Iam_role does not work

mhumeSF · November 13, 2018, 5:22am

Playing around with multi-account structure. I aim to have each account to store state in an s3 bucket of their account. Then hoping that subsequent module declarations would inherit the iam_role delcared in the terraform.tfvars just under the root account folder (banana or kiwi). But iam_role seems to get ignored when using terragrunt apply-all. I can, however export the role with export TERRAGRUNT_IAM_ROLE=... and run terragrunt apply-all under each account, and the resources are created as expected.

├── accounts
│   ├── banana
│   │   ├── terraform.tfvars
│   │   └── us-east-1
│   │       └── ecs_cluster
│   │           └── terraform.tfvars
│   └── kiwi
│       ├── terraform.tfvars
│       └── us-east-1
│           └── ecs_cluster
│               └── terraform.tfvars
└── modules
    └── ecs_cluster
        ├── README.md
        ├── main.tf
        ├── outputs.tf
        └── vars.tf

Sample terraform.tfvars under banana:

terragrunt = {
  remote_state {
    backend = "s3"
    config {
      bucket = "banana-state"
      key    = "${path_relative_to_include()}/terraform.tfstate"
      region = "us-east-1"
      role_arn = "arn:aws:iam::0123456789:role/provisioner"
    }
  }
  iam_role = "arn:aws:iam::0123456789:role/provisioner"
}

toni · November 16, 2018, 2:03pm

Hi @mhumeSF

You can include tfvars files in parent directories using interpolation syntax with the terragrunt block. Take a look at the find_in_parent_folders function here: https://github.com/gruntwork-io/terragrunt#find_in_parent_folders

Cheers
Toni

mhumeSF · November 16, 2018, 6:48pm

Hey @toni,

So I am currently already doing this. banana/us-east-1/ecs_cluster/terraform.tfvars references banana/terraform.tfvars for s3 config. What I am hoping to see is terraform.tfvars under the banana folder where iam_role is defined, to be picked up when I run terragrunt apply-all. This currently isn’t the case and cannot find a way to execute terragrunt under an assumed role without using an environment variable or flag of TERRAGRUNT_IAM_ROLE=.... iam_role in terraform.tfvars does not work as expected.

tl;dr
iam_role does not work in any capacity

Topic		Replies	Views
Can I set IAM roles for all accounts in one place in the terragrunt.hcl file? Gruntwork Customers terragrunt , provider , backend , iam_role	2	1518	October 22, 2020
Terraform State file in separate AWS Account \| Terragrunt Approach or Best Terraform Approach! Gruntwork Customers terragrunt , terraform-state , aws , terraform , separate-account	1	1458	March 24, 2020
Minimum permissions needed for S3 backed? Gruntwork Customers terragrunt	4	8853	June 30, 2018
Terragrunt IAM Module Versioning Strategies Across Environments Gruntwork Customers terragrunt , aws , modules	1	771	December 20, 2021
Best practice (or advice?) about reorganizing Terragrunt directory structure Gruntwork Customers	2	2270	April 5, 2019

Iam_role does not work

Related topics