How to update resource from another Terraform configuration

Question

I'm trying to build hub-spoke topology in Azure.

• Hub .NET - includes Azure firewall with default rules, has it's own TF state file
• Spoke .NET - includes other Azure resources (Blobs, Key vaults etc.), there are many Spoke .NETs (each per project/environment) each with it's own TF state file.

Problem: After deploying each Spoke .NET, there is randomly generated Blob Storage name which I need to pass and update Azure firewall rule in other TF configuration.

Question: Is it possible to do it automatically?

Possible solution: I will terraform apply Spoke .NET and use randomly generated blob storage name as an output. Pass it to.sh script which will update.tfvars file used by Hub .NET with Firewall. Then terraform apply this Hub .NET configuration. I have to do this also in reverse while destroying any of the Spoke .NETs. But this is not very elegant. Is there any better way? Maybe using Terragrunt hooks?

Answer 1

In case of terragrunt, you can easily pass outputs from one module (ie Hub .NET) as inputs to the modules that depend on it (ie Spoke .NET). The code snippet would look like the following:

hub-.net/terragrunt.hcl :

dependency "spoke-a-vnet" {
  config_path = "../spoke-a-vnet"
  mock_ouptuts = {
    blob-name = ""
  }
}

dependency "spoke-b-vnet" {
  config_path = "../spoke-b-vnet"
  mock_ouptuts = {
    blob-name = ""
  }
}

inputs {
  blob-names = [dependency.spoke-a-vnet.outputs.blob-name, dependency.spoke-v-vnet.outputs.blob-name]
}

And then in your Hub .NET module you'll have a behavior configured that a blob-name should be skipped, if it equals "" .

During the Spoke removal operation, you'll need to run two steps:

1. run destroy for the relevant Spoke .NET module
2. run apply afterwards (effectively it's a re-apply) for the Hub .NET module, where the mock value "" would take effect as the blob-storage input and therefore skipped (based on the conditional approach described above).