Hi here,
Problem
We have the following setup:
environments/
├── development-foo
│   ├── main.tf
│   ├── outputs.tf
│   ├── state.tf
│   ├── terraform.tfvars
│   ├── variables.tf
│   └── versions.tf
├── development-bar
│   ├── main.tf
│   ├── outputs.tf
│   ├── state.tf
│   ├── terraform.tfvars
│   ├── variables.tf
│   └── versions.tf
├── integration-foo
│   ├── main.tf
│   ├── outputs.tf
│   ├── state.tf
│   ├── terraform.tfvars
│   ├── variables.tf
│   └── versions.tf
├── integration-bar
│   ├── main.tf
│   ├── outputs.tf
│   ├── state.tf
│   ├── terraform.tfvars
│   ├── variables.tf
│   └── versions.tf
├── live-foo
│   ├── main.tf
│   ├── outputs.tf
│   ├── state.tf
│   ├── terraform.tfvars
│   ├── variables.tf
│   └── versions.tf
└── live-bar
    ├── main.tf
    ├── outputs.tf
    ├── state.tf
    ├── terraform.tfvars
    ├── variables.tf
    └── versions.tf
So effectively, we have multiple environments {live, integration, development}. There are several components (for simplicity, the example here shows only foo and bar) that are deployed in all those environments.
terraform apply is executed (via Atlantis) per environment.
Components foo and bar have interdependencies. They access resources via terraform_remote_state.
For example:
foo has an AWS RDS instance that has a security group attached to it.
bar has a component that would like to access the RDS. bar refers to the RDS security group via foo's terraform_remote_state to get the security group's ID, so that it can add its component's security group as one that is allowed to access the RDS.
The problem here is that if the AWS RDS security group changes in bar, foo won't know about this until the next execution of terraform for foo. Until then, foo will be broken.
Question
How do you manage changes in the remote states without breaking other environments?
Thanks
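
The cross-environment reference described in the post, written out as an added example that is not part of the original post. The S3 backend, bucket, key, region, port, variable and resource names are all assumptions chosen for illustration.

```hcl
# --- environments/development-foo (assumed layout) -------------------------

# main.tf: security group attached to the RDS instance (names are hypothetical)
resource "aws_security_group" "rds" {
  name   = "development-foo-rds"
  vpc_id = var.vpc_id # assumed variable
}

# outputs.tf: only values exported as outputs are visible to other states
output "rds_security_group_id" {
  value = aws_security_group.rds.id
}

# --- environments/development-bar (assumed layout) -------------------------

# main.tf: read foo's state. Outputs are resolved when THIS environment is
# planned or applied, not when the producing environment changes.
data "terraform_remote_state" "foo" {
  backend = "s3" # assumption: the post does not name the backend
  config = {
    bucket = "example-terraform-state"           # placeholder
    key    = "development-foo/terraform.tfstate" # placeholder
    region = "eu-west-1"                         # placeholder
  }
}

resource "aws_security_group" "bar_component" {
  name   = "development-bar-component"
  vpc_id = var.vpc_id # assumed variable
}

# Allow bar's component to reach the RDS instance by adding an ingress rule
# to the security group whose ID comes from foo's remote state.
resource "aws_security_group_rule" "bar_to_rds" {
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 5432 # assumption: PostgreSQL
  to_port                  = 5432
  security_group_id        = data.terraform_remote_state.foo.outputs.rds_security_group_id
  source_security_group_id = aws_security_group.bar_component.id
}
```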