Acme's Infrastructure - Terragrunt Reference Architecture (updated: May 2020) This repository contains rather complete infrastructure configurations where Terragrunt is used to manage infrastructure for Acme Corporation . By the way! This code is very close to the one produced by modules.tf - open-source infrastructure as code generator from visual diagrams created with Cloudcraft.co . See it yourself in modules.tf-demo ! Introduction Acme has several environments (prod, staging and dev) entirely separated by AWS accounts. Infrastructure in each environment consists of multiple layers (autoscaling, alb, vpc, ...) where each layer is configured using one of Terraform AWS modules with arguments specified in terragrunt.hcl in layer's directory. Terragrunt is used to work with Terraform configurations which allows orchestrating of dependent layers, update arguments dynamically and keep configurations DRY . Environments Primary AWS region for all environments is eu-central-1 (Frankfurt) : acme-prod - Production configurations (AWS account - 111111111111) acme-staging - Staging configurations (AWS account - 444444444444) acme-master - Master AWS account (333333333333) contains: AWS Organizations IAM entities (users, groups) ECR repositories Route53 zones Pre-requirements Terraform 0.12 Terragrunt 0.22 or newer Terraform Docs pre-commit hooks to keep Terraform formatting and documentation up-to-date direnv to automatically set correct environment variables per AWS account as specified in .envrc (optional) If you are using macOS you can install all dependencies using Homebrew : $ brew install terraform terragrunt pre-commit Configure access to AWS account Acme has dedicated AWS account where IAM users, groups and roles managed. This AWS account is a jump account, where IAM users logged in, and then they assume role in other AWS account. The recommended way to configure access credentials to AWS account is using environment variables: $ export AWS_DEFAULT_REGION=eu-west-1 $ export AWS_ACCESS_KEY_ID=... $ export AWS_SECRET_ACCESS_KEY=... Alternatively, you can edit terragrunt.hcl and use another authentication mechanism as described in AWS provider documentation . aws-vault , vaulted , awsp or other tool can be used to manage your AWS credentials securely locally and switch roles. Create and manage your infrastructure Infrastructure consists of multiple layers (vpc, alb, ...) where each layer is described using one Terraform module with inputs arguments specified in terragrunt.hcl in respective layer's directory. Navigate through layers to review and customize values inside inputs block. There are two ways to manage infrastructure (slower&complete, or faster&granular): Region as a whole (slower&complete). Run this command to create infrastructure in all layers in a single region: $ cd acme-prod/eu-central-1 $ terragrunt apply-all As a single layer (faster&granular). Run this command to create infrastructure in a single layer (eg, vpc ): $ cd acme-prod/eu-central-1/vpc $ terragrunt apply After you confirm the creation of the infrastructure should succeed. If you want to suppress irrelevant output produced by Terragrunt, you can install this alias in your shell ( source to gist ): terragrunt () { local action=$1 shift 1 command terragrunt $action "$@" 2>&1 | sed -E "s|$(dirname $(pwd))/||g;s|^\[terragrunt\]( [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})* ||g;s|(\[.*\]) [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}|\1|g" } References Terraform documentation and Terragrunt documentation for all available commands and features. Terraform AWS modules . Terraform modules registry . Author This project is created and maintained by Anton Babenko . License All content, including Terraform AWS modules used in these configurations, is released under the MIT License. Copyright (c) 2019-2020 Anton Babenko