particuleio / teks

Full feature EKS cluster with Terragrunt/Terraform

Home Page:https://particuleio.github.io/teks/

how to manage secrets in terragrunt

thpham opened this issue · comments

Hello @ArchiFleKs,

How would you manage secrets that are part of the extra_values in the Helm addons you extend in the terragrunt.hcl files?

Some preference to use AWS SSM and not Vault (because it will be part of the cluster).

Thank you for your advice.

You could use sops, which is integrated with Terragrunt. If it is a string you can just use the Terragrunt sops function and put it in extra_values.

For more complex structures I guess it would be possible to use yamlencode instead of using a heredoc for extra_values.

If you want to use SSM/Secrets Manager it would be the same syntax as sops: you can read them from a data source and integrate them in extra_values.
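The sops path described in the reply above, as an added example (not code from the teks project or from the commenter). It assumes a sops-encrypted file `secrets.enc.yaml` next to the terragrunt.hcl, a top-level key `github_clientSecret` inside it, and an addon block named `my-addon` standing in for whichever addon you extend; the `config.clientID`/`config.clientSecret` value layout is likewise a placeholder for the chart you are targeting:

```hcl
# terragrunt.hcl (added example; names and value layout are assumptions)
locals {
  # sops_decrypt_file is Terragrunt's built-in: it decrypts with the key(s)
  # listed in .sops.yaml, so only ciphertext is committed to git and the
  # plaintext exists only in memory while Terragrunt renders inputs.
  secrets = yamldecode(sops_decrypt_file("${get_terragrunt_dir()}/secrets.enc.yaml"))
}

inputs = {
  # "my-addon" is a placeholder for the addon block you extend.
  my-addon = {
    enabled = true

    # yamlencode instead of a heredoc: the nested structure is built as an
    # HCL object and quoted/escaped for you, so a secret containing ':' or
    # '#' or a leading '-' cannot corrupt the generated values.yaml.
    extra_values = yamlencode({
      config = {
        clientID     = "my-oauth-app"
        clientSecret = local.secrets.github_clientSecret
      }
    })
  }
}
```

Whatever the source of the value (sops, SSM, Secrets Manager), anything passed through `inputs` ends up in the Terraform state of the addons module, so the remote state bucket needs encryption and a tight access policy regardless of how the secret is fetched.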

OK, thank you for your advice, but I would avoid having to encrypt files in git (with sops).

Here is maybe something I found that could work.

locals {
  # Fetch the secret named after this module's path. "--terragrunt-quiet"
  # stops Terragrunt from echoing the command output (the plaintext secret)
  # into its logs.
  aws-secrets-store = jsondecode(
    jsondecode(run_cmd("--terragrunt-quiet", "aws", "secretsmanager", "get-secret-value",
      "--secret-id", path_relative_to_include()))["SecretString"]
  )

  # Individual keys out of the decoded SecretString JSON map.
  github-clientSecret = local.aws-secrets-store["github-clientSecret"]
}

I think you should use the AWS provider and secret data source for better idempotency.

OK, I thought about it, but how do you use a secret data source reference in a Terragrunt INPUT{}?

You need to use it in a separate module and use a dependency Terragrunt block to get the output.
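The pattern from the last reply, written out as an added example (not the project's or the commenter's code): a minimal Terraform module whose only job is to read the secret through the AWS provider data source, and a Terragrunt `dependency` block that feeds its output into `extra_values`. Directory layout (`modules/secrets`, `secrets/`, `eks-addons/`), the secret name `eks/prod/addons`, the JSON key `github-clientSecret` and the addon block `my-addon` are all assumptions:

```hcl
# modules/secrets/main.tf  (added example; reads one Secrets Manager secret)
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "secret_id" {
  type        = string
  description = "Name or ARN of a Secrets Manager secret whose SecretString is a JSON map"
}

# Data source instead of run_cmd: fetched by the provider at plan/apply
# time, no aws CLI needed on the runner and no shell quoting of secret names.
data "aws_secretsmanager_secret_version" "this" {
  secret_id = var.secret_id
}

output "values" {
  description = "Decoded key/value map from SecretString"
  value       = jsondecode(data.aws_secretsmanager_secret_version.this.secret_string)
  sensitive   = true   # keeps the map out of plan/apply output
}

# secrets/terragrunt.hcl  (assumed location, sibling of eks-addons/)
terraform {
  source = "../modules//secrets"
}

inputs = {
  secret_id = "eks/prod/addons"   # placeholder secret name
}

# eks-addons/terragrunt.hcl  (the module that extends the Helm addons)
dependency "secrets" {
  config_path = "../secrets"

  # Placeholder so `terragrunt plan` works before secrets/ has been applied;
  # apply still requires the real output.
  mock_outputs = {
    values = { "github-clientSecret" = "mock-value" }
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

inputs = {
  my-addon = {
    enabled = true
    extra_values = yamlencode({
      config = {
        clientSecret = dependency.secrets.outputs.values["github-clientSecret"]
      }
    })
  }
}
```

Splitting the read into its own module is what makes the data source usable from `inputs`: Terragrunt cannot reference data sources directly, but `dependency` blocks can read another module's outputs. Because of `sensitive = true` the value is redacted from plan output, but it is still written in plaintext to the secrets module's state and, via the input, to the addons module's state, so both backends must be encrypted and access-restricted. `terragrunt run-all` also orders the two modules correctly thanks to the dependency block.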