Best way to pass credential in terragrunt

Hi guys,

I’ve created a GitLab CI/CD pipeline for Terragrunt. I am storing the credential in the GitLab env.
I have given the env variable in the local block of the terragrunt.hcl file like below:

locals {
  # extract env variables
  db_password = "${password}"
}

It's treating ${password} as an actual password.

What is the best and secure way to pass credentials in Terragrunt using GitLab CI?

Hi,

I’m a bit confused as to the question. Specifically, I’m not sure if you are asking how to read out the environment variables in terragrunt, or for recommendations on how to manage secrets in terragrunt?

For the former question, you can either:

  • Use the get_env helper function (docs link has example usage).
  • Terragrunt passes through terraform variables set with prefix TF_VAR like Terraform, so you can set the password directly as the module input without going through terragrunt. E.g., if the module expects the variable db_password, you can set the env var as TF_VAR_db_password.

For the latter question, there are two recommended ways to handle secrets in general:

  • Use env vars with one of the methods described above.
  • Use a sops encrypted file, that is decoded by terragrunt using sops_decrypt_file.

Hope this helps!
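
The three options from the answer above, shown in one terragrunt.hcl. This is an added example, not part of the original posts; the module path, the CI/CD variable name DB_PASSWORD and the file name secrets.enc.yaml are assumptions.

```hcl
# terragrunt.hcl (added example; paths and names below are assumptions)

terraform {
  # Hypothetical module that declares: variable "db_password" { sensitive = true }
  source = "../modules/database"
}

locals {
  # Option 1: read the GitLab CI/CD variable from the job environment.
  # Called without a default, get_env stops the run when DB_PASSWORD is
  # unset, so a placeholder string never reaches the module as the password.
  db_password = get_env("DB_PASSWORD")

  # Option 2: keep the secret in a sops-encrypted file in the repository and
  # decrypt it at run time. The CI job then needs access to the sops key
  # (KMS, age or PGP) instead of the password itself.
  # secrets     = yamldecode(sops_decrypt_file("${get_terragrunt_dir()}/secrets.enc.yaml"))
  # db_password = local.secrets.db_password
}

inputs = {
  # Terragrunt hands this to Terraform as the module variable db_password.
  db_password = local.db_password
}

# Option 3: drop the locals and inputs entries above and name the CI/CD
# variable TF_VAR_db_password. Terraform reads it directly and the value
# never appears in terragrunt.hcl.
```

With any of the three, define the GitLab CI/CD variable as masked and protected so it is hidden in job logs and only exposed to protected branches. The password still ends up in the Terraform state, so the state backend needs its own access control and encryption.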