search

gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License
8.01k stars 971 forks source link

Dependency with backend config using extra argument env vars #1932

Open lukasstanek opened 2 years ago

lukasstanek commented 2 years ago

Hi,

I'm trying to access a dependency with a backend config (azurerm) which uses env vars for authentication credentials (ARM_ACCESS_KEY) and gets them from the extra_arguments -> env_vars block. this works fine for normal deployment but when used in a dependency than terragrunt is not able to access the remote state. It is working though when setting the env var ARM_ACCESS_KEY directly in the shell environment (this is not feasible in my case).

This config is included in both the module i'm trying to deploy and the dependency. And this works fine as long as a module with this config is used as an dependency.

terraform {
  extra_arguments "access-key" {
    arguments = []
    commands  = [
      "init",
      "apply",
      "refresh",
      "import",
      "plan",
      "taint",
      "untaint"
    ]
    env_vars  = {
      ARM_ACCESS_KEY = get_env("storage_dev_access_key")
    }
  }
}

# Configure remote state
remote_state {
  backend  = "azurerm"
  # Auto-generate the backend configuration
  generate = {
    path      = "backend.generated.tf"
    if_exists = "overwrite"
  }
  # Specify azure storage account & container to store TF state in
  config   = {
    tenant_id            = local.vars.tenant-id
    subscription_id      = local.vars.dev-subscription-id
    resource_group_name  = local.vars.state-storage-rg-name
    storage_account_name = local.vars.state-storage-account-name
    container_name       = local.vars.state-storage-container-name
    key                  = "${path_relative_to_include()}/terraform.tfstate"
    snapshot             = true
  }
}

Can you help me with this?

yorinasub17 commented 2 years ago

This is not something terragrunt can really support currently. I'm not quite sure what the best construct is to support this use case, but I think something like https://github.com/gruntwork-io/terragrunt/pull/1262 would be what is necessary here.

bober2000 commented 1 year ago

Also tried that but with no luck. In my case it was attempt to fully automate creation of DB permissions and users:

terraform {
  source = "github.com/jparnaudeau/terraform-postgresql-database-admin//create-database?ref=v2.0.3"
  extra_arguments "pg_passwd" {
    commands = [
      "init",
      "apply",
      "refresh",
      "import",
      "plan",
      "taint",
      "untaint"
    ]    
    env_vars = {
      TF_VAR_rds_root_password="${local.secret_vars.secrets.db_password}"
    }
  }
}

locals {
  secret_vars = yamldecode(sops_decrypt_file(find_in_parent_folders("secrets.enc.yaml")))
  ...
}