AWS region env vars take precedence over remote state backend config on dependencies #4837

@pseudomorph

Describe the bug

The AWS_REGION or AWS_REGION_DEFAULT environment vars override the region parameter in the remote state backend config for a unit's dependency when fetching remote state directly from S3 (i.e. with --dependency-fetch-output-from-state).

Likely introduced in: #4779

Steps To Reproduce

After v0.86.3, simply set the AWS_REGION or AWS_REGION_DEFAULT vars to a region different from the region configured for the remote state backend for a unit's dependency. Then run Terragrunt with --dependency-fetch-output-from-state.

Example:

echo $AWS_REGION $AWS_DEFAULT_REGION

❯ terragrunt plan --dependency-fetch-output-from-state
09:24:26.576 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_caller_identity.current: Reading...
09:24:26.576 STDOUT terraform: module.s3_bucket.data.aws_partition.current: Reading...
09:24:26.576 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_partition.current: Reading...
09:24:26.576 STDOUT terraform: data.aws_partition.current: Reading...
09:24:26.576 STDOUT terraform: data.aws_region.current: Reading...
09:24:26.576 STDOUT terraform: module.s3_bucket.data.aws_region.current: Reading...
09:24:26.576 STDOUT terraform: module.s3_bucket.data.aws_caller_identity.current: Reading...
09:24:26.576 STDOUT terraform: data.aws_caller_identity.current: Reading...
09:24:26.578 STDOUT terraform: data.aws_partition.current: Read complete after 0s [id=aws]
09:24:26.578 STDOUT terraform: module.s3_bucket.data.aws_partition.current: Read complete after 0s [id=aws]
09:24:26.578 STDOUT terraform: module.s3_bucket.data.aws_region.current: Read complete after 0s [id=us-east-2]
09:24:26.578 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_partition.current: Read complete after 0s [id=aws]
09:24:26.578 STDOUT terraform: data.aws_region.current: Read complete after 0s [id=us-east-2]
09:24:26.578 STDOUT terraform: module.s3_bucket.aws_s3_bucket.this[0]: Refreshing state... [id=mybucket]
09:24:26.617 STDOUT terraform: data.aws_caller_identity.current: Read complete after 0s [id=********]
09:24:26.620 STDOUT terraform: data.aws_iam_policy_document.abac_policy[0]: Reading...
09:24:26.622 STDOUT terraform: data.aws_iam_policy_document.abac_policy[0]: Read complete after 0s [id=********]
09:24:26.624 STDOUT terraform: data.aws_iam_policy_document.combined[0]: Reading...
09:24:26.624 STDOUT terraform: data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=********]
09:24:26.657 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_caller_identity.current: Read complete after 0s [id=********]
09:24:26.659 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_iam_policy_document.assume_role_with_mfa[0]: Reading...
09:24:26.661 STDOUT terraform: module.cross_region_replication_iam_role.data.aws_iam_policy_document.assume_role_with_mfa[0]: Read complete after 0s [id=********]
09:24:26.696 STDOUT terraform: module.s3_bucket.data.aws_caller_identity.current: Read complete after 0s [id=********]
09:24:27.500 STDOUT terraform: module.s3_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]: Refreshing state... [id=mybucket]
09:24:27.501 STDOUT terraform: module.s3_bucket.aws_s3_bucket_public_access_block.this[0]: Refreshing state... [id=mybucket]
09:24:27.502 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Reading...
09:24:27.503 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Read complete after 0s [id=********]
09:24:27.503 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.require_latest_tls[0]: Reading...
09:24:27.504 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.require_latest_tls[0]: Read complete after 0s [id=********]
09:24:27.504 STDOUT terraform: module.s3_bucket.aws_s3_bucket_lifecycle_configuration.this[0]: Refreshing state... [id=mybucket]
09:24:27.507 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.combined[0]: Reading...
09:24:27.507 STDOUT terraform: module.s3_bucket.data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=********]
09:24:27.593 STDOUT terraform: module.s3_bucket.aws_s3_bucket_policy.this[0]: Refreshing state... [id=mybucket]
09:24:28.351 STDOUT terraform: No changes. Your infrastructure matches the configuration.
09:24:28.351 STDOUT terraform: Terraform has compared your real infrastructure against your configuration
09:24:28.352 STDOUT terraform: and found no differences, so no changes are needed.

❯ export AWS_REGION=us-west-2                         

❯ terragrunt plan --dependency-fetch-output-from-state
09:24:47.370 ERROR  2 errors occurred:

* operation error S3: GetObject, https response error StatusCode: 301, RequestID: *********, HostID: *********, api error PermanentRedirect: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.

* operation error S3: GetObject, https response error StatusCode: 301, RequestID: *********, HostID: *********, api error PermanentRedirect: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.

09:24:47.371 ERROR  Unable to determine underlying exit code, so Terragrunt will exit with error code 1

Expected behavior

Configured region should be used for S3/DDB calls when fetching remote state for dependencies.

Versions

  • Terragrunt version: affects v0.86.3+
  • OpenTofu/Terraform version: 1.7.5
  • Environment details (Ubuntu 20.04, Windows 10, etc.):
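
An added example (not part of the original issue and not Terragrunt's code) of the precedence the expected behavior asks for: the region in the dependency's remote state backend config wins, and AWS_REGION / AWS_DEFAULT_REGION are only a fallback. The function names and the sample backend map are hypothetical.

```go
package main

import (
	"fmt"
	"os"
)

// Environment variables consulted only when the backend config has no region.
var regionEnvVars = []string{"AWS_REGION", "AWS_DEFAULT_REGION"}

// resolveStateRegion (hypothetical helper) picks the region for the S3 client
// that reads a dependency's state. The dependency's own backend config wins.
func resolveStateRegion(backend map[string]any, getenv func(string) string) (region, source string, err error) {
	if r, ok := backend["region"].(string); ok && r != "" {
		return r, "backend config", nil
	}
	for _, name := range regionEnvVars {
		if r := getenv(name); r != "" {
			return r, name, nil
		}
	}
	return "", "", fmt.Errorf("no region in backend config or environment")
}

// conflictingEnv lists environment variables whose value differs from the
// backend region, i.e. the ones that cause the 301 PermanentRedirect shown
// above if they are allowed to override the backend config.
func conflictingEnv(backend map[string]any, getenv func(string) string) []string {
	want, _ := backend["region"].(string)
	var out []string
	if want == "" {
		return out
	}
	for _, name := range regionEnvVars {
		if v := getenv(name); v != "" && v != want {
			out = append(out, name+"="+v)
		}
	}
	return out
}

func main() {
	// Constructed sample: a dependency whose state bucket lives in us-east-2.
	backend := map[string]any{"bucket": "mybucket", "key": "dep/terraform.tfstate", "region": "us-east-2"}
	region, source, err := resolveStateRegion(backend, os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("state region %s (from %s); ignored env: %v\n", region, source, conflictingEnv(backend, os.Getenv))
}
```
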
