[Question] How do I set different iam_role for prod and non-prod folders ?

Question

[Question] How do I set different iam_role for prod and non-prod folders ?

Opened this issue 4 years ago · 3 comments

How do I set different iam_role for prod and non-prod folders?

considering this PR from 2018 => https://github.com/gruntwork-io/terragrunt/pull/599/files#diff-04c6e90faac2675aa89e2176d2eec7d8 it seems that I can configure a specific iam_role to be used by terragrunt (and terraform).

My goal is to have a CI/CD (Atlantis) to assume roles when executing the terragrunt command.

How can I set up one role for non-prod folder and a different one for the prod folder?

Answer 1 · 2020-09-03T08:24:07.000Z

There are a number of options, including:

Have a different root prod/terragrunt.hcl and non-prod/terragrunt.hcl, each with different iam_role setting, that all the child modules include.
Have a single root terragrunt.hcl that uses generate to generate a provider block with an assume_role block within. The assume_role block can set role_arn to a variable, which in prod envs you set to a different value than non-prod envs.

Answer 2 · 2020-10-02T11:09:16.000Z

To add another option:

I am making use of direnv (https://direnv.net) for which I create .envrc files in the different account folders. This is what I include:
export TERRAGRUNT_IAM_ROLE=arn:aws:iam::ACCOUNTID:role/ROLE and other env variables as needed.

I am then able to go into the directory with the right role assumed and then being able to run Terragrunt.

Answer 3 · 2021-02-10T23:11:55.000Z

Based on the input of @brikis98, I have created an example for option 2, see:

https://github.com/nilsdebruin/terragrunt-infrastructure-live-example/tree/assumed-role-example

If it is interesting enough, I could create a pull request for it.