I’m a bit confused as to the question. Specifically, I’m not sure if you are asking how to read out the environment variables in terragrunt, or for recommendations on how to manage secrets in terragrunt?
For the former question, you can either:
- Use the get_env helper function (docs link has example usage).
- Terragrunt passes through terraform variables set with prefix TF_VAR like Terraform, so you can set the password directly as the module input without going through terragrunt. E.g., if the module expects the variable db_password, you can set the env var as
For the latter question, there are two recommended ways to handle secrets in general:
- Use env vars with one of the methods described above.
- Use a sops-encrypted file that is decoded by terragrunt using sops_decrypt_file.
Hope this helps!
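
The two approaches from the answer above, sketched as a single terragrunt.hcl. This is an added example, not part of the original reply; the module path, the DB_PASSWORD variable name, the secrets.enc.yaml file name and its db_password key are assumptions made for illustration.

```hcl
# terragrunt.hcl (added example; paths, file names and keys are assumptions)

terraform {
  # Hypothetical module that declares `variable "db_password"`.
  source = "../modules/database"
}

locals {
  # sops_decrypt_file returns the decrypted file contents as a string,
  # so the result is parsed with yamldecode to get at individual keys.
  # secrets.enc.yaml is an assumed sops-encrypted file stored next to
  # this terragrunt.hcl, containing a `db_password` key.
  secrets = yamldecode(
    sops_decrypt_file("${get_terragrunt_dir()}/secrets.enc.yaml")
  )
}

inputs = {
  # Method 1: read the secret from the environment.
  # get_env is called without a default on purpose: if DB_PASSWORD is
  # unset, terragrunt stops with an error instead of silently passing
  # an empty or placeholder password to the module.
  # db_password = get_env("DB_PASSWORD")

  # Method 2: take the secret from the sops-decrypted file.
  db_password = local.secrets["db_password"]
}
```

With either method the value still ends up in the Terraform state if a resource stores it, so the state backend needs the same access controls as the secret itself. Declaring the module variable with `sensitive = true` keeps the value out of plan and apply output.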