terragrunt

Last changed

Request a free trial

Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.

Chainguard Container for terragrunt

A cloud infrastructure orchestration tool that supports OpenTofu/Terraform.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:


docker pull cgr.dev/ORGANIZATION/terragrunt:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Note on Terraform/OpenTofu Support: The Terragrunt maintainers do not maintain the Docker images and actively recommend OpenTofu over Terraform. We provide both options as separate image tags, to meet different organizational requirements: OpenTofu variants for open-source licensing needs (MPL-2.0) and Terraform variants for teams accepting BUSL-1.1 terms.

Image Variants and Tags

Terragrunt requires either Terraform (BUSL-1.1 licensed) or OpenTofu (MPL-2.0 licensed) as a runtime dependency to operate. The Chainguard image provides these as separate image tags, documented below:

Available Variants

Base Terragrunt
- Tag: latest
- Contains only Terragrunt without Terraform or OpenTofu
- For building custom images or adding your own IaC tool version
- Example: cgr.dev/ORGANIZATION/terragrunt:latest
Terragrunt with Terraform
- Tags: X.Y.Z (version number) or tfX.Y.Z (explicit prefix)
- Includes Terragrunt + Terraform X.Y.Z pre-installed
- Important: Terraform is BUSL-1.1 licensed with commercial use restrictions
- Example: cgr.dev/ORGANIZATION/terragrunt:X.Y.Z or cgr.dev/ORGANIZATION/terragrunt:tfX.Y.Z
Terragrunt with OpenTofu
- Tags: otfX.Y.Z
- Includes Terragrunt + OpenTofu X.Y.Z pre-installed
- OpenTofu is MPL-2.0 licensed with no commercial restrictions
- Example: cgr.dev/ORGANIZATION/terragrunt:otfX.Y.Z

Tag Format

latest - Base Terragrunt only
X.Y.Z - Terragrunt with Terraform X.Y.Z
tfX.Y.Z - Terragrunt with Terraform X.Y.Z, explicit prefix
otfX.Y.Z - Terragrunt with OpenTofu X.Y.Z

Choosing the Right Variant

Choose latest if you're building a custom image with specific tool versions or using Terragrunt standalone
Choose Terraform tags (X.Y.Z or tfX.Y.Z) if you need Terraform, accept BUSL-1.1 licensing terms and are okay with the Terraform version rolling forward with image updates
Choose OpenTofu tags (otfX.Y.Z) if you need open-source licensing (MPL-2.0) and are okay with the OpenTofu version rolling forward with image updates

Getting Started

Terragrunt is a thin wrapper for Terraform/OpenTofu that provides extra tools for keeping configurations DRY, working with multiple modules, and managing remote state.

Basic Usage

Mount the local volume containing your Terragrunt project and terragrunt.hcl:


# Using base variant (Terragrunt only)
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:latest --version

# Using Terraform variant
# Preview changes
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:X.Y.Z plan
# Apply changes
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:X.Y.Z apply

# Or with explicit prefix
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:tfX.Y.Z plan

# Using OpenTofu variant (recommended for open-source)
# Preview changes
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:otfX.Y.Z plan
# Apply changes
docker run --rm -v $(pwd):/apps -w /apps cgr.dev/ORGANIZATION/terragrunt:otfX.Y.Z apply

Using in Kubernetes

Terragrunt does not provide a Helm Chart or Kubernetes Operator. Their documentation suggests running a batch Job for scheduling:


apiVersion: batch/v1
kind: Job
metadata:
  name: infrastructure-deploy
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: terragrunt
        # Examples: :latest (base), :X.Y.Z (Terraform), :otfX.Y.Z (OpenTofu)
        image: cgr.dev/ORGANIZATION/terragrunt:otfX.Y.Z
        command: ["terragrunt"]
        args: ["apply", "-auto-approve"]
        workingDir: /apps
        volumeMounts:
        - name: terraform-code
          mountPath: /apps
      volumes:
      - name: terraform-code
        configMap:
          name: terraform-code

Documentation and Resources

For more information about Terragrunt, refer to:

For OpenTofu migration and documentation:

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

Minimal design, without unnecessary software bloat
Daily builds to ensure container images are up-to-date with available security patches
High quality build-time SBOMs attesting to the provenance of all artifacts within the image
Verifiable signatures provided by Sigstore
Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.

Licenses

Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:

Apache-2.0
BSD-3-Clause
GCC-exception-3.1
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-or-later
LGPL-2.0-or-later

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement

Compliance

Chainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.

SLSA compliance at Chainguard

This image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.

PCI DSS at Chainguard

A FIPS validated version of this image is available for FedRAMP compliance. STIG is included with FIPS image.

Related images

terragrunt-fips