Terragrunt dependency blocks: why only check for changes to terragrunt.hcl?

Open mustafa89 opened this issue 2 years ago • 10 comments

Thanks for this great tool!

Everything works as intended, I just had a small question regarding dependencies.

I see that when we have a dependency block in the terragrunt.hcl of, say, the main-web-app project, and it depends on the output from the iam-roles project:


# main-web-app/terragrunt.hcl
dependency "iam_roles" {
  config_path = "../iam-roles"
  mock_outputs = {
    role_arn = "placeholder"
  }
}

inputs = {
  role_arn = dependency.iam_roles.outputs.role_arn
}

Why does the atlantis.yaml only check the single ../iam-roles/terragrunt.hcl file for changes?

- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../terragrunt.hcl
    - ../iam-roles/terragrunt.hcl
  dir: infrastructure/dev/us-east-1/main-web-app

What if I delete that output for role_arn that main-web-app depends on? Since I made no change to the terragrunt.hcl, the change goes unnoticed, and the next time I run terragrunt in the main-web-app directory, we will get an error.

I understand that the change in main-web-app will only be reflected once the output is actually deleted, but why track terragrunt.hcl? Feels redundant.

Maybe I'm missing something here. If you could please advise here, it would be appreciated. Thanks.

mustafa89 avatar May 04 '22 18:05 mustafa89

Hello, it would be great if someone could guide on the intended use case. If this is a bug I'll try and create a PR for this. Many thanks :)

mustafa89 avatar May 17 '22 07:05 mustafa89

Hey @mustafa89! Could you share how the iam-roles module in this example declares its source terraform module to use?

In theory, this tool does try to find all dependencies of dependencies recursively, so I would have expected main-web-app to not only list terragrunt.hcl from iam-roles, but also the .tf and other related files iam-roles depends on, so this may be a bug.

dmattia avatar Jul 06 '22 21:07 dmattia

Hey, there are no modules in my example, main-web-app and iam-roles are terragrunt projects at the same level in a dir.

so I would have expected main-web-app to not only list terragrunt.hcl from iam-roles, but also the .tf and other related files iam-roles depends on

Exactly, and it does not do that.

I'm using version: 1.14.2

Here is the project structure:

staging-account
├── iam-roles
│   ├── main.tf
│   ├── terragrunt.hcl
│   └── versions.tf
└── main-web-app
    ├── main.tf
    ├── terragrunt.hcl
    └── versions.tf

mustafa89 avatar Jul 08 '22 21:07 mustafa89

Could you open a PR adding these files (can use dummy data) to the test_examples folder? I can then run some e2e tests and make sure the output is as expected with any fixes

dmattia avatar Jul 13 '22 14:07 dmattia

I am also seeing this behavior which I found odd.

I have one 'leaf' terraform module in a folder called myapp/k8s which declares a terragrunt dependency on myapp/main (or more precisely, ../main). I use terragrunt to pass some outputs from the main module to k8s module via inputs. Both modules also reference other local modules using the standard terraform module resource blocks.

terragrunt-atlantis-config generate --output bleb.yaml --autoplan --parallel --create-workspace --execution-order-groups

The output I get is:

...
- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../../terragrunt.hcl
    - ../../../../modules/aks/*.tf*
    - ../../../../modules/custom-dns-zone/*.tf*
    - ../../../../modules/storage_account/*.tf*
  dir: terraform/azure/tf/environments/tnd/myapp/main
  workspace: terraform_azure_tf_environments_tnd_myapp_main
- autoplan:
    enabled: true
    when_modified:
    - '*.hcl'
    - '*.tf*'
    - ../../terragrunt.hcl
    - ../main/terragrunt.hcl
    - ../../../../modules/aks/*.tf*
    - ../../../../modules/custom-dns-zone/*.tf*
    - ../../../../modules/storage_account/*.tf*
  dir: terraform/azure/tf/environments/tnd/myapp/k8s
  execution_order_group: 1
  workspace: terraform_azure_tf_environments_tnd_myapp_k8s
...

I would have expected the ../main/terragrunt.hcl line to also have an associated *.tf* line.

megakid avatar Jul 18 '22 22:07 megakid
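
The expectation in the comment above can be checked mechanically. The following is an added example, not part of the thread and not terragrunt-atlantis-config's own code: it flags every project whose `when_modified` list watches another project's `terragrunt.hcl` without also watching that project's `*.tf*` files. It assumes the dependency is itself a project in the same atlantis.yaml; `missing_dependency_globs` and `PROJECTS` are hypothetical names, and the sample data is constructed from the output quoted above.

```python
import posixpath

# Constructed sample mirroring the two projects in the output quoted above,
# shaped as the "projects" list of atlantis.yaml after YAML loading.
_ROOT = "terraform/azure/tf/environments/tnd/myapp"
_SHARED = ["*.hcl", "*.tf*", "../../terragrunt.hcl",
           "../../../../modules/aks/*.tf*",
           "../../../../modules/custom-dns-zone/*.tf*",
           "../../../../modules/storage_account/*.tf*"]
PROJECTS = [
    {"dir": _ROOT + "/main",
     "autoplan": {"enabled": True, "when_modified": list(_SHARED)}},
    {"dir": _ROOT + "/k8s",
     "autoplan": {"enabled": True,
                  "when_modified": _SHARED + ["../main/terragrunt.hcl"]}},
]


def missing_dependency_globs(projects, tf_glob="*.tf*"):
    """Return {project dir: [dependency globs absent from when_modified]}."""
    project_dirs = {posixpath.normpath(p["dir"]) for p in projects}
    findings = {}
    for project in projects:
        base = posixpath.normpath(project["dir"])
        patterns = project.get("autoplan", {}).get("when_modified", [])
        # Resolve each pattern against the project dir so different relative
        # spellings of one path compare equal.
        resolved = {posixpath.normpath(posixpath.join(base, p)) for p in patterns}
        missing = []
        for pattern in patterns:
            if posixpath.basename(pattern) != "terragrunt.hcl":
                continue
            dep_dir = posixpath.dirname(
                posixpath.normpath(posixpath.join(base, pattern)))
            # A parent include (../../terragrunt.hcl) is not another project's
            # directory, so only true dependency projects pass this filter.
            if dep_dir == base or dep_dir not in project_dirs:
                continue
            if posixpath.join(dep_dir, tf_glob) not in resolved:
                missing.append(posixpath.relpath(dep_dir, base) + "/" + tf_glob)
        if missing:
            findings[project["dir"]] = missing
    return findings


if __name__ == "__main__":
    for directory, globs in missing_dependency_globs(PROJECTS).items():
        print(directory, "is missing", globs)
```

Run in CI against the generated atlantis.yaml, a non-empty result means a change to a dependency's Terraform files would not trigger an autoplan for the dependent project.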

I would have expected the ../main/terragrunt.hcl line to also have an associated .tf line.

It seems like it should have! If you can add a repro to the examples folder I can make sure it works

dmattia avatar Jul 19 '22 03:07 dmattia

I added the sample project directories. Hope they are in the correct format.

mustafa89 avatar Jul 29 '22 22:07 mustafa89

Hey @dmattia, did you by any chance have time to test this out?

mustafa89 avatar Aug 10 '22 10:08 mustafa89

I haven't yet, but hope to in the coming weeks. Apologies for the delay!

dmattia avatar Aug 10 '22 19:08 dmattia

The generator used to do this IIRC.

However, I’d try to persuade you not to store your Terraform files in the Terragrunt repo. Even with the correct blast radius detection, unless your team has an iron discipline, changes to *.tf files may not be applied to all impacted Terragrunt modules. We found this sort of setup to be a drift machine, since there is no versioning of Terraform modules from the perspective of Terragrunt. Relative file references always point to the latest version. Change one tf file and if you commit it without applying ALL the downstream tg changes, you have just created a bunch of drift.

I find placing the Terraform modules into their own repo (similar to the TF registry pattern), and then using immutable version tags on them with Terragrunt Git protocol references for source Terraform modules (including the tag) far superior.

gmaghera avatar Sep 12 '22 15:09 gmaghera