gruntwork-io · nilsdebruin · Feb 10, 2021
@@ -135,6 +135,20 @@ Where:
   Scaling Groups, ECS Clusters, Databases, Load Balancers, and so on. Note that the Terraform code for most of these
   resources lives in the [terragrunt-infrastructure-modules-example repo](https://github.com/gruntwork-io/terragrunt-infrastructure-modules-example).
 
+## Multi-account set-up with assumed roles
+When you would like to make use of AWS assumed roles, you can use the `terragrunt-assumed-role.hcl` file and rename this to `terragrunt.hcl`.
+
+For this simple example to work, we assume that you have created your initial AWS account and created two sub-accounts, one for `non-prod` and one for `prod`
+and have filled in the account ids for these accounts in the `non-prod` and `prod` `account.hcl` files.
+
+When new sub-accounts are created, a default role will be created with the name `OrganizationAccountAccessRole`.
+You have to enable an AWS profile with administrator access and set the environment variable in your terminal.
+
+Before running the session, do the following to activate this profile: `export AWS_PROFILE=terragrunt`
+
+Now you can perform the same deployment steps as mentioned earlier.
+
+
 ## Creating and using root (account) level variables
 
 In the situation where you have multiple AWS accounts or regions, you often have to pass common variables down to each

@@ -4,4 +4,5 @@ locals {
   account_name   = "non-prod"
   aws_account_id = "replaceme" # TODO: replace me with your AWS account ID!
   aws_profile    = "non-prod"
+  role_to_assume = "OrganizationAccountAccessRole" # TODO: replace me with a role to assume
 }
@@ -4,4 +4,5 @@ locals {
   account_name   = "prod"
   aws_account_id = "replaceme" # TODO: replace me with your AWS account ID!
   aws_profile    = "prod"
+  role_to_assume = "OrganizationAccountAccessRole" # TODO: replace me with a role to assume if needed
 }
@@ -0,0 +1,71 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# TERRAGRUNT CONFIGURATION
+# Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules,
+# remote state, and locking: https://github.com/gruntwork-io/terragrunt
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  # Automatically load account-level variables
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+
+  # Automatically load region-level variables
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+  # Automatically load environment-level variables
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+
+  # Extract the variables we need for easy access
+  account_name = local.account_vars.locals.account_name
+  account_id   = local.account_vars.locals.aws_account_id
+  role_to_assume = local.account_vars.locals.role_to_assume
+  aws_region   = local.region_vars.locals.aws_region
+}
+
+# Generate an AWS provider block
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region = "${local.aws_region}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+assume_role {
+    role_arn = "arn:aws:iam::${local.account_id}:role/${local.role_to_assume}"
+  }
+}
+EOF
+}
+
+# Configure Terragrunt to automatically store tfstate files in an S3 bucket
+remote_state {
+  backend = "s3"
+  config = {
+    encrypt        = true
+    bucket         = "${get_env("TG_BUCKET_PREFIX", "")}terragrunt-example-terraform-state-${local.account_name}-${local.aws_region}"
+    key            = "${path_relative_to_include()}/terraform.tfstate"
+    region         = local.aws_region
+    dynamodb_table = "terraform-locks"
+    role_arn = "arn:aws:iam::${local.account_id}:role/${local.role_to_assume}"
+  }
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+}
+
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These variables apply to all configurations in this subfolder. These are automatically merged into the child
+# `terragrunt.hcl` config via the include block.
+# ---------------------------------------------------------------------------------------------------------------------
+
+# Configure root level variables that all resources can inherit. This is especially helpful with multi-account configs
+# where terraform_remote_state data sources are placed directly into the modules.
+inputs = merge(
+  local.account_vars.locals,
+  local.region_vars.locals,
+  local.environment_vars.locals,
+)