Terragrunt Guides: Continuous Integration with Terragrunt Guide

Yousif Akbar, Principal Software Engineer
June 3, 2026

Continuous Integration is the practice of merging code changes frequently and running checks against the integrated result. The same practice applies whether you're working with application code or infrastructure code, but the complexities of CI are amplified once Infrastructure as Code (IaC) is in the loop. A bad app deploy can be rolled back. A bad apply can delete a database, tear down a network, or take down production, and rolling back isn't always straightforward when resources are stateful.

Plans have to be reviewed before they run, and the dependency graph between units has to be respected during apply. The credentials used to run IaC CI are typically far more powerful than the ones used for application CI, so they should be short-lived and tightly scoped.

Most teams that try to wire all of this up from scratch end up with a fragile collection of scripts and tribal knowledge on how their bespoke, internally-developed system works.

The Continuous Integration with Terragrunt guide shows you how to skip all that. You'll sign up for Terragrunt Scale Free Tier, walk through on-boarding, and finish with a working GitHub Actions pipeline deploying real AWS infrastructure in minutes: plan on every pull request, apply on every merge to main.

What makes IaC CI different

A good IaC pipeline has four properties:

  • Plan on every pull request, so reviewers can see the computed diff alongside the code change before merging.
  • Apply on merge to main, so the deploy branch is always the source of truth for what's running.
  • DAG-aware orchestration, so unit B never gets applied before unit A when B depends on A's outputs (and vice versa for destroys).
  • OIDC-based authentication, so CI jobs assume short-lived IAM roles instead of carrying long-lived AWS access keys in repository secrets.
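To make the last property concrete, here is an added example (not code from the guide or from Terragrunt Scale) that audits the trust policies of plan and apply roles for GitHub Actions OIDC scoping. It assumes a hypothetical repository `acme/infra`, a placeholder account ID, and a convention where the plan role may be assumed from any ref of that repository while the apply role is limited to `main`.

```python
GH = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def cond_values(stmt, key):
    """Return every value set for condition `key` under StringEquals/StringLike."""
    found = []
    for op in ("StringEquals", "StringLike"):
        val = stmt.get("Condition", {}).get(op, {}).get(key, [])
        found += [val] if isinstance(val, str) else list(val)
    return found

def audit_trust(policy, repo, kind):
    """Findings for one role's trust policy; kind is "plan" or "apply"."""
    findings = []
    for stmt in policy["Statement"]:
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or not federated.endswith("oidc-provider/" + GH):
            continue  # not a GitHub OIDC trust statement
        if cond_values(stmt, GH + ":aud") != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = cond_values(stmt, GH + ":sub")
        if not subs:
            findings.append("no sub condition: any repository on GitHub can assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{repo}:"):
                findings.append(f"sub reaches beyond {repo}: {sub}")
            elif kind == "apply" and sub != f"repo:{repo}:ref:refs/heads/main":
                findings.append(f"apply role usable outside main: {sub}")
    return findings

def trust(sub_op, sub, aud="sts.amazonaws.com"):
    """Build a constructed sample trust policy (account ID is a placeholder)."""
    cond = {"StringEquals": {GH + ":aud": aud}}
    if sub is not None:
        cond.setdefault(sub_op, {})[GH + ":sub"] = sub
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GH}"},
        "Condition": cond}]}

# Constructed samples; the repository "acme/infra" is hypothetical.
SAMPLES = {
    "apply-ok": ("apply", trust("StringEquals", "repo:acme/infra:ref:refs/heads/main")),
    "plan-ok": ("plan", trust("StringLike", "repo:acme/infra:*")),
    "apply-wide": ("apply", trust("StringLike", "repo:acme/infra:*")),
    "plan-org-wide": ("plan", trust("StringLike", "repo:acme/*")),
    "apply-no-sub": ("apply", trust("StringEquals", None)),
}

if __name__ == "__main__":
    for name, (kind, policy) in SAMPLES.items():
        print(name, audit_trust(policy, "acme/infra", kind) or "ok")
```

Feed it the `AssumeRolePolicyDocument` of each CI role; an empty list means the role is bound to the expected repository and, for apply, to the deploy branch.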

Building all this from scratch is tedious work and results in a system you'll have to babysit to keep working. Our guide shows you how to achieve the same result with Terragrunt Scale's Free Tier in minutes.

What you'll actually do

After onboarding, you'll have a repository with GitHub Actions workflows, an OIDC provider, plan and apply IAM roles, and a sample Terragrunt setup ready to deploy. Deploy up to 25 units completely free. No credit card required.

Then you open a pull request to provision real AWS resources that you can interact with over the internet. Pipelines plans them in dependency order and posts the plan as a comment on the PR.

[Figure: Sample plan comment]

Merge the PR and the same DAG drives the applies. You can interact with the live infrastructure you just deployed, within minutes of getting started.

[Figure: Sample apply comment]

When you're done, revert the PR. Pipelines reads the revert as a destroy and plans it in reverse dependency order. On merge, the stack comes back down, and you’re fully cleaned up.

Next steps

Try out the guide yourself. If you’d prefer to jump right in without a guide, you can sign up here. For Drift Detection, Patcher, and other features beyond the Free Tier, see the full Terragrunt Scale offering.

It won’t take you more than an hour, and you don’t need to use a credit card or anything. All your infrastructure state is stored in your AWS account, and you’ll walk away from the guide with convenient, flexible, reliable and free CI/CD for IaC.

If you get stuck, the Terragrunt Discord is active and happy to help.