Remote-state & credential security
Protect the crown jewels.
Terragrunt inherits Terraform’s security model and concentrates one part of it: the remote state backend, now shared across your whole estate, holds the state for every unit — and state can contain secrets in plaintext. So the state bucket (and its lock table) is a crown-jewel asset: lock it down with least-privilege access, enable versioning for recovery, turn on encryption at rest, and, where the backend supports it, prefer client-side/state encryption (OpenTofu) so the contents are ciphertext, not just the object.
remote_state {backend = "s3"config = {bucket = "acme-tf-state"key = "${path_relative_to_include()}/terraform.tfstate"region = "us-east-1"encrypt = true # SSE on the bucketdynamodb_table = "tf-locks" # locking, no concurrent applies# bucket policy: least-privilege, versioned, access-logged}}
Credentials across accounts
Because Terragrunt spans accounts, credential handling matters: generate provider config that assumes a per-account role (short-lived, scoped) rather than embedding static keys, and give each environment the least privilege it needs. In CI, use OIDC to obtain short-lived cloud credentials per run, exactly as the CI/CD course prescribes. The wrapper makes it easy to apply many accounts — which makes scoping each account’s role correctly all the more important.
generate "provider" {path = "provider.tf"if_exists = "overwrite"contents = <<EOFprovider "aws" {region = "us-east-1"assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/terragrunt-deploy" }}EOF}