Iam_role does not work

terragrunt

#1

Playing around with a multi-account structure. I aim to have each account store state in an S3 bucket of their account. Then hoping that subsequent module declarations would inherit the iam_role declared in the terraform.tfvars just under the root account folder (banana or kiwi). But iam_role seems to get ignored when using terragrunt apply-all. I can, however, export the role with export TERRAGRUNT_IAM_ROLE=... and run terragrunt apply-all under each account, and the resources are created as expected.

├── accounts
│   ├── banana
│   │   ├── terraform.tfvars
│   │   └── us-east-1
│   │       └── ecs_cluster
│   │           └── terraform.tfvars
│   └── kiwi
│       ├── terraform.tfvars
│       └── us-east-1
│           └── ecs_cluster
│               └── terraform.tfvars
└── modules
    └── ecs_cluster
        ├── README.md
        ├── main.tf
        ├── outputs.tf
        └── vars.tf

Sample terraform.tfvars under banana:

terragrunt = {
  remote_state {
    backend = "s3"
    config {
      bucket = "banana-state"
      key    = "${path_relative_to_include()}/terraform.tfstate"
      region = "us-east-1"
      role_arn = "arn:aws:iam::0123456789:role/provisioner"
    }
  }
  iam_role = "arn:aws:iam::0123456789:role/provisioner"
}

#2

Hi @mhumeSF

You can include tfvars files in parent directories using interpolation syntax with the terragrunt block. Take a look at the find_in_parent_folders function here: https://github.com/gruntwork-io/terragrunt#find_in_parent_folders

Cheers
Toni


#3

Hey @toni,

So I am currently already doing this. banana/us-east-1/ecs_cluster/terraform.tfvars references banana/terraform.tfvars for s3 config. What I am hoping to see is terraform.tfvars under the banana folder, where iam_role is defined, to be picked up when I run terragrunt apply-all. This currently isn’t the case and I cannot find a way to execute terragrunt under an assumed role without using an environment variable or flag of TERRAGRUNT_IAM_ROLE=.... iam_role in terraform.tfvars does not work as expected.

tl;dr
iam_role does not work in any capacity
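
The workaround described in the thread (export TERRAGRUNT_IAM_ROLE and run terragrunt apply-all under each account folder) can be scripted so the role is read from each account's own terraform.tfvars. This is an added example, not code from any post or from terragrunt; the function names are hypothetical, and it assumes each account-level file has a single `iam_role = "..."` line as in the sample in post #1.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not terragrunt's.

# Print the iam_role ARN declared in a terraform.tfvars file.
# Fails if the file has no iam_role line or the value is not an IAM role ARN.
# The anchored pattern skips the backend's role_arn line.
account_iam_role() {
    role=$(sed -n 's/^[[:space:]]*iam_role[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    case "$role" in
        arn:aws*:iam::*:role/*) printf '%s\n' "$role" ;;
        *) return 1 ;;
    esac
}

# Run `terragrunt apply-all` in one account folder under that account's role.
# The subshell keeps the exported role and the cd from leaking into the
# next account, so one account's state is never written with another's role.
apply_account() {
    acct_dir=$1
    acct_role=$(account_iam_role "$acct_dir/terraform.tfvars") || {
        echo "skip $acct_dir: no valid iam_role in terraform.tfvars" >&2
        return 1
    }
    (
        cd "$acct_dir" || exit 1
        TERRAGRUNT_IAM_ROLE=$acct_role
        export TERRAGRUNT_IAM_ROLE
        terragrunt apply-all
    )
}

# Apply each account folder in turn; non-zero if any was skipped or failed.
apply_accounts() {
    failed=0
    for acct in "$@"; do
        apply_account "$acct" || failed=1
    done
    return "$failed"
}

# e.g. sh this-script.sh accounts/banana accounts/kiwi
if [ "$#" -gt 0 ]; then
    apply_accounts "$@"
fi
```

An account folder without a valid iam_role is skipped rather than applied with whatever credentials the shell already holds.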