Pipelines
Pipelines is the CI/CD component of Terragrunt Scale. It automates terragrunt plan and terragrunt apply in your pull request workflow, with features designed to leverage Terragrunt’s dependency graph.
How It Works
When you open a pull request with infrastructure changes:
- Pipelines detects which Terragrunt units were modified (or potentially impacted by other changes in your repository).
- It runs terragrunt plan for only the affected units, minimizing blast radius.
- Plan results are posted as PR comments for review.
- On merge, terragrunt apply runs in dependency order, respecting your DAG.
All execution happens in your own CI/CD runners (GitHub Actions or GitLab CI). Pipelines never has direct access to your cloud accounts.
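The selection and ordering steps above, sketched as an added example (not Pipelines' own code). It assumes "potentially impacted" means units that depend, directly or transitively, on a changed unit; the unit names and the graph are constructed.

```python
# Added illustration, not Pipelines' implementation. Unit names are constructed.
from collections import deque

# unit -> units it depends on (what Terragrunt dependency blocks would express)
DEPS = {"vpc": [], "kms": [], "dns": [],
        "rds": ["vpc", "kms"], "eks": ["vpc"], "app": ["eks", "rds"]}

def affected_units(deps, changed):
    """Changed units plus every unit that transitively depends on them."""
    unknown = set(changed) - set(deps)
    if unknown:
        raise ValueError(f"changed units not in graph: {sorted(unknown)}")
    dependents = {u: set() for u in deps}          # invert the edges
    for unit, parents in deps.items():
        for p in parents:
            dependents[p].add(unit)
    seen, queue = set(changed), deque(changed)
    while queue:                                   # breadth-first walk downstream
        for child in dependents[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def run_order(deps, selected, destroy=False):
    """Kahn's algorithm over `selected` only: dependencies first, reversed for destroys."""
    # Edges to units outside the selection are ignored: those units are not re-run.
    indeg = {u: sum(1 for p in deps[u] if p in selected) for u in selected}
    ready = sorted(u for u, d in indeg.items() if d == 0)
    order = []
    while ready:
        u = ready.pop(0)
        order.append(u)
        for v in sorted(selected):
            if u in deps[v]:
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
        ready.sort()                               # deterministic output for review
    if len(order) != len(selected):
        raise ValueError("dependency cycle among selected units")
    return order[::-1] if destroy else order

if __name__ == "__main__":
    units = affected_units(DEPS, {"vpc"})
    print("plan/apply:", run_order(DEPS, units))
    print("destroy:   ", run_order(DEPS, units, destroy=True))
```

Units outside the affected set (here `dns` and `kms` for a change to `vpc`) are never touched, which is what keeps the blast radius of a pull request bounded.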
Key Capabilities
- DAG-aware execution — Respects Terragrunt’s dependency graph for creates, updates, and destroys. Units are always run in the correct order.
- Blast radius minimization — Only plans and applies units that were actually changed, rather than running against your entire stack.
- Least-privilege OIDC authentication — Acquires temporary credentials via OIDC for each environment, scoped by read/write and segmented per environment. No long-lived secrets stored in CI.
- Concurrent runs with unified output — Runs multiple independent units in parallel and aggregates all results into a single, well-structured PR comment, giving reviewers a complete picture of every change in one place.
- Multi-environment support — Deploy changes across multiple environments in a single PR, with per-environment authentication and cross-environment dependencies supported.
- Configuration-as-code — Pipeline behavior is defined in HCL and can be customized at the repository, environment, or individual unit level. See the configuration reference for details.
Terragrunt Integration
Pipelines has native support for the complete Terragrunt lifecycle: