remote

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 27, 2026 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

// Defaults and policy statement identifiers for the S3 state bucket.
//
// DefaultS3BucketAccessLoggingTargetPrefix is the "TFStateLogs/" prefix;
// presumably used when ExtendedRemoteStateConfigS3.AccessLoggingTargetPrefix
// is left empty (confirm in the S3 initializer).
//
// SidRootPolicy and SidEnforcedTLSPolicy look like the Sid values of the
// bucket-policy statements added by EnableRootAccesstoS3Bucket and
// EnableEnforcedTLSAccesstoS3Bucket. NOTE(review): inferred from the names;
// if that holds, these are the strings to look for when auditing an existing
// bucket policy for the two statements.
const (
	DefaultS3BucketAccessLoggingTargetPrefix = "TFStateLogs/"
	SidRootPolicy                            = "RootAccess"
	SidEnforcedTLSPolicy                     = "EnforcedTLS"
)
// DEFAULT_PATH_TO_LOCAL_STATE_FILE is the relative file name
// "terraform.tfstate". The directory it is resolved against is chosen by the
// caller and is not visible in this declaration.
const DEFAULT_PATH_TO_LOCAL_STATE_FILE = "terraform.tfstate"

When storing Terraform state locally, this is the default path to the tfstate file

// DEFAULT_PATH_TO_REMOTE_STATE_FILE has the same value as
// DEFAULT_PATH_TO_LOCAL_STATE_FILE. NOTE(review): the value is a file name,
// not a folder; the directory is presumably supplied by the caller (compare
// the dataDir parameter of ParseTerraformStateFileFromLocation) - confirm.
const DEFAULT_PATH_TO_REMOTE_STATE_FILE = "terraform.tfstate"

When using remote state storage, Terraform keeps a local copy of the state file in this folder

// MAX_RETRIES_WAITING_FOR_GCS_BUCKET is an attempt count of 12. Presumably the
// retry cap of WaitUntilGCSBucketExists; with the 5 second sleep constant that
// bounds the wait at about one minute - confirm in the implementation.
const MAX_RETRIES_WAITING_FOR_GCS_BUCKET = 12
// MAX_RETRIES_WAITING_FOR_S3_BUCKET is an attempt count of 12. Presumably the
// retry cap of WaitUntilS3BucketExists; with the 5 second sleep constant that
// bounds the wait at about one minute - confirm in the implementation.
const MAX_RETRIES_WAITING_FOR_S3_BUCKET = 12
// SLEEP_BETWEEN_RETRIES_WAITING_FOR_GCS_BUCKET is a fixed 5 second pause.
// Presumably the delay between existence checks in WaitUntilGCSBucketExists
// (no backoff or jitter is expressed by the constant itself) - confirm.
const SLEEP_BETWEEN_RETRIES_WAITING_FOR_GCS_BUCKET = 5 * time.Second
// SLEEP_BETWEEN_RETRIES_WAITING_FOR_S3_BUCKET is a fixed 5 second pause.
// Presumably the delay between existence checks in WaitUntilS3BucketExists
// (no backoff or jitter is expressed by the constant itself) - confirm.
const SLEEP_BETWEEN_RETRIES_WAITING_FOR_S3_BUCKET = 5 * time.Second

Variables

// Sentinel errors for remote state configuration. Each is built once with
// fmt.Errorf and no formatting verbs, so it is a single fixed value that
// callers can match with errors.Is.
//
// ErrRemoteBackendMissing reports an empty remote_state.backend field
// (presumably returned by RemoteState.Validate - confirm).
// ErrGenerateCalledWithNoGenerateAttr reports that code generation was
// requested although no generate attribute is configured.
var (
	ErrRemoteBackendMissing             = fmt.Errorf("the remote_state.backend field cannot be empty")
	ErrGenerateCalledWithNoGenerateAttr = fmt.Errorf("generate code routine called when no generate attribute is configured")
)

Custom errors

Functions

func AddLabelsToGCSBucket

func AddLabelsToGCSBucket(gcsClient *storage.Client, config *ExtendedRemoteStateConfigGCS, terragruntOptions *options.TerragruntOptions) error

func CreateGCSBucket

func CreateGCSBucket(gcsClient *storage.Client, config *ExtendedRemoteStateConfigGCS, terragruntOptions *options.TerragruntOptions) error

Create the GCS bucket specified in the given config

func CreateGCSBucketWithVersioning

func CreateGCSBucketWithVersioning(gcsClient *storage.Client, config *ExtendedRemoteStateConfigGCS, terragruntOptions *options.TerragruntOptions) error

CreateGCSBucketWithVersioning creates the given GCS bucket and enables versioning for it.

func CreateGCSClient

func CreateGCSClient(gcsConfigRemote RemoteStateConfigGCS) (*storage.Client, error)

CreateGCSClient creates an authenticated client for GCS

func CreateLogsS3BucketIfNecessary

func CreateLogsS3BucketIfNecessary(s3Client *s3.S3, logsBucketName *string, terragruntOptions *options.TerragruntOptions) error

func CreateS3Bucket

func CreateS3Bucket(s3Client *s3.S3, bucket *string, terragruntOptions *options.TerragruntOptions) error

Create the S3 bucket specified in the given config

func CreateS3BucketWithVersioningSSEncryptionAndAccessLogging

func CreateS3BucketWithVersioningSSEncryptionAndAccessLogging(s3Client *s3.S3, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Create the given S3 bucket and enable versioning for it

func CreateS3Client

func CreateS3Client(config *awsauth.AwsSessionConfig, terragruntOptions *options.TerragruntOptions) (*s3.S3, error)

Create an authenticated client for S3

func DoesGCSBucketExist

func DoesGCSBucketExist(gcsClient *storage.Client, config *RemoteStateConfigGCS) bool

DoesGCSBucketExist returns true if the GCS bucket specified in the given config exists and the current user has the ability to access it.

func DoesS3BucketExist

func DoesS3BucketExist(s3Client *s3.S3, bucket *string) bool

Returns true if the S3 bucket specified in the given config exists and the current user has the ability to access it.

func EnableAccessLoggingForS3BucketWide

func EnableAccessLoggingForS3BucketWide(s3Client *s3.S3, config *RemoteStateConfigS3, terragruntOptions *options.TerragruntOptions, logsBucket string, logsBucketPrefix string) error

Enable bucket-wide Access Logging for the AWS S3 bucket specified in the given config

func EnableEnforcedTLSAccesstoS3Bucket

func EnableEnforcedTLSAccesstoS3Bucket(s3Client *s3.S3, bucket string, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Add a policy to enforce TLS based access to the bucket

func EnablePublicAccessBlockingForS3Bucket

func EnablePublicAccessBlockingForS3Bucket(s3Client *s3.S3, bucketName string, terragruntOptions *options.TerragruntOptions) error

Block all public access policies on the bucket and objects. These settings ensure that a misconfiguration of the bucket or objects will not accidentally enable public access to those items. See https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html for more information.

func EnableRootAccesstoS3Bucket

func EnableRootAccesstoS3Bucket(s3Client *s3.S3, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Add a policy to allow root access to the bucket

func EnableSSEForS3BucketWide

func EnableSSEForS3BucketWide(s3Client *s3.S3, bucketName string, algorithm string, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Enable bucket-wide Server-Side Encryption for the AWS S3 bucket specified in the given config

func EnableVersioningForS3Bucket

func EnableVersioningForS3Bucket(s3Client *s3.S3, config *RemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Enable versioning for the S3 bucket specified in the given config

func TagS3Bucket

func TagS3Bucket(s3Client *s3.S3, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

func TagS3BucketAccessLogging

func TagS3BucketAccessLogging(s3Client *s3.S3, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

func UpdateLockTableSetSSEncryptionOnIfNecessary

func UpdateLockTableSetSSEncryptionOnIfNecessary(s3Config *RemoteStateConfigS3, config *ExtendedRemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

Update a table for locks in DynamoDB if the user has configured a lock table and the table's server-side encryption isn't turned on

func WaitUntilGCSBucketExists

func WaitUntilGCSBucketExists(gcsClient *storage.Client, config *RemoteStateConfigGCS, terragruntOptions *options.TerragruntOptions) error

GCP is eventually consistent, so after creating a GCS bucket, this method can be used to wait until the information about that GCS bucket has propagated everywhere.

func WaitUntilS3BucketExists

func WaitUntilS3BucketExists(s3Client *s3.S3, config *RemoteStateConfigS3, terragruntOptions *options.TerragruntOptions) error

AWS is eventually consistent, so after creating an S3 bucket, this method can be used to wait until the information about that S3 bucket has propagated everywhere

Types

type BucketCreationNotAllowed

// BucketCreationNotAllowed is a string-based error type. The receiver name of
// its Error method suggests the string value is the bucket name. Presumably
// raised when the bucket is missing and creation has been disabled in the
// config - confirm against the initializers.
type BucketCreationNotAllowed string

func (BucketCreationNotAllowed) Error

func (bucketName BucketCreationNotAllowed) Error() string

type CantParseTerraformStateFile

// CantParseTerraformStateFile is an error type that carries the path of the
// state file and the error that caused the parse to fail.
// NOTE(review): no Unwrap method is listed for this type, so errors.Is and
// errors.As may not reach UnderlyingErr - confirm in the source.
type CantParseTerraformStateFile struct {
	Path          string
	UnderlyingErr error
}

func (CantParseTerraformStateFile) Error

func (err CantParseTerraformStateFile) Error() string

type ExtendedRemoteStateConfigGCS

// ExtendedRemoteStateConfigGCS holds the GCS-backend settings that terragrunt
// consumes itself when it manages the state bucket: project, location, labels
// and bucket-management switches.
//
// Security-relevant fields (NOTE(review): effects are inferred from the field
// names and mapstructure keys; confirm in GCSInitializer):
//   - SkipBucketVersioning appears to opt out of the versioning that
//     CreateGCSBucketWithVersioning would otherwise enable; without object
//     versions an overwritten or deleted state object is harder to recover.
//   - SkipBucketCreation presumably stops terragrunt from creating a missing
//     bucket.
//   - EnableBucketPolicyOnly presumably enables bucket-level-only access
//     control; as a plain bool its zero value is false.
type ExtendedRemoteStateConfigGCS struct {
	Project                string            `mapstructure:"project"`
	Location               string            `mapstructure:"location"`
	GCSBucketLabels        map[string]string `mapstructure:"gcs_bucket_labels"`
	SkipBucketVersioning   bool              `mapstructure:"skip_bucket_versioning"`
	SkipBucketCreation     bool              `mapstructure:"skip_bucket_creation"`
	EnableBucketPolicyOnly bool              `mapstructure:"enable_bucket_policy_only"`
	// contains filtered or unexported fields
}

We use this construct to separate the config key 'gcs_bucket_labels' from the others, as it is specific to the gcs backend, but only used by terragrunt to tag the gcs bucket in case it has to create it.

type ExtendedRemoteStateConfigS3

// ExtendedRemoteStateConfigS3 holds the S3-backend settings that terragrunt
// consumes itself when it manages the state bucket, the lock table and the
// access-log bucket: tags, bucket-management switches and encryption options.
//
// Security-relevant fields (NOTE(review): the effect of each is inferred from
// its name and from the Enable* functions this package exports; confirm in
// S3Initializer):
//   - SkipBucketVersioning, SkipBucketSSEncryption, SkipBucketAccessLogging,
//     SkipBucketRootAccess, SkipBucketEnforcedTLS and
//     SkipBucketPublicAccessBlocking each appear to opt out of one protection
//     terragrunt would otherwise apply to the bucket. They are plain bools, so
//     their zero value is false; a configuration that sets one to true is
//     worth an explicit justification in review.
//   - DisableBucketUpdate presumably stops terragrunt from changing an
//     existing bucket, which would also leave missing protections unapplied.
//   - EnableLockTableSSEncryption is opt-in, so server-side encryption of the
//     lock table is presumably left as it is unless this is set.
//   - DisableAWSClientChecksums presumably turns off checksum handling in the
//     AWS client; confirm why a configuration needs it.
//   - BucketSSEAlgorithm and BucketSSEKMSKeyID presumably select the algorithm
//     and KMS key used for bucket-wide server-side encryption.
type ExtendedRemoteStateConfigS3 struct {
	S3BucketTags                   map[string]string `mapstructure:"s3_bucket_tags"`
	DynamotableTags                map[string]string `mapstructure:"dynamodb_table_tags"`
	AccessLoggingBucketTags        map[string]string `mapstructure:"accesslogging_bucket_tags"`
	SkipBucketVersioning           bool              `mapstructure:"skip_bucket_versioning"`
	SkipBucketSSEncryption         bool              `mapstructure:"skip_bucket_ssencryption"`
	SkipBucketAccessLogging        bool              `mapstructure:"skip_bucket_accesslogging"`
	SkipBucketRootAccess           bool              `mapstructure:"skip_bucket_root_access"`
	SkipBucketEnforcedTLS          bool              `mapstructure:"skip_bucket_enforced_tls"`
	SkipBucketPublicAccessBlocking bool              `mapstructure:"skip_bucket_public_access_blocking"`
	DisableBucketUpdate            bool              `mapstructure:"disable_bucket_update"`
	EnableLockTableSSEncryption    bool              `mapstructure:"enable_lock_table_ssencryption"`
	DisableAWSClientChecksums      bool              `mapstructure:"disable_aws_client_checksums"`
	AccessLoggingBucketName        string            `mapstructure:"accesslogging_bucket_name"`
	AccessLoggingTargetPrefix      string            `mapstructure:"accesslogging_target_prefix"`
	BucketSSEAlgorithm             string            `mapstructure:"bucket_sse_algorithm"`
	BucketSSEKMSKeyID              string            `mapstructure:"bucket_sse_kms_key_id"`
	// contains filtered or unexported fields
}

We use this construct to separate the three config keys 's3_bucket_tags', 'dynamodb_table_tags' and 'accesslogging_bucket_tags' from the others, as they are specific to the s3 backend, but only used by terragrunt to tag the s3 bucket, the dynamo db and the s3 bucket used for the access logs, in case it has to create them.

func ParseExtendedS3Config

func ParseExtendedS3Config(config map[string]interface{}) (*ExtendedRemoteStateConfigS3, error)

Parse the given map into an extended S3 config

func (*ExtendedRemoteStateConfigS3) GetAwsSessionConfig

func (c *ExtendedRemoteStateConfigS3) GetAwsSessionConfig() *awsauth.AwsSessionConfig

Builds a session config for AWS related requests from the RemoteStateConfigS3 configuration

type GCSInitializer

// GCSInitializer is an empty struct, so it carries no state of its own. Its
// methods (NeedsInitialization, Initialize, GetTerraformInitArgs) match the
// method set of RemoteStateInitializer.
type GCSInitializer struct{}

func (GCSInitializer) GetTerraformInitArgs

func (gcsInitializer GCSInitializer) GetTerraformInitArgs(config map[string]interface{}) map[string]interface{}

func (GCSInitializer) Initialize

func (gcsInitializer GCSInitializer) Initialize(remoteState *RemoteState, terragruntOptions *options.TerragruntOptions) error

Initialize the remote state GCS bucket specified in the given config. This function will validate the config parameters, create the GCS bucket if it doesn't already exist, and check that versioning is enabled.

func (GCSInitializer) NeedsInitialization

func (gcsInitializer GCSInitializer) NeedsInitialization(remoteState *RemoteState, existingBackend *TerraformBackend, terragruntOptions *options.TerragruntOptions) (bool, error)

Returns true if:

1. Any of the existing backend settings are different than the current config
2. The configured GCS bucket does not exist

type InvalidAccessLoggingBucketEncryption

// InvalidAccessLoggingBucketEncryption is an error type that records the
// bucket SSE algorithm involved. Presumably raised when the configured
// algorithm cannot be combined with access logging - confirm the exact
// condition in the S3 initializer.
type InvalidAccessLoggingBucketEncryption struct {
	BucketSSEAlgorithm string
}

func (InvalidAccessLoggingBucketEncryption) Error

type MaxRetriesWaitingForS3ACLExceeded

// MaxRetriesWaitingForS3ACLExceeded is a string-based error type. Presumably
// the string is the bucket name and the error means an ACL change was not
// observed within the retry budget - confirm in the source.
type MaxRetriesWaitingForS3ACLExceeded string

func (MaxRetriesWaitingForS3ACLExceeded) Error

type MaxRetriesWaitingForS3BucketExceeded

// MaxRetriesWaitingForS3BucketExceeded is a string-based error type.
// Presumably the string is the bucket name and the error is returned by
// WaitUntilS3BucketExists once its retries are used up - confirm.
type MaxRetriesWaitingForS3BucketExceeded string

func (MaxRetriesWaitingForS3BucketExceeded) Error

type MissingRequiredGCSRemoteStateConfig

// MissingRequiredGCSRemoteStateConfig is a string-based error type. The
// receiver name of its Error method suggests the string is the name of the
// missing GCS config setting.
type MissingRequiredGCSRemoteStateConfig string

func (MissingRequiredGCSRemoteStateConfig) Error

func (configName MissingRequiredGCSRemoteStateConfig) Error() string

type MissingRequiredS3RemoteStateConfig

// MissingRequiredS3RemoteStateConfig is a string-based error type. The
// receiver name of its Error method suggests the string is the name of the
// missing S3 config setting.
type MissingRequiredS3RemoteStateConfig string

func (MissingRequiredS3RemoteStateConfig) Error

func (configName MissingRequiredS3RemoteStateConfig) Error() string

type MultipleTagsDeclarations

// MultipleTagsDeclarations is a string-based error type. The receiver name of
// its Error method suggests the string names the target whose tags were
// declared more than once - confirm in the source.
type MultipleTagsDeclarations string

func (MultipleTagsDeclarations) Error

func (target MultipleTagsDeclarations) Error() string

type RemoteState

// RemoteState is the remote state configuration: the backend name, two
// opt-out switches, an optional code-generation setting and the
// backend-specific Config map.
//
// NOTE(review): Config is an untyped map and can carry backend credentials
// (RemoteStateConfigGCS, for example, defines the keys "credentials",
// "access_token" and "encryption_key"). Confirm that String and any logging
// of this struct do not print those values verbatim.
type RemoteState struct {
	Backend                       string
	DisableInit                   bool
	DisableDependencyOptimization bool
	Generate                      *RemoteStateGenerate
	Config                        map[string]interface{}
}

Configuration for Terraform remote state. NOTE: If any attributes are added here, be sure to add them to remoteStateAsCty in config/config_as_cty.go

func (*RemoteState) FillDefaults

func (remoteState *RemoteState) FillDefaults()

Fill in any default configuration for remote state

func (*RemoteState) GenerateTerraformCode

func (remoteState *RemoteState) GenerateTerraformCode(terragruntOptions *options.TerragruntOptions) error

Generate the terraform code for configuring remote state backend.

func (*RemoteState) Initialize

func (remoteState *RemoteState) Initialize(terragruntOptions *options.TerragruntOptions) error

Perform any actions necessary to initialize the remote state before it's used for storage. For example, if you're using S3 or GCS for remote state storage, this may create the bucket if it doesn't exist already.

func (*RemoteState) NeedsInit

func (remoteState *RemoteState) NeedsInit(terragruntOptions *options.TerragruntOptions) (bool, error)

Returns true if remote state needs to be configured. This will be the case when:

1. Remote state has not already been configured
2. Remote state has been configured, but with a different configuration
3. The remote state initializer for this backend type, if there is one, says initialization is necessary

func (*RemoteState) String

func (remoteState *RemoteState) String() string

func (RemoteState) ToTerraformInitArgs

func (remoteState RemoteState) ToTerraformInitArgs() []string

Convert the RemoteState config into the format used by the terraform init command

func (*RemoteState) Validate

func (remoteState *RemoteState) Validate() error

Validate that the remote state is configured correctly

type RemoteStateConfigGCS

// RemoteStateConfigGCS is the typed form of the GCS backend configuration,
// decoded by mapstructure key.
//
// NOTE(review): Credentials, AccessToken and EncryptionKey look like secret
// material (judging by their names and keys; how they are consumed is not
// visible here). Keep them out of logs and error messages, and prefer
// supplying them from the environment or a secret store over committing them
// in configuration files.
// ImpersonateServiceAccount and ImpersonateServiceAccountDelegates change the
// identity requests run as; presumably they are passed to the GCS client
// created by CreateGCSClient - confirm, and review who may set them.
type RemoteStateConfigGCS struct {
	Bucket        string `mapstructure:"bucket"`
	Credentials   string `mapstructure:"credentials"`
	AccessToken   string `mapstructure:"access_token"`
	Prefix        string `mapstructure:"prefix"`
	Path          string `mapstructure:"path"`
	EncryptionKey string `mapstructure:"encryption_key"`

	ImpersonateServiceAccount          string   `mapstructure:"impersonate_service_account"`
	ImpersonateServiceAccountDelegates []string `mapstructure:"impersonate_service_account_delegates"`
}

A representation of the configuration options available for GCS remote state

type RemoteStateConfigS3

// RemoteStateConfigS3 is the typed form of the S3 backend configuration,
// decoded by mapstructure key.
//
// Security-relevant fields (NOTE(review): effects are inferred from the field
// names and keys; confirm in the S3 initializer and session setup):
//   - Encrypt is a plain bool, so it is false unless the "encrypt" key is set;
//     presumably it controls encryption of the stored state object.
//   - Endpoint and DynamoDBEndpoint presumably redirect the clients to
//     non-default service endpoints; review any value that is set.
//   - Profile, RoleArn, ExternalID, SessionName and CredsFilename select the
//     identity and credential source (see GetAwsSessionConfig on
//     ExtendedRemoteStateConfigS3).
//   - LockTable and DynamoDBTable both name the lock table; GetLockTableName
//     resolves between them.
type RemoteStateConfigS3 struct {
	Encrypt          bool   `mapstructure:"encrypt"`
	Bucket           string `mapstructure:"bucket"`
	Key              string `mapstructure:"key"`
	Region           string `mapstructure:"region"`
	Endpoint         string `mapstructure:"endpoint"`
	DynamoDBEndpoint string `mapstructure:"dynamodb_endpoint"`
	Profile          string `mapstructure:"profile"`
	RoleArn          string `mapstructure:"role_arn"`
	ExternalID       string `mapstructure:"external_id"`
	SessionName      string `mapstructure:"session_name"`
	LockTable        string `mapstructure:"lock_table"` // Deprecated in Terraform version 0.13 or newer.
	DynamoDBTable    string `mapstructure:"dynamodb_table"`
	CredsFilename    string `mapstructure:"shared_credentials_file"`
	S3ForcePathStyle bool   `mapstructure:"force_path_style"`
}

A representation of the configuration options available for S3 remote state

func (*RemoteStateConfigS3) GetLockTableName

func (s3Config *RemoteStateConfigS3) GetLockTableName() string

The DynamoDB lock table attribute used to be called "lock_table", but has since been renamed to "dynamodb_table", and the old attribute name was deprecated. The old attribute name was eventually removed from Terraform starting with release 0.13. To maintain backwards compatibility, we support both names.

type RemoteStateGenerate

// RemoteStateGenerate is the code-generation setting for remote state. Both
// fields are decoded under the same key by cty and mapstructure.
// Path is presumably where GenerateTerraformCode writes the generated file and
// IfExists what to do when that file is already present - confirm, and check
// how Path is constrained, since it comes from configuration.
type RemoteStateGenerate struct {
	Path     string `cty:"path" mapstructure:"path"`
	IfExists string `cty:"if_exists" mapstructure:"if_exists"`
}

Code gen configuration for Terraform remote state

type RemoteStateInitializer

// RemoteStateInitializer is the per-backend hook set: decide whether
// initialization is needed, perform it, and filter the user's config before
// it is handed to terraform.
//
// NOTE(review): GetTerraformInitArgs feeds values that end up as
// -backend-config command line parameters. Command line arguments are
// typically readable by other local users through the process table, so
// confirm that implementations do not forward secrets from the config map
// this way.
type RemoteStateInitializer interface {
	// Return true if remote state needs to be initialized
	NeedsInitialization(remoteState *RemoteState, existingBackend *TerraformBackend, terragruntOptions *options.TerragruntOptions) (bool, error)

	// Initialize the remote state
	Initialize(remoteState *RemoteState, terragruntOptions *options.TerragruntOptions) error

	// Return the config that should be passed on to terraform via -backend-config cmd line param
	// Allows the Backends to filter and/or modify the configuration given from the user
	GetTerraformInitArgs(config map[string]interface{}) map[string]interface{}
}

type S3BucketUpdatesRequired

// S3BucketUpdatesRequired is a set of six flags, one per bucket setting:
// versioning, server-side encryption, root access policy, enforced TLS policy,
// access logging and public access blocking.
// NOTE(review): presumably a true flag means the existing bucket lacks that
// setting and terragrunt would apply it - confirm the polarity in the S3
// initializer before relying on it in an audit.
type S3BucketUpdatesRequired struct {
	Versioning    bool
	SSEEncryption bool
	RootAccess    bool
	EnforcedTLS   bool
	AccessLogging bool
	PublicAccess  bool
}

type S3Initializer

// S3Initializer is an empty struct, so it carries no state of its own. Its
// methods (NeedsInitialization, Initialize, GetTerraformInitArgs) match the
// method set of RemoteStateInitializer.
type S3Initializer struct{}

func (S3Initializer) GetTerraformInitArgs

func (s3Initializer S3Initializer) GetTerraformInitArgs(config map[string]interface{}) map[string]interface{}

func (S3Initializer) Initialize

func (s3Initializer S3Initializer) Initialize(remoteState *RemoteState, terragruntOptions *options.TerragruntOptions) error

Initialize the remote state S3 bucket specified in the given config. This function will validate the config parameters, create the S3 bucket if it doesn't already exist, and check that versioning is enabled.

func (S3Initializer) NeedsInitialization

func (s3Initializer S3Initializer) NeedsInitialization(remoteState *RemoteState, existingBackend *TerraformBackend, terragruntOptions *options.TerragruntOptions) (bool, error)

Returns true if:

1. Any of the existing backend settings are different than the current config
2. The configured S3 bucket or DynamoDB table does not exist

type TerraformBackend

// TerraformBackend holds the backend type name and its untyped settings as
// read from a state file.
// NOTE(review): Config may repeat whatever backend settings were written to
// the state file, including credential-like keys; avoid logging it verbatim.
type TerraformBackend struct {
	Type   string
	Config map[string]interface{}
}

The structure of the "backend" section of the Terraform .tfstate file

type TerraformState

// TerraformState holds the parts of a .tfstate file this package reads:
// version, serial, the optional backend section and the modules.
// Backend is a pointer and can be nil when the file has no backend section.
// NOTE(review): state files can contain sensitive values in plaintext, so the
// parsed struct should be handled like the file itself.
type TerraformState struct {
	Version int
	Serial  int
	Backend *TerraformBackend
	Modules []TerraformStateModule
}

The structure of the Terraform .tfstate file

func ParseTerraformStateFile

func ParseTerraformStateFile(path string) (*TerraformState, error)

ParseTerraformStateFile parses the Terraform .tfstate file at the given path

func ParseTerraformStateFileFromLocation

func ParseTerraformStateFileFromLocation(backend string, config map[string]interface{}, workingDir, dataDir string) (*TerraformState, error)

Parses the Terraform .tfstate file. If a local backend is used then search the given path, or return nil if the file is missing. If the backend is not local then parse the Terraform .tfstate file from the location specified by workingDir. If no location is specified, search the current directory. If the file doesn't exist at any of the default locations, return nil.

func (*TerraformState) IsRemote

func (state *TerraformState) IsRemote() bool

Return true if this Terraform state is configured for remote state storage

type TerraformStateModule

// TerraformStateModule holds one module entry of a state file: its path
// segments plus untyped outputs and resources.
// NOTE(review): Outputs and Resources are decoded without a schema and may
// include secret values recorded in the state; avoid printing them in logs or
// error messages.
type TerraformStateModule struct {
	Path      []string
	Outputs   map[string]interface{}
	Resources map[string]interface{}
}

The structure of a "module" section of the Terraform .tfstate file
