Terragrunt not respecting the provider.tf variables #3524

Open
cheops82 opened this issue Oct 29, 2024 · 5 comments

cheops82 commented Oct 29, 2024

I have an odd issue. I have this root terragrunt.hcl:

# ---------------------------------------------------------------------------------------------------------------------
# TERRAGRUNT CONFIGURATION
# Terragrunt is a thin wrapper for Terraform/OpenTofu that provides extra tools for working with multiple modules,
# remote state, and locking: https://github.com/gruntwork-io/terragrunt
# ---------------------------------------------------------------------------------------------------------------------

locals {
  # Automatically load domain-level variables
  domain_vars = read_terragrunt_config(find_in_parent_folders("domain.hcl"))

  # Automatically load region-level variables
  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))

  # Automatically load tenant-level variables
  project_vars = read_terragrunt_config(find_in_parent_folders("project.hcl"))

  # Automatically load common variables
  common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))

  # Extract the variables we need for each access - corrected to use .locals
  auth_url          = local.common_vars.locals.os_auth_url
  tenant_id         = local.project_vars.locals.os_project_id
  tenant_name       = local.project_vars.locals.os_project_name
  user_domain_id    = local.domain_vars.locals.os_user_domain_id
  user_domain_name  = local.domain_vars.locals.os_user_domain_name
  project_domain_id = local.domain_vars.locals.os_project_domain_id
  region            = local.region_vars.locals.os_region_name
}

# Generate an Openstack provider block
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite"
  contents  = <<EOF
terraform {
  required_version = ">= 1.6.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "~> 1.48.0"
    }
  }
}

provider "openstack" {
  auth_url            = "${local.auth_url}"
  tenant_id           = "${local.tenant_id}"
  tenant_name         = "${local.tenant_name}"
  user_domain_name    = "${local.user_domain_name}"
  project_domain_id   = "${local.project_domain_id}"
  region              = "${local.region}"
  enable_logging      = true
  user_name           = sensitive(coalesce(local.os_username, "${get_env("OS_USERNAME", "")}"))
  password            = sensitive(coalesce(local.os_password, "${get_env("OS_PASSWORD", "")}"))
}
EOF
}

I have a module down a couple of levels:

# terragrunt.hcl
include "root" {
  path = find_in_parent_folders()
}

terraform {
  source = "git::ssh://GITHUB/infrastructure-modules.git//composite/project-network?ref=v0.0.1"
}

inputs = {
  module_version = "v0.0.1"
  network_name = "template-project-network"
  subnet_cidr = "10.0.0.0/24"
  external_network_id = "12345"

  security_group_rules = [
    {
      direction        = "ingress"
      ethertype       = "IPv4"
      protocol        = "tcp"
      port_range_min  = 22
      port_range_max  = 22
      remote_ip_prefix = "0.0.0.0/0"
      remote_group_id = null
    }
  ]
}

When I run terragrunt apply, it creates these resources, but in the wrong tenant: the tenant that is the default for the keystone user I'm using.

The provider.tf being generated in .terragrunt-cache is correct:

# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
  required_version = ">= 1.6.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "~> 1.48.0"
    }
  }
}

provider "openstack" {
  auth_url            = "https://keystone.TEST.com:5000/v3"
  tenant_id           = "5aaaaaaaaaa"
  tenant_name         = "template-project"
  user_domain_name    = "admin_domain"
  project_domain_id   = "caaaaaaaaa"
  region              = "us1"
  enable_logging      = true
  user_name           = sensitive(coalesce(local.os_username, "admin"))
  password            = sensitive(coalesce(local.os_password, "aaaaaaa11112222"))

The only way I can get this to work with terragrunt is if I set the OS_PROJECT_ID="5aaaaaaaaaa" via export. Then it works as expected, but that is not an option since this is something generated by a project.hcl file at the project level.

Interestingly enough, I can go into the .terragrunt-cache directory where all the files are generated (backend.tf, main.tf, outputs.tf, provider.tf and variables.tf), and using this, I can run a terraform apply or a tofu apply and the resources will be created in the correct tenant.

I've tried literally everything I know to troubleshoot this and tried various versions of terragrunt to see if this is the issue, but no luck.

Looking for any insight. Thanks!


cheops82 commented Oct 29, 2024

Running terragrunt like this works:

OS_PROJECT_ID=5aaaaaaaaaa terragrunt apply


cheops82 commented Oct 29, 2024

I've also removed the following from the provider and it still works because it uses the user's default tenant. So it's as if these aren't recognized unless set via ENV.

tenant_id           = "${local.tenant_id}"
tenant_name         = "${local.tenant_name}"

@cheops82 (Author)

I found a workaround but this seems like it should work without this by default:

terraform {

  extra_arguments "project_vars" {
    commands = ["init", "plan", "apply", "destroy"]
    env_vars = {
      OS_PROJECT_ID = local.project_vars.locals.os_project_id
    }
  }
...

@denis256 (Member)

Hi,
it looks strange,
can you confirm that there is no OS_PROJECT_ID environment variable set when you run terraform apply in the .terragrunt-cache directory?
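One way to answer the question above from the shell that runs the commands, as an added example that is not part of the original thread or of Terragrunt: it lists which `OS_*` variables are set (names only, so credentials are not echoed) and compares `OS_PROJECT_ID` / `OS_TENANT_ID` with the `tenant_id` in a generated provider.tf. The function names and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: compare OpenStack OS_* environment variables with the
# tenant_id in a Terragrunt-generated provider.tf. Values of OS_*
# variables are never printed, only their names.

# Print the quoted tenant_id value from a provider.tf file (first match).
provider_tenant_id() {
  sed -n 's/^[[:space:]]*tenant_id[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# List the names of exported OS_* variables, one per line.
os_env_names() {
  env | sed -n 's/^\(OS_[A-Za-z0-9_]*\)=.*/\1/p' | sort
}

# Report whether OS_PROJECT_ID (or OS_TENANT_ID) is unset, matches the
# tenant_id in the given provider.tf, or differs from it.
check_project_env() {
  file_id=$(provider_tenant_id "$1")
  env_id=${OS_PROJECT_ID:-${OS_TENANT_ID:-}}
  if [ -z "$env_id" ]; then
    echo "unset"
  elif [ "$env_id" = "$file_id" ]; then
    echo "match"
  else
    echo "mismatch"
  fi
}

demo() {
  tmp=$(mktemp)
  # Constructed sample using the placeholder tenant_id shown in the issue.
  printf 'provider "openstack" {\n  tenant_id           = "5aaaaaaaaaa"\n}\n' > "$tmp"
  echo "provider.tf tenant_id: $(provider_tenant_id "$tmp")"
  echo "OS_* variables set: $(os_env_names | tr '\n' ' ')"
  echo "project env status: $(check_project_env "$tmp")"
  rm -f "$tmp"
}
demo
```

Running it once in the shell used for `terragrunt apply` and once in the shell used for `terraform apply` inside .terragrunt-cache shows whether the two runs see the same `OS_*` environment.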

denis256 added the "awaiting response" label (Waiting for a response or more data from issue reporter) Oct 31, 2024
yhakbar (Collaborator) commented Nov 22, 2024

Hey @cheops82,

To avoid having this go stale, can we either close out this issue or continue the discussion?
