Install

Quick Install

The quickest way to install Terragrunt on Linux or macOS:

curl -sL https://docs.terragrunt.com/install | bash

Download from releases page

Go to the Releases Page.
Download the archive for your operating system: e.g., if you’re on a Mac, download terragrunt_darwin_amd64.tar.gz; if you’re on Windows, download terragrunt_windows_amd64.exe.zip, etc.
Download SHA256SUMS and optionally SHA256SUMS.gpgsig for signature verification.
Verify the checksum and optionally the signature (see Verifying the checksum below).
Extract the archive: e.g., tar -xzf terragrunt_darwin_amd64.tar.gz or unzip on Windows.
Add execute permissions to the binary (Linux/Mac): chmod u+x terragrunt.
Put the binary somewhere on your PATH: e.g., On Linux and Mac: mv terragrunt /usr/local/bin/terragrunt.

Verifying the checksum

When you download the binary from the releases page, you can also use the checksum file to verify the integrity of the binary. This can be useful for ensuring that you have an intact binary and that it has not been tampered with.

To verify the integrity of the file, do the following:

Have the binary downloaded, and accessible.
Generate the SHA256 checksum of the binary.
Download the SHA256SUMS file from the releases page.
Find the expected checksum for the binary you downloaded.
If the checksums match, the binary is intact and has not been tampered with.
Optionally, verify the GPG signature:

# Import Gruntwork's public key (first time only)
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import

# Verify signature
gpg --verify SHA256SUMS.gpgsig SHA256SUMS

After importing the key, verify its fingerprint matches exactly:

gpg --fingerprint 577774ACA847CC49

Expected output:

pub   ed25519 2026-01-12 [SC]
      68C8 0F86 DF98 E710 C0F2  2E2E 5777 74AC A847 CC49
uid           [ unknown] Gruntwork (Code Signing Key) <security@gruntwork.io>

Alternatively, verify with Cosign:

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.sigstore.json \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "github.com/gruntwork-io/terragrunt"

Convenience Scripts

set -euo pipefail

OS="linux"
ARCH="amd64"
VERSION="v1.0.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

set -euo pipefail

OS="darwin"
ARCH="arm64"
VERSION="v1.0.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

$os = "windows"
$arch = "amd64"
$version = "v1.0.1"
$binaryName = "terragrunt_${os}_${arch}.exe"
try {
    $ProgressPreference = 'SilentlyContinue'
    $baseUrl = "https://github.com/gruntwork-io/terragrunt/releases/download/$version"
    Write-Host "Downloading Terragrunt $version..."
    Invoke-WebRequest -Uri "$baseUrl/$binaryName" -OutFile $binaryName -UseBasicParsing
    Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS" -OutFile "SHA256SUMS" -UseBasicParsing
    Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS.gpgsig" -OutFile "SHA256SUMS.gpgsig" -UseBasicParsing

    # First: Verify GPG signature of checksum file (requires gpg installed)
    Write-Host "Importing Gruntwork signing key..."
    Invoke-WebRequest -Uri "https://gruntwork.io/.well-known/pgp-key.txt" -OutFile "pgp-key.txt" -UseBasicParsing
    gpg --import pgp-key.txt 2>$null
    Write-Host "Verifying GPG signature of SHA256SUMS..."
    gpg --verify SHA256SUMS.gpgsig SHA256SUMS
    if ($LASTEXITCODE -ne 0) {
        Write-Error "GPG signature verification failed"
        exit 1
    }
    Write-Host "GPG signature verified!"

    # Second: Verify checksum of binary against trusted SHA256SUMS
    $actualChecksum = (Get-FileHash -Algorithm SHA256 $binaryName).Hash.ToLower()
    $expectedChecksum = (Get-Content "SHA256SUMS" | ForEach-Object { $parts = $_ -split 's+'; if ($parts[1] -eq $binaryName) { return $parts[0].ToLower() } } | Select-Object -First 1)
    if ($actualChecksum -ne $expectedChecksum) {
        Write-Error "Checksum verification failed"
        exit 1
    }
    Write-Host "Checksum verified!"
    Write-Host "Terragrunt $version downloaded and verified successfully"
}
catch {
    Write-Error "Failed: $_"
    exit 1
}
finally {
    $ProgressPreference = 'Continue'
}

set -euo pipefail

OS="linux"
ARCH="arm64"
VERSION="v1.0.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

set -euo pipefail

OS="darwin"
ARCH="x86"
VERSION="v1.0.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

Install via a package manager

Note that all the different package managers are third party. The third party Terragrunt packages may not be updated with the latest version, but are often close. Please check your version against the latest available on the Releases Page. If you want the latest version, the recommended installation option is to download from the releases page.

Windows: You can install Terragrunt on Windows using Chocolatey
Terminal window
```
choco install terragrunt
```
macOS: You can install Terragrunt on macOS using Homebrew:
Terminal window
```
brew install terragrunt
```
Linux (Homebrew): Most Linux users can use Homebrew:
Terminal window
```
brew install terragrunt
```
Linux (Pacman): Arch Linux users can use pacman:
Terminal window
```
pacman -S terragrunt
```
Linux (Gentoo): Gentoo users can use emerge:
Terminal window
```
emerge -a app-admin/terragrunt-bin
```
FreeBSD: You can install Terragrunt on FreeBSD using Pkg:
Terminal window
```
pkg install terragrunt
```

Install via tool manager

A best practice when using Terragrunt is to pin the version you are using to ensure that you, your colleagues and your CI/CD pipelines are all using the same version. This also allows you to easily upgrade to new versions and rollback to previous versions if needed.

You can use a tool manager to install and manage Terragrunt versions.

mise: You can install Terragrunt using mise
Terminal window
```
mise install terragrunt v1.0.1
```

asdf: You can install Terragrunt using asdf

asdf plugin add terragrunt
asdf install terragrunt v1.0.1

Both of these tools allow you to pin the version of Terragrunt you are using in a .tool-versions (and .mise.toml for mise) file in your project directory.

Colleagues and CI/CD pipelines can then install the associated tool manager, and run using the pinned version.

Note that the tools Terragrunt integrates with, such as OpenTofu and Terraform, can also be managed by these tool managers, so you can also pin the versions of those tools in the same file.

Backend details:

mise uses aqua as its default backend to install Terragrunt.
asdf uses the asdf-terragrunt plugin, which is maintained by Gruntwork: https://github.com/gruntwork-io/asdf-terragrunt

Building from source

If you’d like to build from source, you can use go to build Terragrunt yourself, and install it:

git clone https://github.com/gruntwork-io/terragrunt.git
cd terragrunt
# Feel free to checkout a particular tag, etc if you want here.
go install

Install tip or test builds

Every successful CI run on the main branch produces a tip build of Terragrunt. Maintainers can also trigger test builds from any branch. Both are useful for testing unreleased changes or reproducing issues against the most recent code.

Tip builds are served via the builds API at https://builds.terragrunt.com and are available for all platforms supported in official releases. While tip builds are always built on every push to main, test builds are only built when maintainers explicitly want to distribute a test build of Terragrunt from a branch other than main to get stakeholder feedback. Maintainers may ask that you try out a test build to see if a WIP solution solves an issue you are facing, and you are free to request a test build if you want to try the latest in some in-progress work.

set -euo pipefail

# Set your platform (linux, darwin, windows) and architecture (amd64, arm64, 386)
OS="linux"
ARCH="amd64"

ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz"

# Download the archive and checksums
curl -sL -o "$ARCHIVE" \
  "https://builds.terragrunt.com/api/v1/tip/latest/download?os=${OS}&arch=${ARCH}"
curl -sL -o SHA256SUMS \
  "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS"

# Verify checksum
EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS)
ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}')  # macOS: use "shasum -a 256"
if [ "$EXPECTED" != "$ACTUAL" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

# Extract and install
tar -xzf "$ARCHIVE"
chmod +x "terragrunt_${OS}_${ARCH}"
sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt

set -euo pipefail

# Set the commit SHA, platform, and architecture
COMMIT="abc123def456"
OS="linux"
ARCH="amd64"

ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz"

# Download the archive and checksums
curl -sL -o "$ARCHIVE" \
  "https://builds.terragrunt.com/api/v1/tip/${COMMIT}/download?os=${OS}&arch=${ARCH}"
curl -sL -o SHA256SUMS \
  "https://builds.terragrunt.com/api/v1/tip/${COMMIT}/download?filename=SHA256SUMS"

# Verify checksum
EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS)
ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}')  # macOS: use "shasum -a 256"
if [ "$EXPECTED" != "$ACTUAL" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

# Extract and install
tar -xzf "$ARCHIVE"
chmod +x "terragrunt_${OS}_${ARCH}"
sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt

set -euo pipefail

# Set the commit SHA, platform, and architecture
COMMIT="abc123def456"
OS="linux"
ARCH="amd64"

ARCHIVE="terragrunt_${OS}_${ARCH}.tar.gz"
BASE_URL="https://builds.terragrunt.com/test/${COMMIT}"

# Download the archive and checksums
curl -sL -o "$ARCHIVE" "${BASE_URL}/${ARCHIVE}"
curl -sL -o SHA256SUMS "${BASE_URL}/SHA256SUMS"

# Verify checksum
EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1; exit}' SHA256SUMS)
ACTUAL=$(sha256sum "$ARCHIVE" | awk '{print $1}')  # macOS: use "shasum -a 256"
if [ "$EXPECTED" != "$ACTUAL" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

# Extract and install
tar -xzf "$ARCHIVE"
chmod +x "terragrunt_${OS}_${ARCH}"
sudo mv "terragrunt_${OS}_${ARCH}" /usr/local/bin/terragrunt

Verifying signatures

Tip and test builds are signed using the same process as official releases. You can optionally verify the GPG or Cosign signature after downloading:

# Download signature files (replace "latest" with a commit SHA if needed)
curl -sL -o SHA256SUMS.gpgsig \
  "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS.gpgsig"

# GPG verification
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import
gpg --verify SHA256SUMS.gpgsig SHA256SUMS

Alternatively, verify with Cosign:

curl -sL -o SHA256SUMS.sigstore.json \
  "https://builds.terragrunt.com/api/v1/tip/latest/download?filename=SHA256SUMS.sigstore.json"

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.sigstore.json \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "github.com/gruntwork-io/terragrunt"

Enable tab completion

If you use either Bash or Zsh, you can enable tab completion for Terragrunt commands. To enable autocomplete, first ensure that a config file exists for your chosen shell.

For Bash shell.

touch ~/.bashrc

For Zsh shell.

touch ~/.zshrc

Then install the autocomplete package.

terragrunt --install-autocomplete

Once the autocomplete support is installed, you will need to restart your shell.

Gruntwork Pipelines

Gruntwork offers a commercial CI/CD solution for Terragrunt called Pipelines. Pipelines is a fully managed CI/CD service that is designed to work seamlessly with Terragrunt. It provides an out of the box solution for running Terragrunt in CI/CD without the need to setup and maintain your own CI/CD infrastructure.

Terragrunt GitHub Action

Terragrunt is also available as a GitHub Action.

Instructions on how to use it can be found at https://github.com/gruntwork-io/terragrunt-action.