Provider error while trying to configure terragrunt in Atlantis CI
_This message was extracted from a discussion that originally took place in Gruntwork Community Slack. Names and URLs have been removed where appropriate_ **From a customer** Good morning. A basic question, sorry. I get errors using some of your account-baseline modules, due to an aws provider block embedded in the code that does not have any profile information. I assume the credentials should be taken from the root module (where the profile is defined) but it seems this doesn't happen. How would you expect me to pass the right credentials to that child module? ``` ╷ │ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found. │ │ Please see https://registry.terraform.io/providers/hashicorp/aws │ for more information about providing credentials. │ │ Error: NoCredentialProviders: no valid providers in chain. Deprecated. │ For verbose messaging see aws.Config.CredentialsChainVerboseErrors │ │ │ with module.account-baseline-app.module.config.provider["http://registry.terraform.io/hashicorp/aws"].seed, │ on .terraform/modules/account-baseline-app.config/modules/aws-config-multi-region/main.tf line 25, in provider "aws": │ 25: provider "aws" { ``` In your module repo: https://github.com/gruntwork-io/terraform-aws-security/blob/master/modules/aws-config-multi-region/main.tf ``` # Set up a seed provider to query for the list of available regions provider "aws" { alias = "seed" region = var.seed_region } ``` I am a bit confused since from the documentation it looks like no provider should be defined in a module: ``` Each resource in the configuration must be associated with one provider configuration. Provider configurations, unlike most other concepts in Terraform, are global to an entire Terraform configuration and can be shared across module boundaries. Provider configurations can be defined only in a root Terraform module. A module intended to be called by one or more other modules must not contain any provider blocks. ```
**From a grunt** Ah so with our Landing Zone modules, because there are resources that need to be deployed in every region, we need to define the providers inside the modules so that the user doesn’t have the burden of defining R providers, one for each region. This is indeed an anti-pattern according to terraform, and we are working on refactoring the multi-region approach to not need this (which is now possible thanks to new features in terraform 0.15). In general, we recommend using an external tool that handles the AWS credentials and feeds it to the CLI via environment variables (e.g., [aws-vault](https://github.com/99designs/aws-vault)). If you do wish to use the credentials file with profiles, you should be able to make it work if you set the `AWS_PROFILE` environment variable BTW, feel free to ask basic questions as well! It's perfectly reasonable. We're working on a way to make it easier to find answers.