v0.96.1

🧪 Experiments Updated

The --filter-affected flag has more robust determination of the default branch in a Git repository

The --filter-affected flag will now use Git plumbing to interrogate the default branch as considered by the remote repository before falling back to interrogating local configurations for determination of a default branch (remember that you must use the filter-flag experiment to try this out).

# This is checked first
$ git rev-parse --abbrev-ref origin/HEAD

# Followed by this
$ git ls-remote --symref origin HEAD

# Followed with this
$ git config init.defaultBranch

# If none of the above succeed, the default branch is assumed to be `main`.

Git-based filter expressions now warn users when using local state

Usage of --filter Git-based expressions in combination with local state will now emit a warning, recommending usage of remote states (remember that you must use the filter-flag experiment to try this out).

$ terragrunt run --all --filter '[HEAD~1...HEAD]' -- plan
09:30:38.017 WARN   One or more units discovered using Git-based filter expressions (e.g. [HEAD~1...HEAD]) do not have a remote_state configuration. This may result in unexpected outcomes, such as outputs for dependencies returning empty. It is strongly recommended to use remote state when working with Git-based filter expressions.

See the warning at the bottom of Git-based expressions documentation for more information.

OpenTelemetry traces added for filter evaluation

Filter evaluation now emits OpenTelemetry spans and metrics, including filter resolution details, evaluation duration, and filtering scope. This helps teams analyze performance and pinpoint bottlenecks in filtering with large Terragrunt repositories.

🐛 Bug Fixes

Path-based filters targeting external paths fixed

A bug in the parsing of path-based filter expressions in the --filter flag of the filter-flag experiment prevented parsing of path-based filters for external paths (e.g. --filter ../external-dir). This bug has been fixed.

HTTPS Git CAS URLs fixed

A bug in the parsing of source URLs with forced usage of the Git protocol (e.g. git::https://github.com/acme/catalog) prevented using the cas experiment with HTTPS Git URLs with forced usage of the Git protocol. This bug has been fixed.

Regression of support for root terragrunt.hcl fixed

A bug in the processing of --queue-exclude-dir resulted in prefix based matching of non-glob expressions in --queue-exclude-dir values. This broke backwards compatibility for users with a root terragrunt.hcl file instead of a differently named file for the root include (e.g. root.hcl). This bug has been fixed.

Note that you are still advised to migrate away from using a root terragrunt.hcl as soon as possible for your team. We will maintain backwards compatibility until at least 2.0, however.

What's Changed

• feat: add opentelemtry integration in filter flag by @denis256 in #5247
• feat: Adding warnings for local state usage with Git-based expressions by @yhakbar in #5245
• feat: Use more robust default branch detection in Git-based expressions by @yhakbar in #5243
• fix: Fixing parsing of external filters by @yhakbar in #5238
• fix: Fixing HTTPS CAS URLs by @yhakbar in #5240
• fix: Fixing warnings for how to reproduce tofu runs by @yhakbar in #5246
• fix: Fixing regression with support for include of root terragrunt.hcl by @yhakbar in #5249
• chore: Verify --queue-include-external isn't necessary when using the --filter flag by @yhakbar in #5216
• chore: Verify --filter results in minimal parsing by @yhakbar in #5229
• chore: Dropping util.JoinPath by @yhakbar in #5219
• docs: Cleaning up some docs by @yhakbar in #5239

Full Changelog: v0.96.0...v0.96.1

alpha2025121701

⚠️ Alpha Release

Alpha release of the changes in #5252

Do not use in production.

Full Changelog: v0.96.1...alpha2025121701

v0.96.0

🛠️ Breaking Changes

The --no-destroy-dependencies-check flag has been deprecated

The default behavior of Terragrunt with respect to checking dependents during destroys has been inverted. As a consequence the --no-destroy-dependencies-check has been deprecated, and a new --destroy-dependencies-check flag has been introduced.

Previously, Terragrunt would automatically parse all configurations that might depend on a unit being destroyed to warn users that the destroyed configuration might orphan other units that depend on it. This was frequently undesirable behavior due to the fact that it introduced additional unnecessary work (parsing all HCL configurations unnecessarily), and could introduce errors if users had unrelated invalid HCL configurations.

Terragrunt now requires that users opt-in to this behavior via the new --destroy-dependencies-check flag, which enables the destroy check, and will not perform the destroy check by default.

terragrunt run --destroy-dependencies-check -- destroy

To learn more, see the no-destroy-dependencies-check strict control.

The --disable-command-validation flag has been deprecated

Terragrunt no longer performs command name validation when passing commands to OpenTofu/Terraform from Terragrunt when using the run command. This makes the --disable-command-validation flag unnecessary, as the lack of validation is now the default behavior.

Previously, Terragrunt had no way to explicitly indicate that a command being used on the Terragrunt CLI was intended as a passthrough to the OpenTofu/Terraform CLI, so it was important that validation be done on the command being supplied on the Terragrunt CLI.

Since completion of the CLI Redesign, this has changed significantly. Users now have explicit shortcuts on the Terragrunt CLI for common OpenTofu/Terraform commands and an explicit interface for passing through OpenTofu/Terraform commands to the OpenTofu/Terraform CLIs using the run command. By removing this validation, Terragrunt will now automatically support new OpenTofu/Terraform commands in future versions of the tools and allow for greater flexibility in IaC Engines, as novel commands can be introduced.

To learn more, see the disable-command-validation strict control.

The --experimental-engine flag now enables the iac-engine experiment

The experimental IaC Engine feature was introduced in Terragrunt prior to the introduction of the experiment system. As such, it wasn’t enabled when users enabled experiment mode, and didn’t have a dedicated section in the experiments docs.

The --experimental-engine flag is now an alias for explicitly enabling the iac-engine experiment, and using IaC Engines will be allowed when using Terragrunt in experiment mode. This increases consistency with how experimental features are managed in Terragrunt, and reduces the surface area users have to be aware of in the Terragrunt CLI.

terragrunt run --experiment=iac-engine

Note that you can explicitly disable usage of engines now with the --no-engine flag, even when the experiment is active.

terragrunt run --experiment=iac-engine --no-engine

To learn more, see the iac-engine experiment.

The --dependency-fetch-output-from-state flag now enables the dependency-fetch-output-from-state experiment

The experimental —dependency-fetch-output-from-state flag was introduced in Terragrunt prior to the introduction of the experiment system. As such, it wasn’t enabled when users enabled experiment mode, and didn’t have a dedicated section in the experiments docs.

The --dependency-fetch-output-from-state flag is now an alias for explicitly enabling the dependency-fetch-output-from-state experiment, and Terragrunt will automatically attempt to fetch outputs from backend state when in experiment mode. This increases consistency with how experimental features are managed in Terragrunt, and reduces the surface area users have to be aware of in the Terragrunt CLI.

terragrunt run --experiment=dependency-fetch-output-from-state

Note that you can explicitly disable fetching output from state with the --no-dependency-fetch-output-from-state flag, even when the experiment is active.

terragrunt run --experiment=dependency-fetch-output-from-state --no-dependency-fetch-output-from-state

To learn more, see the dependency-fetch-output-from-state experiment.

🧪 Experiments Updated

The filter-flag experiment now supports the --filters-file flag

The --filters-file flag has been introduced to allow for the application of multiple filters as defined in a newline-delimited text file, similar to the existing --excludes-file flag (remember that you must use the filter-flag experiment to try this).

 # custom-filters.txt
 !./unstable/**

 $ terragrunt find --filters-file custom-filters.txt
 # No results in `./unstable` discovered.

When the filter-flag experiment is active, Terragrunt will automatically parse and apply filters found in a .terragrunt-filters file, similar to how it automatically parses and applies excludes found in a .terragrunt-excludes file.

 # .terragrunt-filters
 !./unstable/**

# Note that it only does this by default when the experiment is active.
terragrunt find
# Still no results in `./unstable` discovered.

To explicitly disable usage of filter files (including the automatic .terragrunt-filters file), use the --no-filters-file flag.

 # .terragrunt-filters
 !./unstable/**

# Note that it only does this by default when the experiment is active.
terragrunt find --no-filters-file
# This _will_ allow results in `./unstable` to be discovered.

Unlike the --excludes-file, usage of the --filters-file flag also allows for always filtering for particular configurations.

# .terragrunt-filters
./always-include/**

To learn more, see the filters file documentation.

🐛 Bug Fixes

Unnecessary .terragrunt-cache directory no longer generated in run --all runs

Fixed a regression where run --all would create empty .terragrunt-cache directories in the current working directory, even when not needed.

What's Changed

• feat: Adding --destroy-dependencies-check by @yhakbar in #5204
• feat: Adding --filters-file flag by @yhakbar in #5111
• feat: Removing support for --disable-command-validation by @yhakbar in #5189
• feat: Add iac-engine experiment by @yhakbar in #5203
• feat: Add dependency-fetch-output-from-state experiment by @yhakbar in #5201
• fix: Remove unnecessary .terragrunt-cache dir at the stack level by @yhakbar in #5231
• docs: Documenting --filters-file flag by @yhakbar in #5112
• docs: Update terminology from 'module' to 'unit' in scaffold.md by @josh-padnick in #5121
• docs: Fix Runner Pool description in terminology section by @maddawik in #5236
• build(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #5233
• build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #5235
• build(deps): bump actions/cache from 4 to 5 by @dependabot[bot] in #5234

New Contributors

• @maddawik made their first contribution in #5236

Full Changelog: v0.95.1...v0.96.0

v0.95.1

🧪 Experiments Updated

The filter-flag experiment now supports the --filter-affected flag

The --filter-affected flag has been introduced as an convenience alias for --filter [main...HEAD] (remember that you must use the filter-flag experiment to try this).

terragrunt find --filter-affected

Note that if you have local Git configurations that results in a different branch being your default branch, that branch will be used instead of main.

🐛 Bug Fixes

Integration of --queue-strict-include with --queue-include-units-reading fixed

A regression in --queue-strict-include resulted in empty run queues when using a combination of --queue-strict-include with --queue-include-units-reading. That bug has been resolved.

Integration of --source with run --all fixed

A regression in --source prevented it from working correctly in combination with run --all , resulting in empty run queues. That bug has been resolved.

Integration of Git-expressions with explicit stacks

A bug in the implementation of explicit stack generation for Git-expressions prevented stacks from being generated in Git worktrees when using Git-expressions in the filter-flag experiment. That bug has been resolved.

🧹 Chores

Dependencies updates

• cloud.google.com/go/storage —> v1.58.0
• github.com/aws/aws-sdk-go-v2 —> v1.41.0
• github.com/hashicorp/go-version —> v1.8.0
• github.com/aws/smithy-go —> v1.24.0

What's Changed

• feat: Adding --filter-affected flag by @yhakbar in #5109
• fix: Cleaning up TestExcludeDirs tests by @yhakbar in #5215
• fix: worktree tests simplification by @denis256 in #5217
• chore: Re-enabling TestAwsDocsTerralithToTerragruntGuide test by @yhakbar in #5220
• fix: Fixing integration of run --all with --source by @yhakbar in #5209
• fix: Fixing Git expressions with explicit stacks by @yhakbar in #5223
• fix: Fixing --queue-strict-include integration with --queue-include-units-reading by @yhakbar in #5222
• fix: improved dependency config path validation by @denis256 in #5212
• docs: Documenting --filter-affected by @yhakbar in #5110
• docs: Fixing Git-based docs by @yhakbar in #5218
• chore: go cloud dependencies update by @denis256 in #5183

Full Changelog: v0.95.0...v0.95.1

v0.95.0

🛠️ Breaking Changes

The --queue-exclude-external flag has been deprecated

Previously, Terragrunt would automatically pull in external dependencies (dependencies outside the current working directory when running terragrunt run --all) into the run queue.

To prevent this behavior, users had to manually supply the --queue-exclude-external flag. This has caused significant confusion and unexpected behavior for users over the duration of it’s existence in the Terragrunt CLI. To prevent this unexpected behavior for users and follow the principle of least surprise, this flag has been deprecated and its behavior is now the default in Terragrunt.

To explicitly request inclusion of external dependencies in the run queue, use the —queue-include-external flag.

⚙️ Process Updates

OpenTofu 1.11.x added to compatibility matrix

We are now continuously testing against OpenTofu 1.11.1 in our Continuous Integration testing, and have updated the compatibility matrix to reflect that.

🧪 Updated Experiments

The filter-flag experiment now supports Git-based expressions

The --filter flag can now be used to filter units based on changes in Git history (remember that you must use the filter-flag experiment to try this).

# Compare between two references
terragrunt find --filter '[main...HEAD]'

# Shorthand: compare reference to HEAD
terragrunt find --filter '[main]'

# Compare between specific commits
terragrunt find --filter '[abc123...def456]'

# Compare between tags
terragrunt find --filter '[v1.0.0...v2.0.0]'

# Compare using relative references
terragrunt find --filter '[HEAD~1...HEAD]'

# Compare between branches
terragrunt find --filter '[feature-branch...main]'

For more information, see the dedicated documentation on Git-Based Filtering.

🐛 Bug Fixes

Units now properly flush stdout in run --all

A regression in unit stdout flushing caused stdout for unit logs to hang pending resolution of run --all runs. This regression has been fixed to ensure that logs are streamed in real time again.

Queue entries now properly run, even if dependent units are excluded

A bug in run queue optimization made it so that excluding the dependent of a unit within a multi-unit run queue would incorrectly exclude the dependency unit from the run queue. This bug has been resolved, and units are now properly included, even if their dependents are excluded.

Provider cache server only contacts relevant registries

The provider cache server was incorrectly establishing a connection with multiple registries even though only one registry for a given IaC tool run by Terragrunt. For users with network-restricted environments, this could cause problems. Terragrunt will now only contact the relevant registry for a given IaC tool unless users explicitly request for usage of multiple registries.

📖 Documentation Updates

Provider cache server no longer documented as experimental

The Provider Cache Server has been used in production by a good portion of the Terragrunt community based on voluntary community reporting. The need for the feature is also mitigated by advances in OpenTofu that makes the Automatic Provider Cache Dir the default solution all Terragrunt users using OpenTofu ≥ v1.10.0.

As such, the Provider Cache Server has been promoted to a generally available feature that is exclusively opt-in for users that cannot benefit from the Automatic Provider Cache Dir feature, or are better served by the Provider Cache Server due to scale or platform limitations.

What's Changed

• feat: Adding --filter Git support by @denis256 in #5166
• feat: Adding --filter-allow-destroy flag by @yhakbar in #5210
• fix: filter git improvements by @denis256 in #5184
• fix: Remove outdated Bun/Node locking by @yhakbar in #5186
• fix: unit output flushing by @denis256 in #5193
• fix: Only call necessary registries based on OpenTofu/Terraform usage by @yhakbar in #5196
• fix: Ensure queue entries are still marked as ready if they have dependencies/dependents that are excluded by @yhakbar in #5194
• fix: Temporarily skipping TestAwsDocsTerralithToTerragruntGuide until we get a new release by @yhakbar in #5208
• fix: runner pool external dependencies inclusion fix by @denis256 in #5199
• docs: Nav revisions by @karlcarstensen in #5172
• docs: Updating documentation around the provider cache server by @yhakbar in #5190
• docs: Documenting stacks limitations by @yhakbar in #5188
• docs: Adding new ambassador by @karlcarstensen in #5211
• docs: Documenting --filter Git support by @yhakbar in #5108
• chore: Adding --queue-exclude-dir / --filter equivalence test by @yhakbar in #5078
• chore: Upgrade to Opentofu 1.11 by @denis256 in #5214
• build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #5141
• build(deps): bump DavidAnson/markdownlint-cli2-action from 20 to 21 by @dependabot[bot] in #5140
• build(deps): bump mikepenz/action-junit-report from 5 to 6 by @dependabot[bot] in #5046

Full Changelog: v0.94.0...v0.95.0

alpha-2025121101

⚠️ Alpha Release

• Alpha release of changes from #5199

What's Changed

• feat: Adding --filter Git support by @denis256 in #5166
• fix: Remove outdated Bun/Node locking by @yhakbar in #5186
• build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #5141
• build(deps): bump DavidAnson/markdownlint-cli2-action from 20 to 21 by @dependabot[bot] in #5140
• build(deps): bump mikepenz/action-junit-report from 5 to 6 by @dependabot[bot] in #5046
• Nav revisions by @karlcarstensen in #5172
• docs: Updating documentation around the provider cache server by @yhakbar in #5190
• bug: unit output flushing by @denis256 in #5193
• fix: Only call necessary registries based on OpenTofu/Terraform usage by @yhakbar in #5196
• chore: Adding --queue-exclude-dir / --filter equivalence test by @yhakbar in #5078
• feat: filter git improvements by @denis256 in #5184
• fix: Ensure queue entries are still marked as ready if they have dependencies/dependents that are excluded by @yhakbar in #5194

Full Changelog: v0.94.0...alpha-2025121101

v0.94.0

✨ Features

• Terraform 1.14: We are now testing Terragrunt against Terraform 1.14 and is confirmed to be working.

NOTE: Although this release is marked as backward incompatible, it is functionally compatible as nothing has been changed in Terragrunt internals. The minor version release is useful to mark the change in Terraform version that is being tested.

What's Changed

• chore: add support for Terraform 1.14 by @denis256 in #5180
• feat: use common logic for discovery and runner pool by @denis256 in #5100

Full Changelog: v0.93.13...v0.94.0

alpha-2025121001

⚠️ Alpha Release

• Alpha release of changes from #5176

Full Changelog: v0.93.12...alpha-2025121001

v0.93.13

🐛 Bug Fixes

Catalog module source URL construction

Fixed malformed version-pinned catalog module URLs where TerraformSourcePath() incorrectly placed //moduleDir after ?ref=, ensuring correct root and submodule URL formatting.

What's Changed

• fix(catalog): build valid module source URLs for version-pinned modules by @rvelichkov in #5174
• docs: add two additional ambassadors by @karlcarstensen in #5164

Full Changelog: v0.93.12...v0.93.13

v0.93.12

🐛 Bug Fixes

False positive errors during dependent units discovery

Reduced false-positive log messages emitted while discovering dependent units during destroy operations.

What's Changed

• Terragrunt Ambassadors by @karlcarstensen in #5138
• Adding Terragrunt Scale FAQ by @karlcarstensen in #5147
• chore: cloud dependencies update by @denis256 in #5150
• fix: false positive errors during dependent units discovery by @denis256 in #5137

Full Changelog: v0.93.11...v0.93.12