -> IAM Role
â”” production
â”” resource
Make sure the IAM role have access to only other staging resources based on the policy you will create.
I hope that makes sense arthurk.
vas1468
on 12 Feb 2019
If stage and production should have different IAM Roles, I cannot include the same module. Should I write two modules (iam-staging, iam-prod)?
arthurk
on 12 Feb 2019
I think that's the easiest way to go initially yes.
Another way is with an if statement if you have all roles in a single module:
# Stage role
resource "aws_iam_role" "stage" {
count = "${var.create_stage_role ? 1 : 0}"
.
.
.
}
Investigate this here
Regarding best practice I am not sure, someone else might be able to give advise. I would love to hear @brikis98 suggestion.
vas1468
on 12 Feb 2019
Please read https://github.com/gruntwork-io/terragrunt#keep-your-terraform-code-dry.
The idea is that you define the Terraform code for your infrastructure just once, in a single repo, called, for example, modules [...]
This repo contains typical Terraform code, with one difference: anything in your code that should be different between environments should be exposed as an input variable.
So create your IAM role module and anything in that module that should behave differently in different environments should be exposed as an input variable. You can then have a stage/iam-roles/terraform.tfvars that sets the appropriate values for stage and a prod/iam-roles/terraform.tfvars that sets the appropriate values for prod.
brikis98
on 12 Feb 2019
I think I explained a little unclear. My problem is this: I make a generic IAM module that has the following code in it:
resource "google_project_iam_member" "project" {
project = "${var.projectid}"
role = "${var.role}"
member = "user:${var.email}"
}
but now in stage environment i would like 3 google_project_iam_member resources but in production environment I want only 1 google_project_iam_member resource. My question is how I can create a module that makes either 1 or 3 resources depending on the environment. I guess I'd have to make changes in the -live repo, but I'm not sure what to change.
arthurk
on 12 Feb 2019
Take in the list of member names as an input variable and use count to loop over each name and create multiple google_project_iam_member resources. https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9
brikis98
on 12 Feb 2019
@brikis98 thank you very much for the answer. I really appreciate you answering questions in github issues, not everyone does that.
arthurk
on 13 Feb 2019
No prob!
brikis98
on 13 Feb 2019
Related issues
MacFlurry
·
4Comments
zachwhaley
·
3Comments
mpkerr
·
3Comments
Tensho
·
3Comments
dmlemos
·
3Comments
Most helpful comment
Please read https://github.com/gruntwork-io/terragrunt#keep-your-terraform-code-dry.
So create your IAM role module and anything in that module that should behave differently in different environments should be exposed as an input variable. You can then have a
stage/iam-roles/terraform.tfvarsthat sets the appropriate values for stage and aprod/iam-roles/terraform.tfvarsthat sets the appropriate values for prod.