# Install > Install Terragrunt! ## Quick Install The quickest way to install Terragrunt on Linux or macOS: ```bash curl -sSfL --proto '=https' --tlsv1.2 https://terragrunt.com/install | bash ``` Script options and inspecting the script Run `curl -sSfL --proto '=https' --tlsv1.2 https://terragrunt.com/install | bash -s -- --help` to see all options, or [read the script on GitHub](https://github.com/gruntwork-io/terragrunt/blob/main/docs/public/install). Piping a remote script directly into `bash` means executing code you haven’t read. If you’d rather review the script before running it, download it to your local filesystem, read through it, and then run it: ```bash curl -sSfL --proto '=https' --tlsv1.2 -o install.sh https://terragrunt.com/install less install.sh bash install.sh ``` ## Download from releases page 1. Go to the [Releases Page](https://github.com/gruntwork-io/terragrunt/releases). 2. Download the archive for your operating system: e.g., if you’re on a Mac, download `terragrunt_darwin_amd64.tar.gz`; if you’re on Windows, download `terragrunt_windows_amd64.exe.zip`, etc. 3. Download `SHA256SUMS` and optionally `SHA256SUMS.gpgsig` for signature verification. 4. Verify the checksum and optionally the signature (see [Verifying the checksum](#verifying-the-checksum) below). 5. Extract the archive: e.g., `tar -xzf terragrunt_darwin_amd64.tar.gz` or unzip on Windows. 6. Add execute permissions to the binary (Linux/Mac): `chmod u+x terragrunt`. 7. Put the binary somewhere on your `PATH`: e.g., On Linux and Mac: `mv terragrunt /usr/local/bin/terragrunt`. ### Verifying the checksum When you download the binary from the releases page, you can also use the checksum file to verify the integrity of the binary. This can be useful for ensuring that you have an intact binary and that it has not been tampered with. To verify the integrity of the file, do the following: 1. Have the binary downloaded, and accessible. 2. Generate the SHA256 checksum of the binary. 3. Download the `SHA256SUMS` file from the releases page. 4. Find the expected checksum for the binary you downloaded. 5. If the checksums match, the binary is intact and has not been tampered with. 6. Optionally, verify the GPG signature: ```bash # Import Gruntwork's public key (first time only) curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import # Verify signature gpg --verify SHA256SUMS.gpgsig SHA256SUMS ``` Verify Key Fingerprint After importing the key, verify its fingerprint matches exactly: ```bash gpg --fingerprint 577774ACA847CC49 ``` Expected output: ```plaintext pub ed25519 2026-01-12 [SC] 68C8 0F86 DF98 E710 C0F2 2E2E 5777 74AC A847 CC49 uid [ unknown] Gruntwork (Code Signing Key) ``` 7. Alternatively, verify with Cosign: ```bash cosign verify-blob SHA256SUMS \ --bundle SHA256SUMS.sigstore.json \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity-regexp "github.com/gruntwork-io/terragrunt" ``` ### Convenience Scripts * Linux (x86) ```bash set -euo pipefail OS="linux" ARCH="amd64" VERSION="v1.0.7" BINARY_NAME="terragrunt_${OS}_${ARCH}" BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION" # Download binary and verification files curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME" curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig # First: Import Gruntwork signing key and verify GPG signature of checksum file curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then echo "GPG signature verified!" else echo "GPG signature verification failed!" exit 1 fi # Second: Verify checksum of binary against trusted SHA256SUMS CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')" EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)" if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" echo "Terragrunt $VERSION downloaded and verified successfully" ``` * macOS (ARM) ```bash set -euo pipefail OS="darwin" ARCH="arm64" VERSION="v1.0.7" BINARY_NAME="terragrunt_${OS}_${ARCH}" BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION" # Download binary and verification files curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME" curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig # First: Import Gruntwork signing key and verify GPG signature of checksum file curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then echo "GPG signature verified!" else echo "GPG signature verification failed!" exit 1 fi # Second: Verify checksum of binary against trusted SHA256SUMS CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')" EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)" if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" echo "Terragrunt $VERSION downloaded and verified successfully" ``` * Windows ```powershell $os = "windows" $arch = "amd64" $version = "v1.0.7" $binaryName = "terragrunt_${os}_${arch}.exe" try { $ProgressPreference = 'SilentlyContinue' $baseUrl = "https://github.com/gruntwork-io/terragrunt/releases/download/$version" Write-Host "Downloading Terragrunt $version..." Invoke-WebRequest -Uri "$baseUrl/$binaryName" -OutFile $binaryName -UseBasicParsing Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS" -OutFile "SHA256SUMS" -UseBasicParsing Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS.gpgsig" -OutFile "SHA256SUMS.gpgsig" -UseBasicParsing # First: Verify GPG signature of checksum file (requires gpg installed) Write-Host "Importing Gruntwork signing key..." Invoke-WebRequest -Uri "https://gruntwork.io/.well-known/pgp-key.txt" -OutFile "pgp-key.txt" -UseBasicParsing gpg --import pgp-key.txt 2>$null Write-Host "Verifying GPG signature of SHA256SUMS..." gpg --verify SHA256SUMS.gpgsig SHA256SUMS if ($LASTEXITCODE -ne 0) { Write-Error "GPG signature verification failed" exit 1 } Write-Host "GPG signature verified!" # Second: Verify checksum of binary against trusted SHA256SUMS $actualChecksum = (Get-FileHash -Algorithm SHA256 $binaryName).Hash.ToLower() $expectedChecksum = (Get-Content "SHA256SUMS" | ForEach-Object { $parts = $_ -split 's+'; if ($parts[1] -eq $binaryName) { return $parts[0].ToLower() } } | Select-Object -First 1) if ($actualChecksum -ne $expectedChecksum) { Write-Error "Checksum verification failed" exit 1 } Write-Host "Checksum verified!" Write-Host "Terragrunt $version downloaded and verified successfully" } catch { Write-Error "Failed: $_" exit 1 } finally { $ProgressPreference = 'Continue' } ``` * Linux (ARM) ```bash set -euo pipefail OS="linux" ARCH="arm64" VERSION="v1.0.7" BINARY_NAME="terragrunt_${OS}_${ARCH}" BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION" # Download binary and verification files curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME" curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig # First: Import Gruntwork signing key and verify GPG signature of checksum file curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then echo "GPG signature verified!" else echo "GPG signature verification failed!" exit 1 fi # Second: Verify checksum of binary against trusted SHA256SUMS CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')" EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)" if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" echo "Terragrunt $VERSION downloaded and verified successfully" ``` * macOS (x86) ```bash set -euo pipefail OS="darwin" ARCH="x86" VERSION="v1.0.7" BINARY_NAME="terragrunt_${OS}_${ARCH}" BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION" # Download binary and verification files curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME" curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig # First: Import Gruntwork signing key and verify GPG signature of checksum file curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then echo "GPG signature verified!" else echo "GPG signature verification failed!" exit 1 fi # Second: Verify checksum of binary against trusted SHA256SUMS CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')" EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)" if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" echo "Terragrunt $VERSION downloaded and verified successfully" ``` Note These scripts automatically verify the SHA256 checksum and GPG signature before completing. ## Install via a package manager Note that all the different package managers are third party. The third party Terragrunt packages may not be updated with the latest version, but are often close. Please check your version against the latest available on the [Releases Page](https://github.com/gruntwork-io/terragrunt/releases). If you want the latest version, the recommended installation option is to [download from the releases page](https://github.com/gruntwork-io/terragrunt/releases). * **Windows**: You can install Terragrunt on Windows using [Chocolatey](https://chocolatey.org/) ```bash choco install terragrunt ``` * **macOS**: You can install Terragrunt on macOS using [Homebrew](https://brew.sh/): ```bash brew install terragrunt ``` * **Linux (Homebrew)**: Most Linux users can use [Homebrew](https://docs.brew.sh/Homebrew-on-Linux): ```bash brew install terragrunt ``` * **Linux (Pacman)**: Arch Linux users can use [pacman](https://archlinux.org/packages/extra/x86_64/terragrunt/): ```bash pacman -S terragrunt ``` * **Linux (Gentoo)**: Gentoo users can use [emerge](https://repology.org/project/terragrunt/versions): ```bash emerge -a app-admin/terragrunt-bin ``` * **FreeBSD**: You can install Terragrunt on FreeBSD using [Pkg](https://www.freebsd.org/cgi/man.cgi?pkg\(7\)): ```bash pkg install terragrunt ``` ## Install via tool manager A best practice when using Terragrunt is to pin the version you are using to ensure that you, your colleagues and your CI/CD pipelines are all using the same version. This also allows you to easily upgrade to new versions and rollback to previous versions if needed. You can use a tool manager to install and manage Terragrunt versions. * **mise**: You can install Terragrunt using [mise](https://mise.jdx.dev) ```bash mise install terragrunt v1.0.7 ``` * **asdf**: You can install Terragrunt using [asdf](https://asdf-vm.com) ```bash asdf plugin add terragrunt asdf install terragrunt v1.0.7 ``` Both of these tools allow you to pin the version of Terragrunt you are using in a `.tool-versions` (and `.mise.toml` for mise) file in your project directory. Colleagues and CI/CD pipelines can then install the associated tool manager, and run using the pinned version. Note that the tools Terragrunt integrates with, such as OpenTofu and Terraform, can also be managed by these tool managers, so you can also pin the versions of those tools in the same file. **Backend details:** * **mise** uses [aqua](https://aquaproj.github.io/) as its default backend to install Terragrunt. * **asdf** uses the asdf-terragrunt plugin, which is maintained by Gruntwork: ## Building from source If you’d like to build from source, you can use `go` to build Terragrunt yourself, and install it: ```shell git clone https://github.com/gruntwork-io/terragrunt.git cd terragrunt # Feel free to checkout a particular tag, etc if you want here. go install ``` ## Install tip or test builds Every successful CI run on the `main` branch produces a **tip build** of Terragrunt. Maintainers can also trigger **test builds** from any branch. Both are useful for testing unreleased changes or reproducing issues against the most recent code. Tip builds are served via the builds API at `https://builds.terragrunt.com` and are available for all platforms supported in official releases. While tip builds are always built on every push to `main`, test builds are only built when maintainers explicitly want to distribute a test build of Terragrunt from a branch other than `main` to get stakeholder feedback. Maintainers may ask that you try out a test build to see if a WIP solution solves an issue you are facing, and you are free to request a test build if you want to try the latest in some in-progress work. No retention guarantee Tip and test builds may be reclaimed at any time to reduce hosting costs. Do not rely on a specific build being available indefinitely. Use [official releases](https://github.com/gruntwork-io/terragrunt/releases) for production. ### Quick install for tip and test builds The same install script used for official releases supports tip and test builds via flags. To install the latest tip build: ```bash curl -sSfL --proto '=https' --tlsv1.2 https://terragrunt.com/install | bash -s -- --tip ``` To install a tip build at a specific commit: ```bash curl -sSfL --proto '=https' --tlsv1.2 https://terragrunt.com/install | bash -s -- --tip --commit ``` To install a test build at a specific commit: ```bash curl -sSfL --proto '=https' --tlsv1.2 https://terragrunt.com/install | bash -s -- --test --commit ``` If you prefer to run the install steps manually, the tabs below show the equivalent commands: * Latest tip ```bash set -euo pipefail # Set your platform (linux, darwin, windows) and architecture (amd64, arm64, 386) OS="linux" ARCH="amd64" ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz" # Download the archive and checksums curl -sL -o "$ARCHIVE" \ "https://builds.terragrunt.com/api/v1/tip/latest/download?os=${OS}&arch=${ARCH}" curl -sL -o SHA256SUMS \ "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS" # Verify checksum EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS) ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}') # macOS: use "shasum -a 256" if [ "$EXPECTED" != "$ACTUAL" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" # Extract and install tar -xzf "$ARCHIVE" chmod +x "terragrunt_${OS}_${ARCH}" sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt ``` * Specific commit ```bash set -euo pipefail # Set the commit SHA, platform, and architecture COMMIT="abc123def456" OS="linux" ARCH="amd64" ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz" # Download the archive and checksums curl -sL -o "$ARCHIVE" \ "https://builds.terragrunt.com/api/v1/tip/${COMMIT}/download?os=${OS}&arch=${ARCH}" curl -sL -o SHA256SUMS \ "https://builds.terragrunt.com/api/v1/tip/${COMMIT}/download?filename=SHA256SUMS" # Verify checksum EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS) ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}') # macOS: use "shasum -a 256" if [ "$EXPECTED" != "$ACTUAL" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" # Extract and install tar -xzf "$ARCHIVE" chmod +x "terragrunt_${OS}_${ARCH}" sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt ``` * Test build ```bash set -euo pipefail # Set the commit SHA, platform, and architecture COMMIT="abc123def456" OS="linux" ARCH="amd64" ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz" BASE_URL="https://builds.terragrunt.com/test/${COMMIT}" # Download the archive and checksums curl -sL -o "$ARCHIVE" "${BASE_URL}/${ARCHIVE}" curl -sL -o SHA256SUMS "${BASE_URL}/SHA256SUMS" # Verify checksum EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS) ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}') # macOS: use "shasum -a 256" if [ "$EXPECTED" != "$ACTUAL" ]; then echo "Checksum verification failed!" exit 1 fi echo "Checksum verified!" # Extract and install tar -xzf "$ARCHIVE" chmod +x "terragrunt_${OS}_${ARCH}" sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt ``` ### Verifying signatures Tip and test builds are signed using the same process as official releases. You can optionally verify the GPG or Cosign signature after downloading: ```bash # Download signature files (replace "latest" with a commit SHA if needed) curl -sL -o SHA256SUMS.gpgsig \ "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS.gpgsig" # GPG verification curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import gpg --verify SHA256SUMS.gpgsig SHA256SUMS ``` Alternatively, verify with Cosign: ```bash curl -sL -o SHA256SUMS.sigstore.json \ "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS.sigstore.json" cosign verify-blob SHA256SUMS \ --bundle SHA256SUMS.sigstore.json \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity-regexp "github.com/gruntwork-io/terragrunt" ``` Note For full API documentation and more details about Terragrunt is distributed, see the [Releases documentation](/process/releases#tip-builds). ## Enable tab completion If you use either Bash or Zsh, you can enable tab completion for Terragrunt commands. To enable autocomplete, first ensure that a config file exists for your chosen shell. For Bash shell. ```shell touch ~/.bashrc ``` For Zsh shell. ```shell touch ~/.zshrc ``` Then install the autocomplete package. ```shell terragrunt --install-autocomplete ``` Once the autocomplete support is installed, you will need to restart your shell. ## Gruntwork Pipelines Gruntwork offers a commercial CI/CD solution for Terragrunt called [Pipelines](https://www.gruntwork.io/platform/pipelines). Pipelines is a fully managed CI/CD service that is designed to work seamlessly with Terragrunt. It provides an out of the box solution for running Terragrunt in CI/CD without the need to setup and maintain your own CI/CD infrastructure. ## Terragrunt GitHub Action Terragrunt is also available as a GitHub Action. Instructions on how to use it can be found at .