Terragrunt: use different AWS profile in same plan/apply

sylr · February 15, 2021, 4:19pm

Hi,

I’m new to terragrunt and I am wondering if it possible for terragrunt to use multiple AWS profiles in the same run.

Given the following workspace dir struct:

terragrunt-workspace/aws/account-dev/terragrunt.hcl
terragrunt-workspace/aws/account-dev/eu-west-1/terragrunt.hcl main.tf ... etc
terragrunt-workspace/aws/account-dev/eu-west-3/terragrunt.hcl main.tf ... etc
terragrunt-workspace/aws/account-prod/terragrunt.hcl
terragrunt-workspace/aws/account-prod/eu-west-1/terragrunt.hcl main.tf ... etc
terragrunt-workspace/aws/account-prod/eu-west-3/terragrunt.hcl main.tf ... etc

terragrunt-workspace/aws/<account>/terragrunt.hcl looks like:

remote_state {
  backend = "s3"
  config  = {
    profile        = "<account>"
    bucket         = "<account>-terragrunt"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "eu-west-3"
    encrypt        = true
    dynamodb_table = "<account>-terragrunt"
  }
}

terragrunt-workspace/aws/<account>/<region>/terragrunt.hcl looks like:

include {
  path = find_in_parent_folders()
}

I’m looking for a way to tell terragrunt that is ran from terragrunt-workspace/aws to use a specific AWS_PROFILE for each account but so far I came up empty.

Regards.

Luigi_Bakker · February 16, 2021, 11:50am

So your region attribute in the remote_state needs to refer to a var:

region = var.region

Then you need to set that var in your “terragrunt-workspace/aws//terragrunt.hcl”.
I would do that either by:

Clean but more files: create a “region.hcl” config file inside each region folder with the following locals:

locals{
  region = "eu-west-1"
}

Then inside your “root” terragrunt.hcl (terragrunt-workspace/aws//terragrunt.hcl) you load and use that var:

locals{
  region_vars = read_terragrunt_config("region.hcl")
  region = local.region_vars.locals.region
}

Extract it from the path (not tested):

locals{
// Extracting “eu-west-X” from the path by cutting on ‘/’
path_array = path_relative_to_include().split(‘/’)
region = element(path_array, length(path_array)-1)
}

yoriy · February 18, 2021, 4:22pm

What Luigi_Bakker said is the right approach here. You basically need to load in the data you need by taking advantage of the folder structure. The one thing I will add is that you can use find_in_parent_folder to load the data file in the parent config.

E.g.,

locals {
  profile = read_terragrunt_config(find_in_parent_folders("profile.hcl"))
}

remote_state {
  backend = "s3"
  config  = {
    profile        = local.profile.locals.account
    bucket         = "<account>-terragrunt"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "eu-west-3"
    encrypt        = true
    dynamodb_table = "<account>-terragrunt"
  }
}

where profile.hcl is in terragrunt-workspace/aws/<account>/profile.hcl.

Topic		Replies	Views
Terraform State file in separate AWS Account \| Terragrunt Approach or Best Terraform Approach! Gruntwork Customers terragrunt , terraform-state , aws , terraform , separate-account	1	1515	March 24, 2020
Can I set IAM roles for all accounts in one place in the terragrunt.hcl file? Gruntwork Customers terragrunt , provider , backend , iam_role	2	1757	October 22, 2020
New To Terragrunt. Question about passing in aws_region as input and picked up by the root terragrunt.hcl Gruntwork Customers	1	1029	May 19, 2020
Region not being set by Terragrunt Gruntwork Customers terragrunt	6	6534	May 31, 2018
Terraform state is messed up after moving folders Gruntwork Customers	8	7342	October 22, 2020

Terragrunt: use different AWS profile in same plan/apply

Related topics