archived the channel

What is terragrunt actually doing when it asks "Apply external dependencies" when using the dependency block? The word "apply" implies it's running an "apply" but I've noticed that if there are changes in the code that it won't actually deploy them. I'm thinking it's something closer to a "plan" that is able to get the outputs. anyone know definitively?

Cross-posting here
https://sweetops.slack.com/archives/CB6GHNLG0/p1715623846989469

Hi, terragrunt noob here. Question, I am learning somebody else’s code base and for a lot of AWS IAM stuff they are just doing inline here doc’s for the IAM policies and I am trying to fidn a better way to do this. Personally I would go with the data source aws_iam_policy_document, but I can not use this at the terragrunt module level?

Crosspost

Hi, i'm facing some issues with terragrunt scaffold command any idea what it could be? Running out of ideas 😛

tg scaffold <http://github.com/hotjar/terraform-aws-eks.git|github.com/hotjar/terraform-aws-eks.git> -var=SourceUrlType=git-ssh
INFO[0001] Scaffolding a new Terragrunt module git::<ssh://git@github.com/hotjar/terraform-aws-eks.git?ref=0.20.2> to /home/rick/github/hotjar/platform_aws-organization/eu-west-1/production/eks 
ERRO[0001] error downloading '<ssh://git@github.com/hotjar/terraform-aws-eks.git?ref=0.20.2>': /bin/git exited with 128: fatal: not a git repository (or any of the parent directories): .git 
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 

Any tips on vscode terragrunt.hcl file formatting? I tried using a custom formatter, but I keep hitting weird issues on file save where file on disk has newer content (not entirely sure what's going on... but here is the relevant snippet from settings json:

"[hcl]": {
    "editor.defaultFormatter": "jkillian.custom-local-formatters",
  },
  "customLocalFormatters.formatters": [
      {
        "command": "terragrunt hclfmt -",
        "languages": ["hcl"]
      }
    ],

how are you all handling remote state lookups for outputs to module inputs?

is terragrunt dead? community seems quite inactive these days

Reposting here instead of #help.

Calling cp's api gateway module looks like this in terraform:

module "api_gateway" {
  source = "git::<https://github.com/cloudposse/terraform-aws-api-gateway.git?ref=0.3.1>"
  logging_level = var.logging_level
  context       = module.this.context
  openapi_config = jsondecode(file("${path.module}/${var.filename}"))
} 

In teragrunt, i wrote it as:

inputs = {
  context       = module.this.context
  openapi_config = jsondecode(file("dev-io.json"))
}

Which errors out with Unknown variable; There is no variable named "module".
The api gateway module expects to be passed the context variable which is another child module calling the labels module. The cp example i'm following is found here - https://github.com/cloudposse/terraform-aws-api-gateway/tree/main/examples/complete

How can I recreate this module call in terragrunt?

I have a terragrunt config where I have this tags.hcl file under workloads/production/eu-west-1

locals {
  env_tags = {
    Environment = "Production"
    Region = "eu-west-1"
    Managed_by = "Terraform"
  }
}

Now, in the child module, I have this terragrunt.hcl file

include "root" {
  path = find_in_parent_folders()
}

locals {
  common_tags = read_terragrunt_config(find_in_parent_folders("tags.hcl"))
}

Now in my resource definition, I am trying to use the common_tags

module "ec2-instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "5.1.0"
  name    = "important-ec2"

  ami                         = var.ami
  instance_type               = var.instance_type
  
  tags = merge(
    locals.common_tags,
    {
    App          = "xxx"
    Role         = "yyy"
  }
  )
}

But it fails with

│ A managed resource "locals" "common_tags" has not been declared in the root
│ module.

Pretty sure I am misinterpreting the last section where I have to define it in the ec2-instance module. What I am doing wrong? I asked in another slack and think that locals cannot be passed to the TF config. Is that a right assumption?

PSA: AWS is changing the way some IAM policy eventual is going to happen, it it might overly expose Terraform state buckets to an account: https://github.com/gruntwork-io/terragrunt/issues/2577. A team member wrong some code to remote the root bucket access config, but Terragrunt keeps trying to put it back - EnableRootAccesstoS3Bucket
More details in the Github issue thread - we see this as kind of a bit deal, since overly expose TF state buckets might unexpectedly expose sensitive material.

There’s an option to avoid having Terragrunt modify the S3 state bucket (https://terragrunt.gruntwork.io/docs/reference/config-blocks-and-attributes/#:~:text=skip_bucket_root_access), but really, Terragrunt should never try to do this modification.

Hi everyone, question: given that terragrunt requires you to set the sources for each module, how do you deal with module versions, even better across multiple accounts? Even just with one account I already have 4 cloudposse modules just for networking (2 labels, vpc and dynamic subnets), 2 for EKS (cluster and nodegroup), 1 for RDS and likely 3 or 4 for ECS, that's at least 10 version to keep track of, and there are already 4 of those accounts, having to keep track and update all those versions manually is not really ideal.. I have tried terrafile, but - while it works great using pure terragrunt (setting the source into the terragrunt.hcl ) thanks to the find_in_parent_folders function which manages to get the module from the terrafile local "cache", it fails using local modules because there's no way to set a relative path as a source targeting the terrafile's modules path into the root of terragrunt from the .terragrunt-cache. I hope it makes sense. Anyway, no luck with terrafile, the only way would be to create these local modules as git repos, and reference everything in terragrunt.hcl files, I'm not really happy to do so, because that would mean to add git auth to these deployments (or make them public) and maintain those modules which I would do just because of this issue. How did you sort this issue?

ok if not that question: why would an import say it was successful, but then state list doesn't show it in there?

I have a root github/ directory with a terragrunt.hcl that requires the provider integrations/github. I have a child module in a github/teams/ directory however, and it's not inheriting that provider. instead, it's pulling an "implicit" provider of hashicorp/github.

I can write my own github/teams/provider.tf file and require it, but that sort of defeats the purpose of terragrunt. does anyone know at a glance what I might be doing wrong here?

i'm finding that specifying role_arn here is ignored for the s3 bucket. it's used for the dynamo lock lookup, but for the s3 bucket init, it doesn't use the role_arn defined here https://www.terraform.io/language/settings/backends/s3#assume-role-configuration

and instead uses the local credentials.

Is anyone using https://github.com/terraform-linters/tflint with terragrunt ( maybe even terraform ) ? i am trying to setup it in gh action, but there isnt support for recursive modules, and thats pain

Anyone here in touch with Terragrunt folks? Was hoping to get some traction merging a minor PR which has been open for a month...

Is it possible to run a before/after hook only once instead of running it for each terragrunt config files when running run-all plan? Ex: AWS authentication is running multiple times

Using IDP Account staging to access OneLogin <https://api.us.onelogin.com>
Using IDP Account staging to access OneLogin <https://api.us.onelogin.com>
Using IDP Account staging to access OneLogin <https://api.us.onelogin.com>
Using IDP Account staging to access OneLogin <https://api.us.onelogin.com>

I have Terragrunt integration with Atlantis. I have a common variable that I want to pulldown during atlantis plan When running terragrunt plan I can see that it is getting the value of the variable. However terraform plan is not getting the variable value (which make sense). What is the best way to get this common variable value during atlantis plan?
terragrunt.hcl

locals {
  common_vars = read_terragrunt_config("../../_globalenv/common_variables.hcl")
}

include root {
  path = find_in_parent_folders()
}

inputs = {
  platform_ips = local.common_vars.locals.platform_ips
}

I was reading this blog post about using TFC and Terragrunt, and it contains an invalid link that I can't really find anymore

We have all the details you need to configure Terragrunt with TFC and TFE in the guide, including details on how to configure the remote backend, how to send variable inputs to TFC, and more.

^^^ above link does not work, I feel I'm missing some important configuration as when I run terragrunt plan the plan in TFC does not contain value of my variables, before adding the remote configuration terragrunt was able to pass the values without issues
Anyone knows where is this guide now?

Is there a way to preserve project names in atlantis.yaml file when using terragrunt-atlantis-config ?

How to migrate to Terraform cloud with Terragrunt Code base (and S3 bucket is backend)?

There must be some work around/guide.
Anyone would like to point?

Hello, I’m following this instruction to setup Atlantis with Terrgrunt. It looks like terragrunt is creating correct atlatis.yaml file. There are three projects in the atlantis.yaml file terragrunt created. However only one of them is running! Nothing in the Atlantis log indicating any issues! Any help would be appreciated

I’m new to terragrunt. Trying to create dynamic backend. I have key = "${path_relative_to_include()}/terraform.tfstate" in my top level terragrunt.hcl which is creating the s3 key as ./terraform.tfstate. Is there any way to remove the dot from that path?

Anyone using terragrunt workspace?
I have configure CI/CD pipeline for our infra, which is managed using TG.
Found env0 and Atlantis, as potential solutions. Anyone would like to share their experience?

Looks like no need to set “provider_installation”. Once I remove it, overall things works as expected. And due to use of “plugin_cache” it was not downloading all plugin again and again.

Hi,

How to reduce disk space for .terragrunt-cache?
As of now for every tg config, .terragrunt-cache took 200-500 MB disk space.

I am using following configuration for TF/TG

❯ cat ~/.terraformrc
#plugin_cache_dir   = "$HOME/.terraform.d/plugin-cache"
disable_checkpoint = true
provider_installation {
  filesystem_mirror {
    path = "$HOME/.terraform.d/provider"
  }
}

Can someone guide me?

Hello. I have a configuration that uses S3 remote states for our backend. I have one Github repository that builds something and another Github repository that builds something else. Both of these repositories create their own state files, but in the same S3 bucket.

How would I go about referencing the output of the other state file in the same bucket through terragrunt? Initially I thought through a dependency, but the remote terragrunt.hcl isn't local to this repository (so the config_path isn't valid). Appreciate the help.

Hi we’re using the kubernetes provider here and I’m wondering how others are using this when they have multiply clusters/contexts being used? thx!

something simple as below would only allow a single context to be access, what if i have multiply contexts?

provider "kubernetes" {
  config_paths    = [
                    "~/.kube/config",
                    "~/.kube_another_path/config"
                    ]
  config_context = "cluster01
}

Hello everyone , I am trying to achieve vpc cross region peering using terragrunt need some ideas/suggestion to use provider as alias in terragunt.hcl root

Hey there! 🙂
I have a situation where terragrunt auto-init executes all the time, even if the module is already initialized and nothing changed since the last init.
Are you experiencing the same kind of behavior? I found this issue that may be related and will add details to it asap. https://github.com/gruntwork-io/terragrunt/issues/1742 Thank you.

Hi there!
We're considering some refactoring on our terraform repo and I would have loved some feedback/insight from you before making any decision.

Currently, our file structure looks like this:

terraform
├── live
│   ├── terragrunt.hcl
│   └── aws_account_name
│       ├── account.hcl
│       └── eu-west-1
│           ├── region.hcl
│           ├── prod
│           │   ├── env.hcl
│           │   └── appA
│           │       └── terragrunt.hcl
│           └── dev
│               ├── env.hcl
│               └── appA
│                   └── terragrunt.hcl
└── modules
	└── appA
		├── ec2.tf
		└── route53.tf

In this example, the appA module defines all the AWS resources needed for the app, and accepts a few input variables for the things that should change between the dev and the prod environment (e.g. instance types).
Files in the "live" folder are really lightweight, whereas modules can get bigger in size depending on the application complexity.

We plan to host all of this in a menorepo.
We plan to use Atlantis + terragrunt-atlantis-config for the CI/CD part.

Now, here are some of my questions:
1. Does this design scale well?
2. Reading online documentation, it seems like everyone agrees module versioning is a best-practice. So that would mean I should version the appA module and use explicit version in the "live" folder, instead of just terraform { source = "../../../../../..//modules/appA" }. To me, it feels like something that would be extremely painful, even more so in a monorepo context. What's your take on this?
3. I read about terraform-related testing: module unit testing with tools such as terratest, and more serious testing through infrastructure promotion to production. In your experience, is all of this really necessary? Isn't a simple look at the plan enough to decide if the changes are OK?
4. Do you guys stick to just using a master branch with MR for changes, or do you use more than one branch? If so, what for?
I would be particularly interested in hearing your thoughts on all of this @David, I've carefully read your Transcend blog post and your feedbacks on this Slack, but there are still things I'm uncertain about. I'm fine with concise answers, unlike what it seems like with this long message :D

Thanks!

Hi! Is there anyone here who is running terragrunt inside CI/CD pipelines? If so, how are you dealing with things like dependencies?

Is possible to predownload provider ( not in tf registry ) from github and install it before terraform invocation ? Thanks

We use aws-google-auth to create aws credentials that expire after X hours. Oftentimes I’ll see an error from terragrunt like:

Error in function call; Call to function "read_terragrunt_config" failed: exit status 1.

which doesn’t make sense because I haven’t changed code near that, and the root cause is my aws credentials have expired.

Does anyone else get into this situation and have a way to deal with it? 🙏

one more question, if I wanted to store my tfstate locally, is there a proper way to facilitate that with terragrunt?
PS this is a one off situation, not something I plan on doing all the time

hello, just wondering if terragrunt can handle mfa with an assume role? Im passing my aws profile to use and it forces mfa but when I run terragrunt plan it doesnt prompt and just errors with access denied

I want to know whether Terragrunt and Terraform Cloud can work together without paying for any Gruntwork subscription.

Does anyone have a modern reference project in Terragrunt that showcases a modern working implementation for Dependencies?

I've never used configured terragrunt to use an SSH key that wasn't my default key. What is a sane way to set this up on a linux environment without mangling the URL committed to the repo? ( Which is what happens when the .ssh/config file is used to manage which SSH key is used when git is called. )

I'm dealing with a full buildout of all layers and if not for the clean input structure and lack of need to duplicate all my variable files from modules, I'd sure love native terraform. Terragrunt can be tricky to debug. However, the benefit of a clean terragrunt directory is pretty clear when I need to reproduce my prod deployment

Anyone feel like sharing some terragrunt insight? I have a solid project design using the 4 layers structure from Cloudposse but i'm confused on why all of a sudden my terragrunt isn't detecting changes.

Also, would love to see more examples of structure in terragrunt, if anyone combines multiple modules into one hcl file (with a tf file in the same directory?) if it would simplify things over 1 hcl = one remote module each time instead of a composite of a couple. I get i can use dependencies for that, but it does add some complication when dealing with running directories in order at times.

Gcp people how do you usually structure terragrunt repo? I mainly use aws so i didn't have opportunities to use it with gcp.

Is there anyway to reduce the effort in dependency mocks so I don't have to paste large output mocked examples in all the places I call it?

Would love any help i could get on this as I'm running into a few issues maybe easier to deal with if you know terragrunt well.

https://github.com/antonbabenko/terragrunt-reference-architecture/issues/8