How do I read dependencies in Terragrunt across accounts?
I want to construct a `dependency` block that reads data from state stored in another account. How do I do that in `terragrunt`?

---

<ins datetime="2022-05-16T14:51:14Z">
<p><a href="https://support.gruntwork.io/hc/requests/108609">Tracked in ticket #108609</a></p>
</ins>
This is not something that Terragrunt currently supports cleanly. There is a workaround, but it is not very clean. Here are 3 options:

- The way to handle this is to authenticate directly to the IAM User (the one in the Security account) on the command line, and then have Terragrunt assume the roles in the target accounts using the [iam_role attribute](https://terragrunt.gruntwork.io/docs/reference/config-blocks-and-attributes/#iam_role) in the `terragrunt.hcl` for each config. Note that this has a major downside where the dependency configs need the `iam_role` attribute for `terragrunt` to assume the right role when reading the state information.
- Another approach is to configure the state bucket for cross account access. This requires creating a new module that appends the new policies to the S3 bucket policy to allow access from the account reading the bucket data.
- The other approach is to read the dependencies in the Terraform module using `data` sources instead of going through Terragrunt. In this approach, you configure a provider in the Terraform module with assume role blocks specifically for reading into each of the accounts and then extracting the data you need. This approach only works for a static set of accounts: if you need to dynamically add accounts, then it gets tricky because you can’t `for_each` a provider config.

With all that said, in most cases, the data you need across accounts tends to be static in nature (e.g., account IDs, or VPC IDs) that don't change very often. For this type of data, we typically recommend using a static lookup table in a `json` or `hcl` file checked into the repo, and then reading it out using `jsondecode` or `read_terragrunt_config`. It is more manual, but it ends up being a lot cleaner in the end because you avoid all the cross account concerns, which get very messy in Terraform/Terragrunt.
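
The third option above (aliased providers with assume-role blocks plus `data` sources), as an added example that is not part of the original answer or Gruntwork's own code. The account IDs, role name, region and tag value are constructed placeholders, and the role is assumed to exist in each source account with read-only describe permissions.

```hcl
# Added example. Reads a VPC from another account through a data source,
# so the other account's state bucket never has to be shared.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "read_role_name" {
  description = "Read-only role present in every source account (hypothetical name)."
  type        = string
  default     = "terraform-cross-account-read"
}

locals {
  # Static lookup table (constructed IDs); could also come from
  # jsondecode(file("accounts.json")) checked into the repo.
  account_ids = {
    network = "111111111111"
  }
}

# One aliased provider per source account. Provider blocks cannot use
# for_each, so each additional account needs its own block like this one.
provider "aws" {
  alias  = "network"
  region = "us-east-1"

  assume_role {
    # Scope this role to the describe calls the data sources need
    # (for this example, ec2:DescribeVpcs) rather than broad read access.
    role_arn     = "arn:aws:iam::${local.account_ids.network}:role/${var.read_role_name}"
    session_name = "cross-account-read"
  }
}

# Look up the VPC in the network account by tag (constructed tag value).
data "aws_vpc" "network" {
  provider = aws.network
  tags     = { Name = "main" }
}

output "network_vpc_id" {
  value = data.aws_vpc.network.id
}
```

Compared with opening the state bucket to another account, the reading account only gets the API permissions attached to the role, not everything recorded in the other account's state file.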