Hello folks,

I am using terragrunt (plus atlantis) for some time now. Initially we include a file with the iam_role configuration and it works flawlessly:

service1/terragrunt.hcl

include "role_configuration" {
    path           = find_in_parent_folders("role_configuration.hcl")
    expose         = true
}

role_configuration.hcl

iam_role = "arn:aws:iam::xxxxxxxxxxxxxx:role/some-role"

But, if I put the externalID condition on the cross-account role trust policy, we just receive a plain 403 (which is expected). Something like:

ERRO[0000] AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/atlantis-role/session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxx:role/some-role
	status code: 403, request id: <some uuid here>
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1

Ater that, I removed the role_configuration include from the service1/terragrunt.hcl file and tried to circumvect the error by templating the provider using the following declarations:

terragrunt.hcl

locals {
  account = "xxxxxx"
  region = "us-east-1"
  role_configuration = read_terragrunt_config(find_in_parent_folders("role_configuration.hcl"))
  cross_account_external_id = get_env("CROSS_ACCOUNT_EXTERNAL_ID", "testing")
}

generate "provider" {
  path = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents = templatefile("provider.tpl", {
    region = local.region.locals.aws_region,
    account_id = local.account.locals.aws_account_id,
    assume_role_arn = local.role_configuration.iam_role
    external_id = local.cross_account_external_id
  })
}

provider.tpl

provider "aws" {
  region = "${region}"
  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = ["${account_id}"]

   # Make it faster by skipping something
  skip_get_ec2_platforms      = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_credentials_validation = true

  %{ if assume_role_arn != "" }
  assume_role {
    role_arn = "${assume_role_arn}"
    external_id = "${external_id}"
  }
  %{ endif }
}

That time, terragrunt didn't reconigzed that should use a cross account role to access the s3 backend and asked about the bucket creation:

DEBU[0000] Initializing remote state for the s3 backend
remote state S3 bucket terraform-state-iac-xxxxxxxxx does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n)

With that in mind, I ask: is there a way to set an external_id for the iam_role configuration? If not, do you think that a parameter called iam_role_external_id (and the correspondent environment variables) to support this case can be a good contribution? I'm willing to contribute if necessary.

Thanks in advance!