0 votes
2 views
in DevOps and Agile by (29.3k points)

I have an infrastructure I'm deploying using Terraform in AWS. This infrastructure can be deployed to different environments, for which I'm using workspaces.

Most of the components in the deployment should be created separately for each workspace, but I have several key components that I wish to be shared between them, primarily:

1. IAM roles and permissions

2. They should use the same API Gateway, but each workspace should deploy to different paths and methods

For example:

resource "aws_iam_role" "lambda_iam_role" {
  name = "LambdaGeneralRole"
  policy = <...>
}

resource "aws_lambda_function" "my_lambda" {
  function_name = "lambda-${terraform.workspace}"
  role = "${aws_iam_role.lambda_iam_role.arn}"
}

The first resource is an IAM role that should be shared across all instances of that Lambda, and shouldn't be recreated more than once.

The second resource is a Lambda function whose name depends on the current workspace, so each workspace will deploy and keep track of the state of a different Lambda.

How can I share resources, and their state, between different Terraform workspaces?

1 Answer

0 votes
by (50.2k points)

For the shared resources, create them in a separate template and then refer to them using terraform_remote_state in the template where you need information about them.

We will see templates of shared and individual resources so that you can differentiate between them.

In the shared services template, use a Terraform backend to store the output data for the shared services template in Consul.

Shared services template

terraform {
  backend "consul" {
    address = "consul.aa.example.com:8500"
    path    = "terraform/shared_services"
  }
}

resource "aws_iam_role" "lambda_iam_role" {
  name = "LambdaGeneralRole"
  policy = <...>
}

output "lambda_iam_role_arn" {
  value = "${aws_iam_role.lambda_iam_role.arn}"
}

“A "backend" in Terraform determines how the state is loaded and how an operation such as apply is executed. This abstraction enables non-local file state storage, remote execution, etc.”

Whereas an individual template invokes the backend as a data source using terraform_remote_state.

Individual template

data "terraform_remote_state" "shared_services" {
    backend = "consul"
    # Terraform 0.11 syntax; on 0.12 and later write `config = {` here
    config {
        address = "consul.aa.example.com:8500"
        path    = "terraform/shared_services"
    }
}

# This is where you use the terraform_remote_state data source
# (on Terraform 0.12 and later, outputs are read via `.outputs.lambda_iam_role_arn`)
resource "aws_lambda_function" "my_lambda" {
  function_name = "lambda-${terraform.workspace}"
  role = "${data.terraform_remote_state.shared_services.lambda_iam_role_arn}"
}

terraform_remote_state: Retrieves state metadata from a remote backend
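
The same pattern applied to the shared API Gateway from the question, as an added example that is not part of the original answer: the shared template publishes the API's IDs and each workspace attaches its own path under it. It is written in Terraform 0.12+ syntax; the file names, the API name, the GET method, AWS_IAM authorization and the HTTPS scheme for Consul are assumptions.

```hcl
# --- shared_services/main.tf: applied once, in the "default" workspace ---
terraform {
  backend "consul" {
    address = "consul.aa.example.com:8500"
    scheme  = "https" # assumption: Consul serves TLS
    path    = "terraform/shared_services"
  }
}

resource "aws_api_gateway_rest_api" "shared" {
  name = "shared-api" # hypothetical name
}

output "rest_api_id" {
  value = aws_api_gateway_rest_api.shared.id
}

output "rest_api_root_resource_id" {
  value = aws_api_gateway_rest_api.shared.root_resource_id
}

# --- service/main.tf: applied once per workspace ---
data "terraform_remote_state" "shared_services" {
  backend   = "consul"
  workspace = "default" # always read the shared stack, whatever workspace is selected
  config = {
    address = "consul.aa.example.com:8500"
    scheme  = "https" # assumption: Consul serves TLS
    path    = "terraform/shared_services"
  }
}

locals {
  shared = data.terraform_remote_state.shared_services.outputs
}

# Each workspace owns one path under the shared API, e.g. /dev or /prod.
resource "aws_api_gateway_resource" "env" {
  rest_api_id = local.shared.rest_api_id
  parent_id   = local.shared.rest_api_root_resource_id
  path_part   = terraform.workspace
}

resource "aws_api_gateway_method" "get" {
  rest_api_id   = local.shared.rest_api_id
  resource_id   = aws_api_gateway_resource.env.id
  http_method   = "GET"     # hypothetical method
  authorization = "AWS_IAM" # assumption: callers sign requests with IAM credentials
}
```

Anyone who can run the per-workspace stack needs read access to the whole shared state snapshot, not just its outputs, so keep secrets out of the shared stack or restrict the Consul path with ACLs.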
