Terraform State file in separate AWS Account | Terragrunt Approach or Best Terraform Approach!


We are planning to keep our Terraform state files in a separate AWS account, different from the target account where resources are created. Can we achieve this in Terragrunt?

The idea is to create a role in the target account that Terragrunt can assume to create resources, using --terragrunt-iam-role.
We can see an option in the AWS provider to assume a role so that resources are created using that role. Can we use that option with Terragrunt, or is there a better option to achieve this?

provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::INFRA-ACCT:role/ROLE_NAME"
  }
}

Our account architecture is as below; we would appreciate it if you can suggest a better approach to save and access Terraform state files in a separate account.

  • We have three accounts
    1. Security Account (where all user management is done)
    2. Terraform Admin Account (where only S3 and DynamoDB will be, and where the state file is saved)
    3. Infrastructure Account (where the actual infrastructure is created)

Currently we are doing an Assume Role from the Security Account to the Terraform Admin Account.

@yoriy @jim Can you please help here?


Use role_arn https://www.terraform.io/docs/backends/types/s3.html#role_arn in the s3 backend block:

terraform {
  backend "s3" {
    bucket   = "mybucket"
    key      = "path/to/my/key"
    region   = "us-east-1"
    role_arn = "arn:aws:iam::ADMIN-ACCT:role/ROLE_NAME"
  }
}

You can also move the role_arn values in the provider block or backend block into the Terragrunt configuration file, but for now this can be run with Terragrunt as is.
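The following root terragrunt.hcl is an added example, not code from the original answer or from the Terragrunt project, showing both role_arn values moved into Terragrunt configuration for the three-account layout described in the question. It assumes that the credentials Terragrunt starts with belong to a principal in the Security Account (an AWS profile or SSO session) and that the two roles it names trust that principal; the bucket, table and role names (TerraformStateRole, TerraformInfraRole, tf-admin-state-bucket, tf-admin-state-locks) are placeholders.

```hcl
# Root terragrunt.hcl, pulled in by each module's terragrunt.hcl via an
# include block. Added example, not from the original thread. ADMIN-ACCT,
# INFRA-ACCT, bucket, table and role names are placeholders: substitute
# your own. The caller's credentials come from the Security Account; both
# roles below must have a trust policy that allows that principal to
# assume them.

# State storage in the Terraform Admin Account. The s3 backend assumes
# role_arn only for reads and writes of the state object and the lock
# table; Terragrunt uses the same role if it has to create the bucket or
# table on first run. The role needs S3 and DynamoDB permissions only.
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "tf-admin-state-bucket"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "tf-admin-state-locks"
    role_arn       = "arn:aws:iam::ADMIN-ACCT:role/TerraformStateRole"
  }
}

# Provider for the resources themselves, assumed into the Infrastructure
# Account. Generating it into every module means no module hard-codes an
# account ID or role; changing the target account is a one-line edit here.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::INFRA-ACCT:role/TerraformInfraRole"
    session_name = "terragrunt"
  }
}
EOF
}
```

With this layout the Security Account credentials never touch resources directly: Terraform's backend assumes TerraformStateRole for state and locking, and the AWS provider assumes TerraformInfraRole for everything else. Because the backend role_arn and the provider assume_role are independent, the Infrastructure Account role needs no access to the Admin Account's bucket, and the state role needs no permissions beyond S3 and DynamoDB, which is a smaller blast radius than running the whole apply under --terragrunt-iam-role with a single role that can reach both accounts. Keep versioning enabled on the state bucket so an interrupted or mistaken apply can be rolled back.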