Pipelines Configurations as Code
Block Reference
For a more comprehensive walkthrough of how blocks work please see the Pipelines Configurations as Code concepts.
environment
block
environment
labeled-blockEnvironment blocks are used to define configurations that are applicable to a specific environment within a repository.
The label applied to an environment block is the name of the environment. This is a user-defined label for the environment, and must be globally unique.
See more below.
Example
# .gruntwork/environments.hcl
environment "an_environment" {
filter {
paths = ["an-environment/*"]
}
authentication {
aws_oidc {
account_id = aws.accounts.all.an_account.id
plan_iam_role_arn = "arn:aws:iam::${aws.accounts.all.an_account.id}:role-to-assume-for-plans"
apply_iam_role_arn = "arn:aws:iam::${aws.accounts.all.an_account.id}:role-to-assume-for-applies"
}
}
}
aws {
accounts "all" {
path = "aws/accounts.yml"
}
}
unit
block
unit
blockUnit blocks are used to define configurations that are applicable to a single unit of IaC within a repository. See more below.
Example
unit {
authentication {
aws_oidc {
account_id = "an-aws-account-id"
plan_iam_role_arn = "arn:aws:iam::an-aws-account-id:role-to-assume-for-plans"
apply_iam_role_arn = "arn:aws:iam::an-aws-account-id:role-to-assume-for-applies"
}
}
}
authentication
block
authentication
blockAuthentication blocks are components used by environment and unit blocks to determine how Pipelines will authenticate with cloud platforms when running Terragrunt commands. See more below.
Example
authentication {
aws_oidc {
account_id = "an-aws-account-id"
plan_iam_role = "arn:aws:iam::an-aws-account-id:role-to-assume-for-plans"
apply_iam_role = "arn:aws:iam::an-aws-account-id:role-to-assume-for-applies"
}
}
repository
block
repository
blockRepository blocks are used to define configurations that are applicable to the entire repository. See more below.
Example
repository {
deploy_branch_name = "main"
}
filter
block
filter
blockThe ceiling of retention days that can be configured via a backup plan for the given vault
aws
block
aws
blockAWS blocks are configurations used by aws-oidc authentication blocks to have commonly re-used AWS configurations codified and referenced by multiple authentication blocks.
There can only be one aws block defined within global configurations.
Nested within the aws block are accounts blocks that define the configurations for collections of AWS accounts.
The label applied to an accounts block is the name of the Accounts block. This is a user-defined label for the collection of AWS accounts defined by the block, and must be unique within the context of the aws block.
For more information on importing accounts from accounts.yml
click here
See more below.
Example
aws {
accounts "all" {
path = "aws/accounts.yml"
}
}
accounts
block
accounts
labeled blockAccounts blocks define the configurations for collections of AWS accounts.
The label applied to an accounts block is the name of the Accounts block. This is a user-defined label for the collection of AWS accounts defined by the block, and must be unique within the context of the aws block.
aws_oidc
block
aws_oidc
blockAn AWS OIDC authentication block that determines how Pipelines will authenticate with AWS using OIDC. See more below.
Block Attributes
environment
block attributes
filter
blockA filter block that determines which units the environment is applicable to. See more below.
Every unit must be uniquely matched by the filters of a single environment block. If a unit is matched by multiple environment blocks, Pipelines will throw an error.
authentication
blockAn authentication block that determines how Pipelines will authenticate with cloud platforms when running Terragrunt commands. See more below.
unit
block attributes
authentication
blockAn authentication block that determines how Pipelines will authenticate with cloud platforms when running Terragrunt commands. See more below.
authentication
block attributes
aws_oidc
blockAn AWS OIDC authentication block that determines how Pipelines will authenticate with AWS using OIDC See more below.
repository
block attributes
deploy_branch_name
stringThe branch that Pipelines will deploy infrastructure changes from.
main
consolidate_added_or_changed
booleanWhether or not Pipelines will consolidate added or changed resources when running Terragrunt commands. Job consolidation is the mechanism whereby Pipelines will take multiple jobs (e.g. ModuleAdded, ModuleChanged) and consolidate them into a single job (e.g. ModulesAddedOrChanged) when running Terragrunt commands. This is a useful optimization that Pipelines can perform, as it divides the CI/CD costs of running Terragrunt in CI by the number of jobs that are consolidated. In addition, this results in more accurate runs, as it allows Terragrunt to leverage the Directed Acyclic Graph (DAG) to order updates. e.g. Instead of running the following jobs: A. ModuleAdded B. ModuleChanged Where ModuleChanged depends on ModuleAdded, Pipelines will consolidate these jobs into a single job: C. ModulesAddedOrChanged Because the underlying implementation of a ModulesAddedOrChanged uses the run-all Terragrunt command, it will use the DAG to ensure that the ModuleAdded job runs before the ModuleChanged job.Job Consolidation Definition
true
consolidate_deleted
booleanWhether or not Pipelines will consolidate deleted resources when running Terragrunt plan commands.
This is disabled by default because there can be unintended consequences to deleting additional resources via a run-all
Terragrunt command. It is recommended to enable this feature only when you are confident that you understand the implications of doing so.
false
filter
block attributes
paths
array[string]A list of path globs that the filter should match against. Paths are relative to the directory containing the .gruntwork directory.
aws
block attributes
accounts
block attributes
path
stringThe path to the accounts.yml
file that contains the definition of AWS accounts.
The value used for the path
attribute is relative to the directory containing the .gruntwork directory.
e.g. If the accounts.yml
file is located at the root of the repository, and the configuration containing the aws
block is located in .gruntwork/aws.hcl
, then the value of the path
attribute would be ../accounts.yml
.
This is to make it convenient to tuck the accounts.yml
file away somewhere in the .gruntwork
directory if you like.
aws_oidc
block attributes
account_id
stringThe AWS account ID that Pipelines will authenticate with.
plan_iam_role_arn
stringThe IAM role ARN that Pipelines will assume when running Terragrunt plan commands.
apply_iam_role_arn
stringThe IAM role ARN that Pipelines will assume when running Terragrunt apply commands.
region
stringThe AWS region that Pipelines will use when running Terragrunt commands.
us-east-1
session_duration
numberThe duration in seconds that the AWS session will be valid for.
3600