Terragrunt v1.0.5 release notes and key changes

Published: Monday, May 25, 2026 | 4 minute read | Using 746 words

Tags:

Terragrunt v1.0.5 from gruntwork-io shipped on May 18, 2026. The headline change: when the provider cache server talks to the OpenTofu registry, a single terragrunt init now writes a .terraform.lock.hcl with h1: hashes for every platform the registry supports, so you no longer need to run tofu providers lock -platform=... for each target architecture.

The full release notes and downloads are on the GitHub release page.

Provider cache server writes full lock files

When the provider cache server is pointed at the OpenTofu provider registry, Terragrunt now generates a lock file that already contains hashes for every platform the registry supports. Example for hashicorp/null 3.2.2:

provider "registry.opentofu.org/hashicorp/null" {
  version     = "3.2.2"
  constraints = "3.2.2"
  hashes = [
    "h1:+1mRmfyz6oA00IhrrSkHK3h/Mdh032x2p0F6OMdMo5s=",
    "h1:FjLTqvaaYo+vHN8pHZB1cOwEGiNzOj+I9kQyHmr9/7o=",
    "zh:00e5877d19fb1c1d8c4b3536334a46a5c86f57146fd115c7b7b4b5d2bf2de86d",
  ]
}

The hashes come from the registry response itself. If a registry does not expose them, for example a third party registry that has not adopted the field, Terragrunt falls back to the older behavior: one h1: hash for the current platform plus zh: hashes from the shasums document.

The feature builds on work in OpenTofu. Starting with OpenTofu 1.12, plain tofu init already populates the lock file the same way without going through Terragrunt. Users on older OpenTofu versions still get the new behavior when they run through the Terragrunt provider cache server.

`stack output` runs in parallel

terragrunt stack output now fetches outputs from multiple units at the same time. Larger stacks should feel noticeably faster. The existing --parallelism flag (or TG_PARALLELISM env var) caps concurrency:

terragrunt stack output --parallelism 4

Bug fixes

The fix list is the bulk of this release.

--auth-provider-cmd returning null: Terragrunt crashed with a nil pointer dereference when the configured auth command printed the JSON value null. A null response is now treated as an empty response. The run continues with no extra credentials.
Auto init after a source change: terragrunt plan and apply could fail with Error: Required plugins are not installed after changing the source version of a unit with a module "" block. The .terragrunt-init-required marker was ignored when .terraform/modules/ already existed. The marker is now checked at the top of needsInitRunCfg regardless of cache state. Fix from @arnaud-dezandee.
--download-dir through dependency blocks: A custom download directory set via --download-dir or TG_DOWNLOAD_DIR was honored for the root unit but lost when parsing crossed into a dependency block or read_terragrunt_config(). A path set by the user is now carried through every dependency hop unchanged. Fix from @maonat.
DynamoDB lock table tags applied at creation: dynamodb_table_tags inside a remote_state block was applied after the CreateTable call. Environments that enforce required tags via AWS SCPs or tag policies rejected the bootstrap. Tags are now included in the initial CreateTable request. Fix from @Rahul-Kumar-prog.
Engine archive path traversal: When the engine experiment was active, an archive entry whose extracted path resolved outside the target directory could overwrite files the Terragrunt process had write access to. Such entries are now rejected before any bytes hit disk. Gruntwork engine archives were never affected. Reported by @jackiesre721.
--filter plus a negated filter: When a positive path filter was combined with a negated one, units that matched neither expression were parsed before being excluded. Now any positive filepath filter excludes such units from parsing during discovery, unless a more complex filter (for example reading=root.hcl) still requires parsing to evaluate inclusion.
macOS and Windows binaries reported the wrong version in v1.0.4: The v1.0.4 macOS and Windows binaries reported terragrunt version main and parsed as 0.0.0, which broke any terragrunt_version_constraint set against them. The cause traces to the macOS and Windows signing workflows seeing the original workflow_dispatch event during the release pipeline. Fixed in v1.0.5.

New CLI tip

run and stack generate now print a tip when a --filter path resolves to a directory that contains terragrunt.stack.hcl but the filter is not restricted to stacks. Without | type=stack, stack generate ignores the filter and run skips that stack entirely. The tip includes the offending filter, the suggested rewrite, and a link to the filter docs. Suppress it with --no-tip stack-target-missing-type-stack or --no-tips.

Upgrade notes

Nothing in the release notes is flagged as breaking. Two things still matter for operators:

If you depend on terragrunt_version_constraint and run on macOS or Windows, upgrading from v1.0.4 to v1.0.5 is the only way to make the version string parse correctly.
Teams with strict AWS tag policies should pick up the DynamoDB tagging fix to unblock new state bootstrap.

Where to get it

Release page: https://github.com/gruntwork-io/terragrunt/releases/tag/v1.0.5
Repository: https://github.com/gruntwork-io/terragrunt
Tag: v1.0.5

Page link: /posts/terragrunt-v1-0-5-release-notes-and-changes/

denis256 notes and projects