terragrunt-atlantis-config
Terragrunt dependency blocks: why only check for changes to terragrunt.hcl?
Thanks for this great tool!
Everything works as intended, I just had a small question regarding dependencies.
I see that when we have a dependency block in the terragrunt.hcl of say main-web-app project, and it depends on the output from the iam-roles project
# main-web-app/terragrunt.hcl
dependency "iam_roles" {
  config_path = "../iam-roles"
  mock_outputs = {
    role_arn = "placeholder"
  }
}
inputs = {
  role_arn = dependency.iam_roles.outputs.role_arn
}
why does the atlantis.yaml only check the single ../iam-roles/terragrunt.hcl file for changes.
- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../terragrunt.hcl
    - ../iam-roles/terragrunt.hcl
  dir: infrastructure/dev/us-east-1/main-web-app
What if I delete that output for role_arn that main-web-app depends on? Since I made no change to the terragrunt.hcl, the change goes unnoticed, and the next time I run terragrunt in the main-web-app directory, we will get an error.
I understand that the change in main-web-app will only be reflected once the output is actually deleted, but why track terragrunt.hcl? It feels redundant.
Maybe I'm missing something here. If you could please advise here, it would be appreciated. Thanks.
Hello, it would be great if someone could guide on the intended use case. If this is a bug I'll try and create a PR for this. Many thanks :)
Hey @mustafa89! Could you share how the iam-roles module in this example declares its source terraform module to use?
In theory, this tool does try to find all dependencies of dependencies recursively, so I would have expected main-web-app to not only list terragrunt.hcl from iam-roles, but also the .tf and other related files iam-roles depends on, so this may be a bug.
Hey, there are no modules in my example, main-web-app and iam-roles are terragrunt projects at the same level in a dir.
> so I would have expected main-web-app to not only list terragrunt.hcl from iam-roles, but also the .tf and other related files iam-roles depends on
Exactly, and it does not do that.
I'm using version: 1.14.2
here is the project structure
staging-account
├── iam-roles
│   ├── main.tf
│   ├── terragrunt.hcl
│   └── versions.tf
└── main-web-app
    ├── main.tf
    ├── terragrunt.hcl
    └── versions.tf
Could you open a PR adding these files (can use dummy data) to the test_examples folder? I can then run some e2e tests and make sure the output is as expected with any fixes
I am also seeing this behavior which I found odd.
I have one 'leaf' terraform module in a folder called myapp/k8s which declares a terragrunt dependency on myapp/main (or more precisely, ../main). I use terragrunt to pass some outputs from the main module to k8s module via inputs. Both modules also reference other local modules using the standard terraform module resource blocks.
terragrunt-atlantis-config generate --output bleb.yaml --autoplan --parallel --create-workspace --execution-order-groups
The output I get is:
...
- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../../terragrunt.hcl
    - ../../../../modules/aks/*.tf*
    - ../../../../modules/custom-dns-zone/*.tf*
    - ../../../../modules/storage_account/*.tf*
  dir: terraform/azure/tf/environments/tnd/myapp/main
  workspace: terraform_azure_tf_environments_tnd_myapp_main
- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../../terragrunt.hcl
    - ../main/terragrunt.hcl
    - ../../../../modules/aks/*.tf*
    - ../../../../modules/custom-dns-zone/*.tf*
    - ../../../../modules/storage_account/*.tf*
  dir: terraform/azure/tf/environments/tnd/myapp/k8s
  execution_order_group: 1
  workspace: terraform_azure_tf_environments_tnd_myapp_k8s
...
I would have expected the ../main/terragrunt.hcl line to also have an associated *.tf* line.
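A check for the gap reported in this thread, added here as an example and not part of terragrunt-atlantis-config or any poster's code: it flags projects whose when_modified watches a dependency's terragrunt.hcl but none of that directory's .tf files. The function names, the line-based parser and the sample input are assumptions made for illustration.

```python
import posixpath

# Constructed sample shaped like the generated output quoted in this thread.
SAMPLE = """\
- autoplan:
    when_modified:
    - '*.tf*'
    - ../terragrunt.hcl
    - ../iam-roles/terragrunt.hcl
  dir: infrastructure/dev/us-east-1/main-web-app
- autoplan:
    when_modified:
    - '*.tf*'
    - ../terragrunt.hcl
  dir: infrastructure/dev/us-east-1/iam-roles
"""

def parse_projects(text):
    """Line parser for the layout above only; not a general YAML parser."""
    projects, in_list = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("- autoplan:"):
            projects.append({"dir": None, "when_modified": []})
        elif line == "when_modified:":
            in_list = True
        elif in_list and line.startswith("- "):
            projects[-1]["when_modified"].append(line[2:].strip("'\""))
        else:
            in_list = False
            if line.startswith("dir:") and projects:
                projects[-1]["dir"] = line.split(":", 1)[1].strip()
    return projects

def uncovered_dependencies(patterns):
    """Dirs whose terragrunt.hcl is watched while none of their .tf files are."""
    missing = []
    for pattern in patterns:
        dep_dir, name = posixpath.split(pattern)
        # A path made only of ".." segments is a parent include, not a dependency.
        if name != "terragrunt.hcl" or set(dep_dir.split("/")) <= {"", ".."}:
            continue
        if not any(posixpath.dirname(q) == dep_dir and ".tf" in posixpath.basename(q)
                   for q in patterns):
            missing.append(dep_dir)
    return missing

def audit(text):
    found = {p["dir"]: uncovered_dependencies(p["when_modified"]) for p in parse_projects(text)}
    return {d: deps for d, deps in found.items() if deps}
```

Running audit() over a generated atlantis.yaml in CI gives a list of projects where a change to a dependency's Terraform code would not trigger an autoplan.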
> I would have expected the ../main/terragrunt.hcl line to also have an associated .tf line.
It seems like it should have! If you can add a repro to the examples folder I can make sure it works
I added the sample project directories. Hope they are in the correct format.
hey @dmattia, did you by any chance have time to test this out?
I haven't yet, but hope to in the coming weeks. Apologies for the delay!
The generator used to do this IIRC.
However, I’d try to persuade you not to store your Terraform files in the Terragrunt repo. Even with the correct blast radius detection, unless your team has an iron discipline, changes to *.tf files may not be applied to all impacted Terragrunt modules. We found this sort of setup to be a drift machine, since there is no versioning of Terraform modules from the perspective of Terragrunt. Relative file references always point to the latest version. Change one tf file and if you commit it without applying ALL the downstream tg changes, you have just created a bunch of drift.
I find placing the Terraform modules into their own repo (similar to the TF registry pattern), and then using immutable version tags on them with Terragrunt Git protocol references for source Terraform modules (including the tag) far superior.