🔥Let's Do DevOps: Recursive Terraform with Terragrunt
Hey all!
Terraform is capable of remarkable things, not least of which is speaking API commands for many dozens of providers, which lets terraform configuration do amazing things. That isn’t to say that terraform is perfect, or as flexible as we’d like it to be, which is why some free-lancers have built wrappers around terraform to add functionality.
One that has gained significant traction is Terragrunt. Terragrunt is a tool that permits terraform to run in parallel, on lots of different main.tf files, and to go even further towards a DRY (Don’t Repeat Yourself) implementation with sym-links to shared files. The github page for the tool goes into greater depth and specificity than I’d be able to, so visit it if you’re interested!
Terragrunt also permits something cool — to recursively dive into a folder structure and execute all the main.tf files that are found there. Terragrunt can also manage each of these files’ state files and help store them in an appropriate back-end.
This recursive property lets you separate your resources out into n number of data stacks, all with separate state files. This is particularly useful within the context of a CI/CD that has to be hard-coded to execute a single or few commands, e.g. terraform against a single location. If your users are going to be adding main.tf files with new resources in new folders, you’ll have to constantly be updating your CI/CD to point at those new main.tf files. Or you can use terragrunt and tell it to dive into a folder structure recursively and grab them all, each time its run, automatically.
During this blog I’ll walk through how to set up terragrunt, how to separate resources and reference them from different main.tf files, all in the context of what I hope is) an interesting example — building public and private subnets, 2x servers, a load balancer, listener, target group, and all sorts of other cool stuff. At the end of this demo, you’ll have an internet-facing Application Load Balancer in AWS that can accept incoming http connections and load-share them between the 2x ec2 servers we’ll build.
AWS Bootstrap — S3, IAM
Before we can run terragrunt against an AWS environment, we need to add some resources, which would include an S3 bucket to store the remote state, as well as an IAM user with a policy that lets them do things.
First, log into your AWS account and in the top right, click on My Security Credentials. This is your root user, with unlimited abilities. We don’t want to do a ton with this, but we’ll use it to get started
Then click on “Access keys” drop-down to expose your keys. If there aren’t any there, that’s fine.
Click on “Create New Access Keys”, then on “show access keys”. Copy those down, then export them into your browser session. These exports will work on a linux or mac computer — you’ll need to export in windows syntax for a windows session.
export AWS_ACCESS_KEY_ID=secret_key_id | |
export AWS_SECRET_ACCESS_KEY=secret_access_key |
That will permit your terminal to authenticate to your AWS and do things.
Navigate to projects/ado_init on your local disk and update the ado_init_variables.tf file with custom names. The S3 name has to be globally unique, the rest are whatever names make sense to you.
Then run “terraform apply” against the main.tf there. It will build an S3 bucket and the IAM user with policies that you can assume.
Find that IAM user in the IAM panel, click on Users on left side, and find the new IAM user that we built. Click on it to open it up, then click on “Secure Credentials”. Click “create access key” to generate some CLI creds.
Now we’re ready to get started in terragrunt, so let’s dive in!
Terragrunt Properties
Terragrunt is written in the same language as Terraform — HCL, so it’ll look very familiar. Here’s an example of a “terragrunt.hcl” file that exists in the networking folder of my terraform project.
# terragrunt.hcl | |
remote_state { | |
backend = "s3" | |
config = { | |
bucket = "s3-terragrunt-kyler-ue1-tfstate" | |
key = "projects/networking/terraform.tfstate" | |
region = "us-east-1" | |
encrypt = true | |
dynamodb_table = "aws-locks-projects-networking" | |
} | |
} |
Notice that it looks exactly like how a remote state backend is written in terraform. And rather than having all this information in both places, terragrunt requires us to remove that information from the terraform main.tf file. Really all that’s left in the terraform file is the terraform init statement.
# Init terraform | |
terraform { | |
backend "s3" {} | |
} |
Here’s what my folder structure looks like. Notice that there are several different “projects”, which are components of my environment, broken out into main.tf files. All are under the “projects” folder, so that’s where we can run our terragrunt commands.
Each project component will have its own terragrunt.hcl file, but they’ll vary slightly. The reason for this is that each one will maintain a separate state file. Here’s the terragrunt.hcl file for the security_group project. Notice that the s3 bucket stays the same — we’re putting all our remote state files into the same s3 bucket, but the “key” (folder path and filename) changes, as well as the dynamo-db table.
# terragrunt.hcl | |
remote_state { | |
backend = "s3" | |
config = { | |
bucket = "s3-terragrunt-kyler-ue1-tfstate" | |
key = "projects/security_groups/terraform.tfstate" | |
region = "us-east-1" | |
encrypt = true | |
dynamodb_table = "aws-locks-projects-security_groups" | |
} | |
} |
You’ll need to sync down the Terragrunt git repo for this demo to your local comp.
Go through the various terragrunt.hcl files and update the S3 bucket to the one you created in the ado_init step earlier. You can also update the name of the dynamoDB table if you’d like — terragrunt will automatically create these for you if they don’t exist yet.
Now it’s time to run it!
Run Terragrunt
Navigate to the projects folder and run command “terragrunt apply-all”. This command will tell terragrunt to recurse through the directories and execute the main.tf files in each directory that has a terragrunt.hcl file. It’ll read the terragrunt.hcl file in each directory and grab (or push) the terraform state to that remote location.
You’ll see log messages from each of the main.tf files as it goes, and it can sometimes be hard to tell where the log messages come from.
You may need to run the command a few times — there are inter-dependencies among the several files, and some files can’t execute at all when their data sources reference something in a data stack that doesn’t exist yet.
Try it out and let me know what you think! Good luck out there.
kyler