terragrunt

terragrunt documentation

terragrunt - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| TERRAFORM_TERRAGRUNT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| TERRAFORM_TERRAGRUNT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
| TERRAFORM_TERRAGRUNT_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: (src\|lib) | Include every file |
| TERRAFORM_TERRAGRUNT_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: (test\|examples) | Exclude no file |
| TERRAFORM_TERRAGRUNT_CLI_LINT_MODE | Override default CLI lint mode. file: Calls the linter for each file. project: Call the linter from the root of the project | file |
| TERRAFORM_TERRAGRUNT_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | [".hcl"] |
| TERRAFORM_TERRAGRUNT_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
| TERRAFORM_TERRAGRUNT_PRE_COMMANDS | List of bash commands to run before the linter | None |
| TERRAFORM_TERRAGRUNT_POST_COMMANDS | List of bash commands to run after the linter | None |
| TERRAFORM_TERRAGRUNT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling TERRAFORM_TERRAGRUNT and its pre/post commands | None |
| TERRAFORM_TERRAGRUNT_CONFIG_FILE | terragrunt configuration file name. Use LINTER_DEFAULT to let the linter find it | terragrunt.hcl |
| TERRAFORM_TERRAGRUNT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| TERRAFORM_TERRAGRUNT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| TERRAFORM_TERRAGRUNT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| TERRAFORM_TERRAGRUNT_CLI_EXECUTABLE | Override CLI executable | ['terragrunt'] |

MegaLinter Flavors

This linter is available in the following flavors

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 124 |
| cupcake | MegaLinter for the most commonly used languages | 83 |
| security | Optimized for security | 24 |
| terraform | Optimized for TERRAFORM based projects | 54 |

Behind the scenes

How applicable files are identified

  • File extensions: .hcl
  • File name doesn't end with: .tflint.hcl

How the linting is performed

  • terragrunt is called once per identified file (file CLI lint mode)

Example calls

terragrunt hclfmt --terragrunt-check --terragrunt-hclfmt-file myfile.hcl
terragrunt hclfmt --terragrunt-check --terragrunt-config terragrunt.hcl --terragrunt-hclfmt-file myfile.hcl
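
To reproduce this check outside MegaLinter, the selection rules and the per-file call above can be scripted. This is an added example, not MegaLinter's own code; the function names and the TERRAGRUNT_BIN variable are assumptions.

```shell
#!/bin/sh
# Added example (not MegaLinter code). TERRAGRUNT_BIN, select_hcl_files and
# check_hcl_files are names chosen for this example.
TERRAGRUNT_BIN="${TERRAGRUNT_BIN:-terragrunt}"

# Apply the page's selection rules under directory $1:
# extension .hcl, base name not ending in .tflint.hcl.
select_hcl_files() {
  find "$1" -type f -name '*.hcl' ! -name '*.tflint.hcl' | sort
}

# file CLI lint mode: one hclfmt check per selected file.
# Reports each failing file on stderr and prints the failure count on stdout.
check_hcl_files() {
  select_hcl_files "$1" | {
    failed=0
    while IFS= read -r file; do
      # stdin is redirected so the linter cannot consume the file list
      if ! "$TERRAGRUNT_BIN" hclfmt --terragrunt-check \
           --terragrunt-hclfmt-file "$file" </dev/null >/dev/null 2>&1; then
        echo "hclfmt check failed: $file" >&2
        failed=$((failed + 1))
      fi
    done
    echo "$failed"
  }
}

# Usage: [ "$(check_hcl_files .)" -eq 0 ] || exit 1
```

A non-zero count means at least one selected file is not in canonical format, which is the condition the linter reports as an error.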

Help content

NAME:
   terragrunt - Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale. For documentation, see https://terragrunt.gruntwork.io/.

USAGE:
   terragrunt <command> [options]

COMMANDS:
   aws-provider-patch     Overwrite settings on nested AWS providers to work around a Terraform bug (issue #13018).
   catalog                Launch the user interface for searching and managing your module catalog.
   graph                  Execute commands on the full graph of dependent modules for the current module, ensuring correct execution order.
   graph-dependencies     Prints the terragrunt dependency graph to stdout.
   hclfmt                 Recursively find hcl files and rewrite them into a canonical format.
   hclvalidate            Find all hcl files from the config stack and validate them.
   output-module-groups   Output groups of modules ordered by command (apply or destroy) as a list of list in JSON (useful for CI use cases).
   render-json            Render the final terragrunt config, with all variables, includes, and functions resolved, as json.
   run-all                Run a terraform command against a 'stack' by running the specified command in each subfolder.
   scaffold               Scaffold a new Terragrunt module.
   terragrunt-info        Emits limited terragrunt state on stdout and exits.
   validate-inputs        Checks if the terragrunt configured inputs align with the terraform defined variables.
   *                      Terragrunt forwards all other commands directly to Terraform

GLOBAL OPTIONS:
   --feature value                                   Set feature flags for the HCL code. [$TERRAGRUNT_FEATURE]
   --strict-control value                            Enables specific strict controls. For a list of available controls, see https://terragrunt.gruntwork.io/docs/reference/strict-mode . [$TERRAGRUNT_STRICT_CONTROL]
   --strict-mode                                     Enables strict mode for Terragrunt. For more information, see https://terragrunt.gruntwork.io/docs/reference/strict-mode . [$TERRAGRUNT_STRICT_MODE]
   --terragrunt-auth-provider-cmd value              The command and arguments that can be used to fetch authentication configurations. [$TERRAGRUNT_AUTH_PROVIDER_CMD]
   --terragrunt-config value                         The path to the Terragrunt config file. Default is terragrunt.hcl. [$TERRAGRUNT_CONFIG]
   --terragrunt-debug                                Write terragrunt-debug.tfvars to working folder to help root-cause issues. [$TERRAGRUNT_DEBUG]
   --terragrunt-disable-bucket-update                When this flag is set Terragrunt will not update the remote state bucket. [$TERRAGRUNT_DISABLE_BUCKET_UPDATE]
   --terragrunt-disable-command-validation           When this flag is set, Terragrunt will not validate the terraform command. [$TERRAGRUNT_DISABLE_COMMAND_VALIDATION]
   --terragrunt-disable-log-formatting               If specified, logs will be displayed in key/value format. By default, logs are formatted in a human readable format. [$TERRAGRUNT_DISABLE_LOG_FORMATTING]
   --terragrunt-download-dir value                   The path to download OpenTofu/Terraform modules into. Default is .terragrunt-cache in the working directory. [$TERRAGRUNT_DOWNLOAD]
   --terragrunt-exclude-dir value                    Unix-style glob of directories to exclude when running *-all commands. [$TERRAGRUNT_EXCLUDE_DIR]
   --terragrunt-excludes-file value                  Path to a file with a list of directories that need to be excluded when running *-all commands. (default: .terragrunt-excludes) [$TERRAGRUNT_EXCLUDES_FILE]
   --terragrunt-fail-on-state-bucket-creation        When this flag is set Terragrunt will fail if the remote state bucket needs to be created. [$TERRAGRUNT_FAIL_ON_STATE_BUCKET_CREATION]
   --terragrunt-fetch-dependency-output-from-state   The option fetches dependency output directly from the state file instead of init dependencies and running terraform on them. [$TERRAGRUNT_FETCH_DEPENDENCY_OUTPUT_FROM_STATE]
   --terragrunt-forward-tf-stdout                    If specified, the output of OpenTofu/Terraform commands will be printed as is, without being integrated into the Terragrunt log. [$TERRAGRUNT_FORWARD_TF_STDOUT]
   --terragrunt-iam-assume-role-duration value       Session duration for IAM Assume Role session. Can also be set via the TERRAGRUNT_IAM_ASSUME_ROLE_DURATION environment variable. [$TERRAGRUNT_IAM_ASSUME_ROLE_DURATION]
   --terragrunt-iam-assume-role-session-name value   Name for the IAM Assumed Role session. Can also be set via TERRAGRUNT_IAM_ASSUME_ROLE_SESSION_NAME environment variable. [$TERRAGRUNT_IAM_ASSUME_ROLE_SESSION_NAME]
   --terragrunt-iam-role value                       Assume the specified IAM role before executing OpenTofu/Terraform. Can also be set via the TERRAGRUNT_IAM_ROLE environment variable. [$TERRAGRUNT_IAM_ROLE]
   --terragrunt-iam-web-identity-token value         For AssumeRoleWithWebIdentity, the WebIdentity token. Can also be set via TERRAGRUNT_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN environment variable [$TERRAGRUNT_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN]
   --terragrunt-ignore-dependency-errors             *-all commands continue processing components even if a dependency fails. [$TERRAGRUNT_IGNORE_DEPENDENCY_ERRORS]
   --terragrunt-ignore-dependency-order              *-all commands will be run disregarding the dependencies [$TERRAGRUNT_IGNORE_DEPENDENCY_ORDER]
   --terragrunt-ignore-external-dependencies         *-all commands will not attempt to include external dependencies [$TERRAGRUNT_IGNORE_EXTERNAL_DEPENDENCIES]
   --terragrunt-include-dir value                    Unix-style glob of directories to include when running *-all commands [$TERRAGRUNT_INCLUDE_DIR]
   --terragrunt-include-external-dependencies        *-all commands will include external dependencies [$TERRAGRUNT_INCLUDE_EXTERNAL_DEPENDENCIES]
   --terragrunt-json-log                             If specified, Terragrunt will output its logs in JSON format. [$TERRAGRUNT_JSON_LOG]
   --terragrunt-log-disable                          Disable logging [$TERRAGRUNT_LOG_DISABLE]
   --terragrunt-log-level value                      Sets the logging level for Terragrunt. Supported levels: stderr, stdout, error, warn, info, debug, trace (default: info) [$TERRAGRUNT_LOG_LEVEL]
   --terragrunt-log-show-abs-paths                   Show absolute paths in logs [$TERRAGRUNT_LOG_SHOW_ABS_PATHS]
   --terragrunt-modules-that-include value           If flag is set, 'run-all' will only run the command against Terragrunt modules that include the specified file. [$TERRAGRUNT_MODULES_THAT_INCLUDE]
   --terragrunt-no-auto-approve -auto-approve        Don't automatically append -auto-approve to the underlying OpenTofu/Terraform commands run with 'run-all'. (default: true) [$TERRAGRUNT_NO_AUTO_APPROVE]
   --terragrunt-no-auto-init                         Don't automatically run 'terraform/tofu init' during other terragrunt commands. You must run 'terragrunt init' manually. (default: true) [$TERRAGRUNT_NO_AUTO_INIT]
   --terragrunt-no-auto-retry                        Don't automatically re-run command in case of transient errors. (default: true) [$TERRAGRUNT_NO_AUTO_RETRY]
   --terragrunt-no-color                             If specified, Terragrunt output won't contain any color. [$TERRAGRUNT_NO_COLOR]
   --terragrunt-no-destroy-dependencies-check        When this flag is set, Terragrunt will not check for dependent modules when destroying. [$TERRAGRUNT_NO_DESTROY_DEPENDENCIES_CHECK]
   --terragrunt-non-interactive                      Assume "yes" for all prompts. [$TERRAGRUNT_NON_INTERACTIVE]
   --terragrunt-parallelism value                    *-all commands parallelism set to at most N modules (default: 2147483647) [$TERRAGRUNT_PARALLELISM]
   --terragrunt-provider-cache                       Enables Terragrunt's provider caching. [$TERRAGRUNT_PROVIDER_CACHE]
   --terragrunt-provider-cache-dir value             The path to the Terragrunt provider cache directory. By default, 'terragrunt/providers' folder in the user cache directory. [$TERRAGRUNT_PROVIDER_CACHE_DIR]
   --terragrunt-provider-cache-hostname value        The hostname of the Terragrunt Provider Cache server. By default, 'localhost'. [$TERRAGRUNT_PROVIDER_CACHE_HOSTNAME]
   --terragrunt-provider-cache-port value            The port of the Terragrunt Provider Cache server. By default, assigned automatically. [$TERRAGRUNT_PROVIDER_CACHE_PORT]
   --terragrunt-provider-cache-registry-names value  The list of remote registries to cached by Terragrunt Provider Cache server. By default, 'registry.terraform.io', 'registry.opentofu.org'. (default: registry.terraform.io,registry.opentofu.org) [$TERRAGRUNT_PROVIDER_CACHE_REGISTRY_NAMES]
   --terragrunt-provider-cache-token value           The Token for authentication to the Terragrunt Provider Cache server. By default, assigned automatically. [$TERRAGRUNT_PROVIDER_CACHE_TOKEN]
   --terragrunt-queue-include-units-reading value    If flag is set, 'run-all' will only run the command against Terragrunt units that read the specified file via an HCL function. [$TERRAGRUNT_QUEUE_INCLUDE_UNITS_READING]
   --terragrunt-source value                         Download OpenTofu/Terraform configurations from the specified source into a temporary folder, and run Terraform in that temporary folder. [$TERRAGRUNT_SOURCE]
   --terragrunt-source-map value                     Replace any source URL (including the source URL of a config pulled in with dependency blocks) that has root source with dest. [$TERRAGRUNT_SOURCE_MAP]
   --terragrunt-source-update                        Delete the contents of the temporary folder to clear out any old, cached source code before downloading new source code into it. [$TERRAGRUNT_SOURCE_UPDATE]
   --terragrunt-strict-include                       If flag is set, only modules under the directories passed in with '--terragrunt-include-dir' will be included. [$TERRAGRUNT_STRICT_INCLUDE]
   --terragrunt-tf-logs-to-json                      If specified, Terragrunt will wrap Terraform stdout and stderr in JSON. [$TERRAGRUNT_TF_JSON_LOG]
   --terragrunt-tfpath value                         Path to the Terraform binary. Default is tofu (on PATH). (default: terraform) [$TERRAGRUNT_TFPATH]
   --terragrunt-use-partial-parse-config-cache       Enables caching of includes during partial parsing operations. Will also be used for the --terragrunt-iam-role option if provided. [$TERRAGRUNT_USE_PARTIAL_PARSE_CONFIG_CACHE]
   --terragrunt-working-dir value                    The path to the directory of Terragrunt configurations. Default is current directory. [$TERRAGRUNT_WORKING_DIR]
   --help, -h                                        Show help
   --version, -v                                     Show terragrunt version

VERSION: v0.68.14

AUTHOR: Gruntwork <www.gruntwork.io>

Installation on mega-linter Docker image

  • Dockerfile commands :
# renovate: datasource=docker depName=alpine/terragrunt
ARG TERRAFORM_TERRAGRUNT_VERSION=1.9.8
FROM alpine/terragrunt:${TERRAFORM_TERRAGRUNT_VERSION} AS terragrunt
COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/