gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License

Separate modules using different aws profiles #595

Closed ijaveed closed 5 years ago

ijaveed commented 5 years ago

Hi all

I want to know if there is a way I can switch AWS profiles in flight between my modules...

e.g

s3 Module --> Creates bucket in AWS Account A
r53 module (dependent on s3 Module) --> Create Alias in AWS Account B

Is this even possible?

I am currently using TERRAGRUNT_IAM_ROLE=AWS_ARN which points to Account A?

Obviously this fails with Access denied when trying to create the ALIAS in Account B....

Thanks in advance!

brikis98 commented 5 years ago

One option is to assume different roles in your Terraform code using assume_role in the AWS provider. You then authenticate to some account that has permissions to assume either role and Terraform will do the rest.

ijaveed commented 5 years ago

I tried adding the following to Terraform's main.yml

assume_role {
  role_arn     = "arn:aws:iam::ACCOUNT_NUMBER_B:role/SuperAdmin"
  session_name = "ops-profile"
  external_id  = "ops-profile"
}

I still had the TERRAGRUNT_IAM_ROLE=AWS_ARN exported which pointed to Account A?

but received...

Error: Error refreshing state: 1 error(s) occurred:

I forgot to mention, I am also looking up a value in Account A from a state file...

ijaveed commented 5 years ago

I managed to resolve this the way you stated; I had to allow the correct permission with the assume roles within IAM between the accounts.

Works perfectly now, thank you.
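The pattern brikis98 suggests and ijaveed ended up with, as an added example (not code from the thread or from the Terragrunt project): the default provider uses whatever credentials Terragrunt already established for Account A, a second, aliased provider assumes a role in Account B, and the Route 53 record is created through that alias. Account IDs, role names, the hosted zone ID and the bucket name are placeholders.

```hcl
# Default provider: credentials already set up by Terragrunt (e.g. via
# TERRAGRUNT_IAM_ROLE) that land in Account A.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider: same credentials, but every API call assumes a role in
# Account B first. Account ID and role name are placeholders.
provider "aws" {
  alias  = "account_b"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/Route53Admin"
    session_name = "terragrunt-cross-account"
    external_id  = "ops-profile" # must match the trust policy condition below
  }
}

# Created in Account A with the default provider.
resource "aws_s3_bucket" "site" {
  bucket = "example-site-bucket" # placeholder
}

# Created in Account B: the provider meta-argument selects the aliased provider.
resource "aws_route53_record" "bucket_cname" {
  provider = aws.account_b
  zone_id  = "Z0000000EXAMPLE" # placeholder hosted zone in Account B
  name     = "assets.example.com"
  type     = "CNAME"
  ttl      = 300
  records  = [aws_s3_bucket.site.bucket_regional_domain_name]
}

# The trust policy that Route53Admin in Account B needs (created out of band
# by whoever administers Account B). It lets only the role Terragrunt assumes
# in Account A, presenting the agreed external ID, assume it; the role's
# permission policy should then grant only the route53 actions it needs.
# {
#   "Version": "2012-10-17",
#   "Statement": [{
#     "Effect": "Allow",
#     "Principal": { "AWS": "arn:aws:iam::111111111111:role/TerragruntRole" },
#     "Action": "sts:AssumeRole",
#     "Condition": { "StringEquals": { "sts:ExternalId": "ops-profile" } }
#   }]
# }
```

Without the trust policy (or with a mismatched external ID) the assume-role call is what fails, which is the "Access denied" seen earlier in the thread.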

miked0004 commented 5 years ago

Can terragrunt use named profiles in the modules backends explicitly? For my use case, I don't want to set environment credentials in advance, I want terragrunt to do it in the same way terraform does.

i.e.

provider "aws" {
  profile = "${var.aws_profile}"
  region  = "${var.region}"
}

bradleyess commented 5 years ago

Can terragrunt use named profiles in the modules backends explicitly? For my use case, I don't want to set environment credentials in advance, I want terragrunt to do it in the same way terraform does.

i.e.

provider "aws" {
  profile = "${var.aws_profile}"
  region  = "${var.region}"
}

This would be the dream!