🎉 v1.0.0 Release Terragrunt is now v1! This means that Terragrunt will no longer have any breaking changes in minor releases, with all future breaking changes taking place in (infrequent) future major releases. For a list of guarantees that will be observed by maintainers for the duration of Terragrunt 1.0, see the Terragrunt 1.0 Guarantees page in the docs. 🛠️ Breaking Changes Consistent .terragrunt-cache directory generation Terragrunt now creates a .terragrunt-cache directory for every run, regardless of whether the terragrunt.hcl file defines a terraform block with a source attribute. This change improves consistency across all Terragrunt executions, as OpenTofu/Terraform will now always run within the .terragrunt-cache directory. This standardized behavior simplifies troubleshooting and makes the execution model more predictable. Removal of tflint Terragrunt has been shipping with a version of tflint compiled into the binary to allow for more convenient usage without installing tflint directly. However due to the adoption of a BUSL license in tflint, the version included in Terragrunt was frozen. The dependency on tflint is now fully removed from Terragrunt. If you want to call tflint using a before_hook using Terragrunt, you will have to have tflint installed locally to do so. To reduce the burden of this breaking change, Terragrunt will continue to provide conveniences like automatically running tflint init on behalf of users, although it no longer ships with a compiled version of tflint in the terragrunt binary. To learn more, read the documentation on the integration with tflint. Discovery commands discover hidden configurations by default The find and list commands now discover units/stacks in hidden directories by default (this previously required usage of the --hidden flag), notably this now discovers .terragrunt-stack directories by default. The commands also now support an opt-in --no-hidden flag to avoid discovery in hidden directories. The --hidden flag has been deprecated, and will not be removed in 1.0. Using the flag no longer does anything. render --format=json no longer discovers dependents by default Prior to this release, the render --format=json command would automatically start to perform dependent discovery on other units related to the unit being rendered. Avoiding this required usage of the --disable-dependent-modules flag. That behavior has been removed. HCL and JSON rendering of unit configurations will now proceed without the additional overhead of dependent discovery by default. This functionality is better served by a combination of find and graph-based filters. e.g. If you want to detect all the dependents of a given unit foo, expecting to find the dependent unit bar you can run the following: $ terragrunt find --filter '...^foo' bar If you aren't familiar with filters, this reads as "find all dependents of foo, not foo itself" Windows compatibility in file paths improved All HCL functions now return operating system native file paths without forward slash normalization.

• get_terragrunt_dir()
• get_original_terragrunt_dir()
• get_parent_terragrunt_dir()
• get_path_from_repo_root()
• get_path_to_repo_root()
• find_in_parent_folders()
• path_relative_to_include()
• path_relative_from_include() If you and your team do not work in Windows environments, you are unlikely to see any change as a consequence of this. If you do use Terragrunt in a Windows environment, Terragrunt will now return appropriate Windows file paths, with backslashes as file path separators instead of Unix-like forward slashes. If you need to normalize paths, you can use the replace function to achieve this.

root.hcl

remote_state { backend = "s3" generate = { path = "backend.tf" if_exists = "overwrite_terragrunt" } config = { bucket = "my-tofu-state" key = "${replace(path_relative_to_include(), "\", "/")}/tofu.tfstate" region = "us-east-1" encrypt = true dynamodb_table = "my-lock-table" } } Ambiguous unit/stack components now throw errors Previously, Terragrunt would silently engage in undefined behavior when both a terragrunt.hcl and terragrunt.stack.hcl file existed in the same directory. With this release, Terragrunt will start to throw warnings and prevent such usage. Users will have to ensure that only one of a unit (terragrunt.hcl) or stack configuration (terragrunt.stack.hcl) exist in a unit or stack directory, respectively. ✨ New Features Tips added Terragrunt will now provide helpful tips when it detects usage patterns that might benefit from some additional guidance. You can disable the display of tips at any time using --no-tips or disable individual tips with --no-tip, (e.g. --no-tip=debugging-docs). --report-file support for single runs The --report-file will now generate reports even when runs are performed without the --all flag. Improved error messages for undefined flags Detection has been added for scenarios when a user is using a flag that might be meant to be passed to OpenTofu/Terraform in the run command, and suggests using the -- argument to pass it through. As an example: $ terragrunt run providers lock -platform linux_amd64 -platform darwin_arm64 14:52:19.496 ERROR flag -platform is not a Terragrunt flag. If this is an OpenTofu/Terraform flag, use -- to forward it (e.g., terragrunt run -- <command> -platform). 🏎️ Performance Improvements Discovery performance improved The way in which Terragrunt discovers and filters units and stacks for runs has improved significantly. Terragrunt is now better at avoiding parsing units/stacks unnecessarily, based on the filter you use. Previously, the logic used was more coarse, and could result in a requirement to parse some configurations (e.g. presence of a dependency graph expression) to result in parsing all configurations. Discovery has been refactored to allow for much more careful opt-in parsing based on the need to support the filter used by users (or lack thereof). This will also result in improvements to Terragrunt's ability to ignore broken parts of infrastructure estates when Terragrunt can predictably determine that it won't impact a run. EncodeSourceVersion execution sped up The performance of EncodeSourceVersion has been improved by utilizing SkipDir to optimize directory traversals. Special thanks to @healthy-pod for contributing this improvement! Provider Cache Server used for fetching outputs from dependencies The Provider Cache Server is now used when fetching outputs from dependencies, improving performance of output resolution for users using the provider cache server. 🐛 Bug Fixes Improved filter parsing errors Parsing errors returned when invalid filter queries are used with --filter have been improved to provide more detailed error messages and actionable recommendations. Retries added for registry timeouts in provider cache server The Provider Cache Server will now perform automatic retries on timeouts to OpenTofu/Terraform provider registries. Discoverability of init-from-module documentation improved The special internal init-from-module command referenced in hooks has had its documentation improved to make it easier to discover. It was difficult to find in the terraform HCL block documentation, and that resulted in confusion for users. Over-warning on strict controls prevented Using --strict-mode resulted in over-warning on completed controls. Those warnings will no longer appear when using strict mode. Stdout/stderr from run_cmd emitted when included A bug prevented the run_cmd HCL function from emitting to stdout/stderr when included by a unit. That bug has been fixed. Provider Cache Server integration with custom registries fixed The Provider Cache Server now properly integrates with custom registries. You will still need to use the --provider-cache-registry-names flag to ensure that the Provider Cache Server properly handles proxying requests to the custom provider registry. The no_run attribute of exclude is fixed A bug prevented the no_run attribute of the exclude block from being respected when being explicitly set to false (as opposed to not being defined at all). This bug has been fixed. The --report-file is now respected for single runs The --report-file will now generate reports even when runs are performed without the --all flag. Path manipulation removed from log messages Log messages no longer have paths updated automatically. This caused confusion for users when seeing OpenTofu/Terraform stdout and hook stdout emitted through logs, as paths were unconditionally updated to be relative to the unit path. This logic has been moved to logging call sites to ensure that external process stdout/stderr is not manipulated unexpectedly. Absolute URLs in registry self-discovery integration with Provider Cache Server Fixed When using the Provider Cache Server in conjunction with a remote registry using absolute URLs for modules, the Provider Cache Server will now properly resolve the module source. SOPS decryption race condition fixed A race condition in the concurrent access to SOPS decrypted secrets in different environments combined with usage of the --auth-provider-cmd flag resulted in authentication failures. Synchronization controls have been introduced to ensure authentication proceeds correctly for each environment independently. Version constraints in stack runs fixed When running against a stack, a bug prevented Terragrunt + OpenTofu/Terraform version constraints from being respected while using the terragrunt_version_constraint and terraform_version_constraint HCL attributes. That bug has been fixed. Interrupt signal propagation to OpenTofu/Terraform fixed