Terragrunt v1.1.1: Dependency Resolution and Safety Fixes

   |   4 minute read   |   Using 806 words

Terragrunt had a busy v1.1.1 window, with 13 commits and 125 files changed around dependency resolution, safer source handling, and clearer crash reports. For teams that run Terragrunt in CI over many units, the headline is simple: fewer false failures around dependency outputs, plus tighter handling for refs, archives, and catalog clones.

Dependency output evaluation gets stricter where it should

The largest patch fixed dependency output resolution for hooks, extra arguments, and remote state. Terragrunt now handles a unit that references its own dependency inside before_hook, after_hook, error_hook, extra_arguments, or remote_state while another downstream unit resolves outputs from it. The practical result is no more There is no variable named "dependency" for configurations that were valid but passed through a partial parse path.

The same work added a guard in pkg/config/config_partial.go and pkg/config/config.go for a sharper case: terraform.source cannot depend on dependency.<name>.outputs.<key>. That source must be known during discovery and queue construction, before the dependency has run, so Terragrunt now returns a clear error instead of a decode failure. This is the kind of fix that saves time because it tells you the design is impossible, not merely that HCL parsing got sad.

Concrete areas touched:

  • before_hook, after_hook, and error_hook can read dependency outputs during output resolution
  • extra_arguments and remote_state got the same treatment
  • terraform.source gets an explicit rejection when it references dependency

Git refs, catalog clones, and engine archives get guarded

Source download paths got a security minded pass. The maintainers made Git ref values positional for fetch, clone, and ls-remote, so a ref value that begins with -- is treated as a ref, not as a Git option. Normal branches, tags, and SHAs continue to work.

The same theme shows up in catalog and engine behavior. The project hardened catalog temporary clone paths, creating a fresh temp clone root per catalog load, rejecting symlinked roots, and removing clones when the TUI exits. The engine path now limits archive extraction, stopping large or overly broad ZIP packages before they can eat a workstation or CI runner disk.

internal/vfs/vfs.go was one of the files touched in this area because extraction safety now depends on filesystem limits outside the engine package. That is a good shape for this kind of guard. Engine code should not be the only place that remembers how much data is safe to unpack.

CLI discovery and validation got closer to runtime behavior

Terragrunt discovery commands had two fixes that matter to monorepos. First, find and list now generate stacks in comparison worktrees when Git filters are used. A change inside terragrunt.stack.hcl, a generated unit, or a file read through read_terragrunt_config now shows up in those commands the same way run --all sees it.

Second, hcl validate now resolves original Terragrunt dirs per discovered unit. The touched HCL validate command code sets the original config path before parsing each unit, so get_original_terragrunt_dir() points at the unit, not the directory where the command started. That closes an annoying gap where plan, apply, and run validate could work while hcl validate from a parent directory failed.

For CI jobs, the practical check looks like this:

terragrunt find --filter '[HEAD^1...HEAD]'
terragrunt list --filter '[HEAD^1...HEAD]'
terragrunt hcl validate --inputs

Failure modes are becoming easier to report

The panic reporting commit is a visible user aid, not just internal cleanup. Terragrunt added friendly panic reports that write a terragrunt-crash-YYYYMMDDTHHMMSSZ-<pid>.log file when a crash happens. The report includes runtime data, command line, panic message, and stack trace.

That matters for operators because panic reports are often copied straight into issues or incident tickets. The changelog still tells users to review the file for sensitive data before sharing it, which is the correct default for IaC tools. Terragrunt command lines can contain paths, module sources, and environment context that should not be pasted blindly.

There is also a smaller but useful provider cache fix: Terragrunt now respects -lockfile=readonly during provider cache warmup. Before this patch, the cache step could write .terraform.lock.hcl first, which made the later Terraform or OpenTofu read only check meaningless. Now the underlying tool gets to enforce the flag.

How to prepare

If your repo uses dependency outputs inside hooks, remote state, or extra arguments, retest those paths on v1.1.1. The patched pkg/config/dependency.go behavior broadens what works, but it also makes terraform.source with dependency output usage fail clearly instead of limping through discovery.

If you use Git filters in CI, compare find, list, and run --all output after upgrading. Generated stacks should now be visible in comparison worktrees, and --filter-allow-destroy with dependent traversal filters also received a fix for deleted units with dependents.

Finally, check operational cleanup. Catalog users should expect temporary clones to disappear when the TUI exits, engine package users should treat extraction limits as intentional protection, and anyone reporting a panic should review the crash log before attaching it to an issue in gruntwork-io/terragrunt.



denis256 at denis256.dev