Terragrunt: [question] How to limit the deployment to nominated account id

We utilize the allowed_account_ids within the AWS provider and simply pass in the account via variable to the Terraform config.

Thanks, @jakauppila

Do you mean this

provider "aws" {
  allowed_account_ids = var.aws_allowed_accounts_ids
  region              = var.aws_region
}

when I feed in terragrunt.hcl, just set

inputs = {
  aws_allowed_accounts_ids = ["123456789012"]
  ...
}

This is real cool. :+1: .

@jakauppila

The suggestion looks great. But when I work on real codes. it doesn't work as expect.

Whatever I set the variable aws_allowed_accounts_ids with wrong IDs or set to `empty, the apply command deploy the changes successfully.

Can you share me the codes in this part for reference?

You can rely on directory structure to feed the account ID variable automatically by setting the aws_allowed_account_ids variable in a root terragrunt.hcl file that is included by child directories. E.g have aws_allowed_account_ids show up in the root terragrunt.hcl file for the account.

This has the benefits of defaulting to the right account and adding extra steps to override it (you have to edit another file that you don't normally touch on a day to day basis to deploy to a different account).

I played with running terragrunt using a rake task with a validator in: https://github.com/dinocorp/webs-infra/blob/master/lib/tasks/terragrunt.rake#L91

See the output here: https://github.com/dinocorp/webs-infra/blob/master/ACTUAL_README.md#devex

This was an example repo to stimulate debate a few months back. A step in the right direction from where the team were at the time.