Transit gateways between accounts / VPCs - best practices in IAC?
A customer asked:

> In an effort to establish transit gateways between accounts/VPCs, what is the best way to go about accessing these VPC IDs from Terraform states across accounts/S3 buckets? Is there a recommendation from Gruntwork for this? Or does a statically created file make the most sense?

---

<ins datetime="2022-05-27T17:10:48Z"> <p><a href="https://support.gruntwork.io/hc/requests/108670">Tracked in ticket #108670</a></p> </ins>
This is not something we currently support cleanly. There is a workaround, but it is not very clean. The way to handle this is to authenticate directly to the IAM User (the one in the Security account) on the command line, and then have Terragrunt assume the roles in the target accounts using the [iam_role attribute](https://terragrunt.gruntwork.io/docs/reference/config-blocks-and-attributes/#iam_role) in the terragrunt.hcl for each config. Note that this has a major downside where the dependency configs need the iam_role attribute for Terragrunt to assume the right role when reading the state information.

Another approach is to configure the state bucket for cross-account access. This requires creating a new module that appends the new policies to the S3 bucket policy to allow access from the account reading the bucket data.

The other approach is to read the dependencies in the Terraform module using data sources instead of going through Terragrunt. In this approach, you configure a provider in the Terraform module with assume role blocks specifically for reading into each of the accounts and then extracting the VPC IDs. This approach only works for a static set of accounts: if you need to dynamically add accounts, then it gets tricky because you can’t for_each a provider config.

For something like VPC IDs, we typically recommend using a static look-up table. It is more manual, but it ends up being a lot cleaner in the end because you avoid all the cross-account concerns, which get very messy in Terraform/Terragrunt.
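The first workaround described above (authenticate as the Security-account IAM user, let Terragrunt assume a role per account via `iam_role`, and set `iam_role` on the dependency config too so the state read uses the right role) as an added illustration. This is example configuration written for this page, not Gruntwork's or Terragrunt's own code; the account IDs, role names, directory layout and module source are placeholders.

```hcl
# --- live/app-account/vpc/terragrunt.hcl (the dependency) ---
# Assumed: the VPC lives in a separate "app" account. The iam_role here is
# what lets Terragrunt assume into that account when *another* config reads
# this one's state as a dependency; without it the read runs as the caller.
iam_role = "arn:aws:iam::111111111111:role/terragrunt-deployer"  # placeholder account/role

terraform {
  source = "git::https://example.com/modules.git//vpc?ref=v0.0.0"  # placeholder source
}

inputs = {
  vpc_name = "app-vpc"
}

# --- live/network-account/transit-gateway/terragrunt.hcl (the consumer) ---
# Assumed: the transit gateway lives in a "network" account. Terragrunt
# assumes this role for the apply itself, and the role from the dependency
# config above when it fetches that config's outputs from remote state.
iam_role = "arn:aws:iam::222222222222:role/terragrunt-deployer"  # placeholder account/role

terraform {
  source = "git::https://example.com/modules.git//transit-gateway-attachment?ref=v0.0.0"  # placeholder
}

dependency "app_vpc" {
  config_path = "../../app-account/vpc"

  # Lets `terragrunt validate` / `plan` in a fresh account succeed before the
  # VPC exists; mock values are clearly fake and never reach an apply.
  mock_outputs = {
    vpc_id             = "vpc-00000000000000000"
    private_subnet_ids = ["subnet-00000000000000000"]
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

inputs = {
  vpc_id     = dependency.app_vpc.outputs.vpc_id
  subnet_ids = dependency.app_vpc.outputs.private_subnet_ids
}
```

The important operational point is that the credentials on the command line belong to one principal (the Security-account IAM user) and every other account is reached only through an assumed role, so the trust policy on each `terragrunt-deployer` role is the single place that controls which accounts can read or change which state.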
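The two remaining approaches side by side, as an added example that is not part of the original answer or of any Gruntwork module: a Terraform module that reads VPC IDs from other accounts through aliased providers with `assume_role` blocks and data sources, and a static look-up table passed in as a variable. Account IDs, role names, VPC tag names and the region are placeholders.

```hcl
# --- modules/transit-gateway-attachment/main.tf (added example) ---
variable "aws_region" {
  type    = string
  default = "us-east-1"  # placeholder region
}

# Static look-up table approach: the calling code supplies the VPC IDs
# directly, so this module never needs cross-account credentials at all.
# This is the cleaner option the answer recommends for stable values like
# VPC IDs; a missing key fails at plan time rather than at apply time.
variable "vpc_ids" {
  type        = map(string)
  description = "Map of account name -> VPC ID. Placeholder values; maintained by hand."
  default = {
    app = "vpc-0aaaaaaaaaaaaaaaa"
    dev = "vpc-0bbbbbbbbbbbbbbbb"
  }
}

# Data-source approach: one aliased provider per account, each assuming a
# read-only role. Provider blocks cannot be created with for_each, which is
# why this only works for a fixed set of accounts.
provider "aws" {
  alias  = "app"
  region = var.aws_region
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/cross-account-read-only"  # placeholder
  }
}

provider "aws" {
  alias  = "dev"
  region = var.aws_region
  assume_role {
    role_arn = "arn:aws:iam::333333333333:role/cross-account-read-only"  # placeholder
  }
}

# Look the VPC up by tag in the remote account instead of reading its
# Terraform state. Only ec2:DescribeVpcs/DescribeSubnets are needed by the
# assumed role, so it can be scoped far tighter than state-bucket access.
data "aws_vpc" "app" {
  provider = aws.app
  tags     = { Name = "app-vpc" }  # placeholder tag
}

data "aws_subnets" "app_private" {
  provider = aws.app
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.app.id]
  }
  tags = { Tier = "private" }  # placeholder tag
}

locals {
  # Prefer the static table when it has an entry; fall back to the lookup.
  # coalesce() picks the first non-empty value, so the table wins when set.
  app_vpc_id = coalesce(lookup(var.vpc_ids, "app", ""), data.aws_vpc.app.id)
}

resource "aws_ec2_transit_gateway" "this" {
  description = "Example transit gateway (added example)"
}

# The attachment is created in the app account, hence the aliased provider.
resource "aws_ec2_transit_gateway_vpc_attachment" "app" {
  provider           = aws.app
  transit_gateway_id = aws_ec2_transit_gateway.this.id
  vpc_id             = local.app_vpc_id
  subnet_ids         = data.aws_subnets.app_private.ids
}

output "app_vpc_id" {
  value = local.app_vpc_id
}
```

Note that an attachment in the app account still needs the transit gateway shared into it (for example via AWS RAM) before this applies; that sharing is outside what the answer covers. The trade-off the answer describes is visible here: adding a third account means adding another provider block and data source by hand, whereas the static map only grows by one line.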