In this note, I demonstrate how to use Terragrunt to deploy the same Terraform configuration code (with environment-specific configurations) across two separate AWS accounts using GitHub Actions. The process can be classified into three high-level steps. These are:
- Create the pre-requisites in AWS and GitHub Actions,
- Add the environment-specific Terragrunt HCL code to the GitHub repository, and
- Run the HCL code via GitHub Actions.
Check out my detailed note on that: Deploy Across AWS Accounts Like a Pro: Terragrunt, Terraform, and GitHub Actions.
Since I follow the setup above (a central automation account plus two separate accounts, one per environment), there are a few prerequisites to arrange before I can let the GitHub Actions automation run. These are:
(a) Configure OpenID Connect in the automation AWS account so that GitHub Actions can authenticate to it,
(b) Create a role with appropriate permissions in each target AWS account (Dev and Test),
(c) Set up a trust relationship between the IAM roles (the automation-account role and the Dev-account role, and the automation-account role and the Test-account role), and
(d) Create an Environment in GitHub for each product environment.
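The following Terraform HCL is an added example of prerequisites (a) to (c); it is not part of this note's repository. It assumes a GitHub repository named `example-org/example-repo`, GitHub Environments named `dev` and `test`, placeholder account IDs, and a provider alias `aws.dev` configured for the Dev account. The security-relevant detail is the trust policy on the automation role: it pins the `aud` claim and restricts the `sub` claim to one repository and the two named GitHub Environments, so a workflow from another repository or branch cannot assume the role, and the automation role may assume only the two environment deploy roles.

```hcl
# Added example, not the note's own code. Placeholder values are marked.
locals {
  github_repo        = "example-org/example-repo" # assumption
  dev_deploy_role    = "arn:aws:iam::222222222222:role/terragrunt-deploy"  # placeholder account id
  test_deploy_role   = "arn:aws:iam::333333333333:role/terragrunt-deploy"  # placeholder account id
}

# (a) OIDC identity provider for GitHub in the automation account.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  # Placeholder: take the current thumbprint from the AWS/GitHub documentation.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

# Role in the automation account that the GitHub Actions workflow assumes.
# The Condition block is what limits which workflows can obtain credentials.
resource "aws_iam_role" "github_actions" {
  name = "github-actions-automation"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # Only jobs that run in the named GitHub Environments of this repo.
          "token.actions.githubusercontent.com:sub" = [
            "repo:${local.github_repo}:environment:dev",
            "repo:${local.github_repo}:environment:test",
          ]
        }
      }
    }]
  })
}

# (c), automation side: the automation role may assume only the environment roles.
resource "aws_iam_role_policy" "assume_env_roles" {
  name = "assume-environment-roles"
  role = aws_iam_role.github_actions.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = [local.dev_deploy_role, local.test_deploy_role]
    }]
  })
}

# (b) + (c), target-account side: the deploy role in the Dev account trusts only
# the automation role. The Test account gets the same role via its own provider
# alias. Attach a least-privilege permissions policy to this role separately;
# it is deliberately not shown here.
resource "aws_iam_role" "dev_deploy" {
  provider = aws.dev
  name     = "terragrunt-deploy"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.github_actions.arn }
      Action    = "sts:AssumeRole"
    }]
  })
}
```

The workflow job that uses this role must declare `permissions: id-token: write`, otherwise GitHub will not issue the OIDC token and the `AssumeRoleWithWebIdentity` call fails.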
The logic to manage the deployment is stored in the `terragrunt.hcl` file. Since deploying to multiple environments is the same procedure, I am utilizing a reusable workflow. You can read about that in my note on using reusable workflows in GitHub Actions.
There are two top-level folders: `.github`, which stores the pipeline workflow YAML files, and `environment`, which stores the environment-specific (dev and test) HCL configuration. I could have had another folder in the GitHub repository, `infrastructure`, and kept the Terraform code (.tf files) in the same repository; I do not have it that way.
Instead, I am (partially) following the recommendations made in the infrastructure-live article for Terragrunt, where the Terraform code is stored independently of the Terragrunt configuration.
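As an added example of the layout described above (not the note's own files), here is a root `environment/terragrunt.hcl` that holds the shared remote-state setup and a child `environment/dev/terragrunt.hcl` that pulls the Terraform code from a separate modules repository, as the infrastructure-live pattern recommends. It assumes a modules repository `example-org/infrastructure-modules` with a `vpc` module, a placeholder Dev account ID and state bucket, and that `iam_role` points at the Dev-account deploy role the automation role is trusted to assume; the `test` folder would differ only in its values.

```hcl
# --- environment/terragrunt.hcl (root, shared by dev and test) ---
# Added example, not the note's own code. Bucket and table names are placeholders.
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "example-tfstate-${get_env("ENV_NAME", "dev")}" # placeholder
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                      # state contains secrets; keep it encrypted
    dynamodb_table = "example-tflock"          # placeholder; state locking
  }
}

# --- environment/dev/terragrunt.hcl ---
include "root" {
  path = find_in_parent_folders()
}

terraform {
  # Terraform code lives in its own repository and is pinned to a tag, so a
  # deployment is reproducible and a module change cannot land unreviewed.
  source = "git::https://github.com/example-org/infrastructure-modules.git//vpc?ref=v1.2.0" # assumption
}

# Role in the Dev account assumed by the automation account's OIDC role.
iam_role = "arn:aws:iam::222222222222:role/terragrunt-deploy" # placeholder account id

# Environment-specific values passed to the module as Terraform variables.
inputs = {
  environment = "dev"
  vpc_cidr    = "10.10.0.0/16"
}
```

The reusable workflow can then run `terragrunt plan` or `terragrunt apply` from the environment folder it is given; `iam_role` does the cross-account hop, and the pinned `ref` is the single place to bump when the shared module changes.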
This code is released under the Unlicense. See LICENSE.