Best way to pass credential in terragrunt

abhinav5656 · September 22, 2021, 12:25pm

Hi guys,

I’ve created a gitlab cicd pipeline for terragrunt. I am storing the credential in gitlab env.
I have given env variable in local block of herragrunt.hcl file like below

locals {
  #extract env variables
  db_password                = "${password}"
}

its treating ${password} as a actual password.

what is the best and secure way to pass credential in terragrunt using gitlab ci ?

yoriy · September 24, 2021, 9:52pm

Hi,

I’m a bit confused as to the question. Specifically, I’m not sure if you are asking how to read out the environment variables in terragrunt, or for recommendations on how to manage secrets in terragrunt?

For the former question, you can either:

Use the get_env helper function (docs link has example usage).
Terragrunt passes through terraform variables set with prefix TF_VAR like Terraform, so you can set the password directly as the module input without going through terragrunt. E.g., if the module expects the variable db_password, you can set the env var as TF_VAR_db_password.

For the latter question, there are two recommended ways to handle secrets in general:

Use env vars with one of the methods described above.
Use a sops encrypted file, that is decoded by terragrunt using sops_decrypt_file.

Hope this helps!

Topic		Replies	Views
Pass env_vars to Terraform via CLI Gruntwork Customers env_vars , extra_arguments	4	1142	November 16, 2021
Making modules DRYer Gruntwork Customers modules	2	815	January 19, 2021
Posibble to access CLI parameter values in the terragrunt.hcl? Gruntwork Customers terragrunt , terraform	7	1189	December 8, 2021
New To Terragrunt. Question about passing in aws_region as input and picked up by the root terragrunt.hcl Gruntwork Customers	1	1005	May 19, 2020
Provision multiple envs with the same config Gruntwork Customers	2	630	August 17, 2021

Best way to pass credential in terragrunt

Related topics