Architecting Automated Infrastructure Pipelines with Terragrunt and GitLab CI

Published by TechMarmot Editorail Staff on | Category GitLab CI

The convergence of Infrastructure as Code (IaC) and continuous integration/continuous deployment (CI/CD) represents the pinnacle of modern DevOps engineering. When managing complex, multi-account, or multi-region cloud environments, standard Terraform workflows often encounter the "DRY" (Don't Repeat Yourself) problem, leading to bloated configurations and fragmented state management. Terragrunt emerges as the critical orchestration layer that addresses these deficiencies by providing a thin wrapper around Terraform, enabling sophisticated dependency management and hierarchical configuration. However, the true power of Terragrunt is only unlocked when it is seamlessly integrated into a robust CI/CD ecosystem. GitLab CI provides a natural and highly compatible environment for these Terragrunt workflows, offering a sophisticated suite of features—including built-in environments, manual approval gates, and an advanced artifact system—that map directly to the requirements of scalable infrastructure deployment pipelines.

Orchestrating Terragrunt within the GitLab Ecosystem

Integrating Terragrunt into GitLab CI requires more than a simple script execution; it demands a holistic approach to environment isolation, security, and efficiency. GitLab CI is an ideal candidate for this integration because its architecture allows for granular control over the execution lifecycle of infrastructure changes. By utilizing GitLab's native capabilities, engineers can transform raw Terraform modules into highly regulated, automated, and repeatable deployment processes.

The integration provides several key advantages:
- Built-in environment support allows for clear separation between development, staging, and production deployments.
- Manual approval gates ensure that high-impact changes, such as production applies, require human intervention, mitigating the risk of catastrophic misconfiguration.
- The artifact system enables the preservation of execution outputs, such as plan files, which are essential for auditing and reviewing proposed changes before they are applied.
- GitLab's runner architecture can be scaled to handle the intensive computational requirements of large-scale infrastructure plans.

Structural Requirements for Terragrunt Repositories

A successful Terragrunt implementation begins with a disciplined directory structure. The hierarchy of the repository dictates how Terragrunt parses configurations and applies variables across different environments. A well-organized repository allows for the centralized management of provider versions, backend configurations, and remote state, while still permitting environment-specific overrides.

A standard, enterprise-ready repository structure should follow a pattern similar to the one outlined below:

Directory/File Purpose
infrastructure/ The root directory containing all IaC components.
infrastructure/terragrunt.hcl The root configuration file for defining global settings and remote state.
infrastructure/dev/ The development environment directory.
infrastructure/staging/ The staging/pre-production environment directory.
infrastructure/prod/ The production environment directory.
infrastructure/[env]/env.hcl Environment-specific variables.
infrastructure/[env]/us-east-1/ Regional specific configurations.
infrastructure/[env]/us-east-1/region.hcl Regional variable definitions.
infrastructure/[env]/us-east-1/vpc/ Specific component modules (e.g., VPC).
infrastructure/[env]/us-east-1/vpc/terragrunt.hcl The module-specific Terragrunt configuration.
.gitlab-ci.yml The GitLab CI pipeline definition file.

In this hierarchy, the terragrunt.hcl located in the root of the infrastructure/ directory acts as the source of truth for common configurations, such as the S3 backend for state storage or provider versions. Subdirectories like dev/, staging/, and prod/ then inherit these settings while injecting their own unique parameters via env.hcl and regional files.

Customizing the Execution Environment via Docker

Because Terragrunt is a wrapper that executes Terraform commands, the CI/CD runner must possess both binaries installed and correctly configured. Relying on community images is an option, but for maximum security and consistency, creating a custom Docker image is the professional standard. This image ensures that every pipeline run occurs in an identical environment, eliminating the "it works on my machine" phenomenon.

The following Dockerfile.ci provides a blueprint for building a specialized infrastructure tool image. This image starts with a stable Terraform base and layers the Terragrunt binary and essential CLI utilities.

```dockerfile
FROM hashicorp/terraform:1.15.4

Install Terragrunt

ARG TERRAGRUNTVERSION=1.0.4
RUN wget -q "https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNTVERSION}/terragruntlinuxamd64" \
-O /usr/local/bin/terragrunt && \
chmod +x /usr/local/bin/terragrunt

Install additional tools for orchestration and scripting

RUN apk add --no-cache bash curl jq git aws-cli

ENTRYPOINT ["/bin/bash"]
```

After crafting the Dockerfile, the image must be built and pushed to the GitLab Container Registry to be accessible by the CI runners:

bash docker build -f Dockerfile.ci -t registry.gitlab.com/your-group/infra-tools:latest . docker push registry.gitlab.com/your-group/infra-tools:latest

This custom image contains bash for complex scripting, jq for parsing JSON (crucial for interacting with the GitLab API), git for version control operations, and aws-cli for interacting with cloud providers. By centralizing these tools in a single image, the .gitlab-ci.yml remains clean and focused on logic rather than environment setup.

Advanced GitLab CI Pipeline Configuration

A production-grade Terragrunt pipeline must be divided into logical stages: validate, plan, and apply. Each stage serves a specific purpose in the lifecycle of an infrastructure change, moving from syntax verification to impact assessment and finally to execution.

Core Pipeline Variables and Caching Strategies

To ensure the pipeline is efficient and non-interactive, specific environment variables must be defined. Furthermore, caching the Terragrunt provider cache is critical to reducing pipeline duration by avoiding the repetitive download of massive provider binaries (like the AWS provider) during every single job.

The following configuration snippet demonstrates the foundational setup for a Terragrunt GitLab CI pipeline:

```yaml
image: registry.gitlab.com/your-group/infra-tools:latest

Cache Terragrunt's provider cache across pipeline runs

cache:
key: terragrunt-provider-cache
paths:
- .terragrunt-provider-cache/

variables:
TFINAUTOMATION: "true"
TFINPUT: "false"
TGNONINTERACTIVE: "true"
TGPROVIDERCACHE: "true"
TGPROVIDERCACHEDIR: "$CIPROJECTDIR/.terragrunt-provider-cache"

stages:
- validate
- plan
- apply

beforescript:
- mkdir -p "$TGPROVIDERCACHEDIR"
- terraform --version
- terragrunt --version
```

The cache configuration uses a specific key to identify the provider cache. While some might be tempted to cache the entire .terragrunt-cache directory, this is a dangerous practice as it can grow uncontrollably, leading to massive runner storage consumption and slow cache uploads/downloads. A safer, more surgical approach is to cache the TG_PROVIDER_CACHE_DIR, which specifically targets the provider plugins.

The Validation Stage

The validate stage is the first line of defense. It should run on every merge request to ensure that the proposed changes do not violate any structural or syntactic rules. This stage is optimized to run only when changes are detected in the infrastructure/ directory, preventing unnecessary execution when documentation or other files are updated.

yaml validate: stage: validate rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' changes: - infrastructure/**/* script: - cd infrastructure - terragrunt run --all -- validate

The Plan Stage and Automated Merge Request Feedback

The plan stage is where the actual impact of the infrastructure changes is calculated. For a professional workflow, the output of this plan should not just be buried in the runner logs; it should be posted directly as a comment on the Merge Request (MR). This allows reviewers to see exactly what resources will be created, modified, or destroyed without leaving the GitLab interface.

The following implementation for the dev environment demonstrates how to capture the plan output, store it as an artifact, and use a curl command with jq to post it to the GitLab API.

yaml plan:dev: stage: plan rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' changes: - infrastructure/**/* script: - cd infrastructure/dev - terragrunt run --all -- plan -no-color 2>&1 | tee plan-output.txt artifacts: paths: - infrastructure/dev/plan-output.txt expire_in: 7 days after_script: - | PLAN=$(cat infrastructure/dev/plan-output.txt | head -c 60000) BODY=$(cat <<HEREDOC ## Dev Environment Plan
$PLAN
HEREDOC ) curl --request POST \ --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" \ --header "Content-Type: application/json" \ --data "$(jq -n --arg body "$BODY" '{body: $body}')" \ "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes"

This workflow utilizes tee to simultaneously display the plan in the logs and write it to a file. The after_script uses a heredoc to construct a Markdown-formatted body for the GitLab note, ensuring the plan is readable. The use of head -c 60000 is a necessary safeguard to prevent exceeding GitLab's API character limits for comments.

The Apply and Destroy Stages

The apply stage is the most sensitive part of the pipeline. It should only trigger when changes are merged into the main branch. For environments like dev, this can be fully automated. For prod, it is common practice to keep the apply step manual or highly controlled.

```yaml
apply:dev:
stage: apply
rules:
- if: '$CICOMMITBRANCH == "main"'
changes:
- infrastructure/*/
environment:
name: dev
script:
- cd infrastructure/dev
- terragrunt run --all -- apply

destroy:dev:
stage: apply
rules:
- if: '$CICOMMITBRANCH == "main"'
when: manual
environment:
name: dev
action: stop
script:
- cd infrastructure/dev
- terragrunt run --all -- destroy
allow_failure: true
```

The destroy:dev job is configured with when: manual, providing a "kill switch" for the environment. Setting action: stop within the environment block allows GitLab to track the lifecycle of the environment, properly marking it as "stopped" when the destroy job is executed.

Optimized Pipeline Generation via Scripting

In massive monorepos, defining a separate job for every single Terragrunt module in .gitlab-ci.yml is unmaintainable. A sophisticated approach involves using a helper script (often written in Python) to scan the directory structure and dynamically generate the GitLab CI YAML.

The logic for such a generator involves:
1. Identifying all directories containing a terragrunt.hcl file.
2. Mapping these directories to GitLab CI jobs.
3. Sanitizing the directory names to create valid YAML keys.

The following Python snippet illustrates the core logic of such a dynamic generator:

```python
import os
import yaml

Find affected Terragrunt modules

modules = set()
for f in changed_files:
d = os.path.dirname(f)
while d:
if os.path.exists(os.path.join(d, "terragrunt.hcl")):
modules.add(d)
break
d = os.path.dirname(d)

Generate pipeline YAML

pipeline = {"stages": ["plan"], "image": "registry.gitlab.com/your-group/infra-tools:latest"}
for mod in modules:
safename = mod.replace("/", "-")
pipeline[f"plan-{safename}"] = {
"stage": "plan",
"script": [f"cd {mod}", "terragrunt plan"],
}

print(yaml.dump(pipeline, defaultflowstyle=False))
```

This programmatic approach ensures that as the infrastructure grows, the pipeline evolves automatically without manual intervention in the CI configuration.

Strategic Analysis of Implementation

Implementing Terragrunt within GitLab CI is a transition from "running scripts" to "managing a platform." The complexity of the setup is directly proportional to the reliability and safety of the resulting infrastructure. A successful implementation relies on three pillars:

The first pillar is isolation. By utilizing custom Docker images and strict directory hierarchies, an organization ensures that the execution environment is deterministic and that environmental variables do not leak across stages.

The second pillar is visibility. The ability to post plan outputs directly to Merge Requests transforms the CI/CD pipeline from a black box into a transparent collaborative tool. This allows for rigorous peer review of infrastructure changes, which is the most effective way to prevent configuration drift and accidental resource deletion.

The third pillar is optimization. The heavy use of caching—specifically targeting the provider cache rather than the entire working directory—is the difference between a pipeline that takes 5 minutes and one that takes 20 minutes. As infrastructure scale increases, these optimizations become the deciding factor in developer productivity.

In conclusion, the synergy between Terragrunt's modularity and GitLab CI's orchestration capabilities provides a foundation for scalable, secure, and highly automated cloud infrastructure. While the initial setup requires significant investment in Docker customization and pipeline logic, the long-term dividends in terms of deployment velocity and operational stability are immense.

Sources

  1. OneUptime - Terragrunt with GitLab CI
  2. GitLab Forum - Initial configuration of the requested backend

Related Posts