Terragrunt in CI/CD
Plan/apply many units safely.
Terragrunt in CI follows the plan-on-PR, apply-on-merge pattern, scaled to many units. On a pull request, run run-all plan (or plan just the changed units) and surface the aggregate diff for review; on merge, run-all apply the reviewed changes with approval for production. The challenge is scale — dozens of units — so teams often detect which units changed and plan only those, and use Terragrunt’s output-module-groups to parallelize safely.
plan:script:- cd live/prod- terragrunt run-all plan --terragrunt-non-interactive 2>&1 | tee plan.txt# (optionally: only changed units via --terragrunt-include-dir)apply:script: [cd live/prod && terragrunt run-all apply --terragrunt-non-interactive]rules: [{ if: '$CI_COMMIT_BRANCH == "main"' }]when: manual # human approval for prodenvironment: production
Guardrails at scale
The same guardrails as any IaC pipeline, but the blast radius is larger: authenticate to the cloud with OIDC and scoped roles per account, run policy/scan hooks before apply (Conftest/Checkov on the generated plan), gate prod behind approval, and never run-all destroy from automation without heavy protection. Because one pipeline can change an entire multi-account estate, its own hardening — least privilege, protected environments, reviewed config — is proportionally critical.