get_aws_account_id don't use the profile from remote_state

[heino-vdbh]

terragrunt = v0.19.8 terraform = v0.12.4

When I use

remote_state {
  backend = "s3"
  config = {
  bucket                               = "12345678900-test-tf-state"
  key                                     = "${path_relative_to_include()}/terraform.tfstate"
  region                                = "eu-central-1"
  encrypt                              = true
  dynamodb_table               = "test-12345678900-tf-lock-table"
  profile                                = "test"
  }   
}

the tfstate get created in the account of profile test

when I use

remote_state {
  backend = "s3"
  config = {
  bucket                              = "test-${get_aws_account_id()}-tf-state"
  key                                     = "${path_relative_to_include()}/terraform.tfstate"
  region                                = "eu-central-1"
  encrypt                              = true
  dynamodb_table              = "test-${get_aws_account_id()}-tf-lock-table"
  profile                                = "test"
  }   
}

I get this error

Call to function "get_aws_account_id" failed: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors.

The get_aws_account_id() function don't use the profile parameter from the remote_state config.

[yorinasub17]

Unfortunately, it doesn't make intuitive sense for the function to retrieve the profile or creds info from the remote state config, since you are using the function call to configure the remote state config (circular dependency). As in, the function is evaluated before the config is fully rendered.

I believe the way to handle this would be to allow passing in function parameters to get_aws_account_id to be able to configure the credentials such as profile, although I am not sure if philosophically that makes sense. It feels like a more generic terragrunt AWS config option would be the way to go for maximum flexibility.

I think this requires some design thoughts to come up with the right solution here.

[heino-vdbh]

ok, the problem I see is that you can specify profile on some terraform resources but the terragrunt function only use the profile from the os environment. If I use my example in two different accounts with specified profile for provider resource and don't switch my os profile, terragrunt tries to create the state bucket with the same name.

Passing in function parameters sounds like a possible solution...

[nilsmeyer]

It's also very easy to trip over this when you have a default profile set - or an env_var. I like the idea of having a parameter for get_aws_account_id(), or perhaps just an additional function.

[yorinasub17]

I think adding in optional function parameters for specifying the profile is a viable workaround for now. PRs to implement that change are welcome!

Implementation requires:

• Update function implementation (https://github.com/gruntwork-io/terragrunt/blob/master/config/config_helpers.go#L304) to accept args. Use find_in_parent_folders as a reference for how to handle optional args (https://github.com/gruntwork-io/terragrunt/blob/master/config/config_helpers.go#L215)
• Update wrapper to support passing in args (https://github.com/gruntwork-io/terragrunt/blob/master/config/config_helpers.go#L93).
• Unit tests

[bartek-lopatka]

Any chances this behaviour will be updated?

[yorinasub17]

Unfortunately, no one has been able to take a look at this yet. I'm not sure our team has the capacity to take a look at this anytime soon as we don't rely on AWS profiles (we primarily use aws-vault). That doesn't mean we won't implement it, but we may take some time to get to this.

A PR from the community is likely to be the fastest route, if anyone has spare cycles!