How to update resource from another Terraform configuration

Question

I'm trying to build hub-spoke topology in Azure.

• Hub VNET - includes Azure firewall with default rules, has it's own TF state file
• Spoke VNET - includes other Azure resources (Blobs, Key vaults etc.), there are many Spoke VNETs (each per project/environment) each with it's own TF state file.

Problem: After deploying each Spoke VNET, there is randomly generated Blob Storage name which I need to pass and update Azure firewall rule in other TF configuration.

Question: Is it possible to do it automatically?

Possible solution: I will terraform apply Spoke VNET and use randomly generated blob storage name as an output. Pass it to .sh script which will update .tfvars file used by Hub VNET with Firewall. Then terraform apply this Hub VNET configuration. I have to do this also in reverse while destroying any of the Spoke VNETs. But this is not very elegant. Is there any better way? Maybe using Terragrunt hooks?

Answer 1

In case of terragrunt, you can easily pass outputs from one module (i.e. Hub VNET) as inputs to the modules that depend on it (i.e. Spoke VNET). The code snippet would look like the following:

hub-vnet/terragrunt.hcl:

dependency "spoke-a-vnet" {
  config_path = "../spoke-a-vnet"
  mock_ouptuts = {
    blob-name = ""
  }
}

dependency "spoke-b-vnet" {
  config_path = "../spoke-b-vnet"
  mock_ouptuts = {
    blob-name = ""
  }
}

inputs {
  blob-names = [dependency.spoke-a-vnet.outputs.blob-name, dependency.spoke-v-vnet.outputs.blob-name]
}

And then in your Hub VNET module you'll have a behavior configured that a blob-name should be skipped, if it equals "".

During the Spoke removal operation, you'll need to run two steps:

1. run destroy for the relevant Spoke VNET module
2. run apply afterwards (effectively it's a re-apply) for the Hub VNET module, where the mock value "" would take effect as the blob-storage input and therefore skipped (based on the conditional approach described above).