Install

Quick Install

The quickest way to install Terragrunt on Linux or macOS:

curl -sL https://terragrunt.gruntwork.io/install | bash

Script Options

Run curl -sL https://terragrunt.gruntwork.io/install | bash -s -- --help to see all options, or view the script on GitHub.

Download from releases page

1. Go to the Releases Page.
2. Download the archive for your operating system: e.g., if you’re on a Mac, download terragrunt_darwin_amd64.tar.gz; if you’re on Windows, download terragrunt_windows_amd64.exe.zip, etc.
3. Download SHA256SUMS and optionally SHA256SUMS.gpgsig for signature verification.
4. Verify the checksum and optionally the signature (see Verifying the checksum below).
5. Extract the archive: e.g., tar -xzf terragrunt_darwin_amd64.tar.gz or unzip on Windows.
6. Add execute permissions to the binary (Linux/Mac): chmod u+x terragrunt.
7. Put the binary somewhere on your PATH: e.g., On Linux and Mac: mv terragrunt /usr/local/bin/terragrunt.

Verifying the checksum

When you download the binary from the releases page, you can also use the checksum file to verify the integrity of the binary. This can be useful for ensuring that you have an intact binary and that it has not been tampered with.

To verify the integrity of the file, do the following:

1. Have the binary downloaded, and accessible.
2. Generate the SHA256 checksum of the binary.
3. Download the SHA256SUMS file from the releases page.
4. Find the expected checksum for the binary you downloaded.
5. If the checksums match, the binary is intact and has not been tampered with.
6. Optionally, verify the GPG signature:

# Import Gruntwork's public key (first time only)
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import

# Verify signature
gpg --verify SHA256SUMS.gpgsig SHA256SUMS

Verify Key Fingerprint

After importing the key, verify its fingerprint matches exactly:

gpg --fingerprint 577774ACA847CC49

Expected output:

pub   ed25519 2026-01-12 [SC]
      68C8 0F86 DF98 E710 C0F2  2E2E 5777 74AC A847 CC49
uid           [ unknown] Gruntwork (Code Signing Key) <security@gruntwork.io>

7. Alternatively, verify with Cosign:

cosign verify-blob SHA256SUMS \
  --signature SHA256SUMS.sig \
  --certificate SHA256SUMS.pem \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "github.com/gruntwork-io/terragrunt"

Convenience Scripts

Linux (x86)

set -euo pipefail

OS="linux"
ARCH="amd64"
VERSION="v0.99.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

macOS (ARM)

set -euo pipefail

OS="darwin"
ARCH="arm64"
VERSION="v0.99.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

Windows

$os = "windows"
$arch = "amd64"
$version = "v0.99.1"
$binaryName = "terragrunt_${os}_${arch}.exe"
try {
    $ProgressPreference = 'SilentlyContinue'
    $baseUrl = "https://github.com/gruntwork-io/terragrunt/releases/download/$version"
    Write-Host "Downloading Terragrunt $version..."
    Invoke-WebRequest -Uri "$baseUrl/$binaryName" -OutFile $binaryName -UseBasicParsing
    Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS" -OutFile "SHA256SUMS" -UseBasicParsing
    Invoke-WebRequest -Uri "$baseUrl/SHA256SUMS.gpgsig" -OutFile "SHA256SUMS.gpgsig" -UseBasicParsing

    # First: Verify GPG signature of checksum file (requires gpg installed)
    Write-Host "Importing Gruntwork signing key..."
    Invoke-WebRequest -Uri "https://gruntwork.io/.well-known/pgp-key.txt" -OutFile "pgp-key.txt" -UseBasicParsing
    gpg --import pgp-key.txt 2>$null
    Write-Host "Verifying GPG signature of SHA256SUMS..."
    gpg --verify SHA256SUMS.gpgsig SHA256SUMS
    if ($LASTEXITCODE -ne 0) {
        Write-Error "GPG signature verification failed"
        exit 1
    }
    Write-Host "GPG signature verified!"

    # Second: Verify checksum of binary against trusted SHA256SUMS
    $actualChecksum = (Get-FileHash -Algorithm SHA256 $binaryName).Hash.ToLower()
    $expectedChecksum = (Get-Content "SHA256SUMS" | ForEach-Object { $parts = $_ -split 's+'; if ($parts[1] -eq $binaryName) { return $parts[0].ToLower() } } | Select-Object -First 1)
    if ($actualChecksum -ne $expectedChecksum) {
        Write-Error "Checksum verification failed"
        exit 1
    }
    Write-Host "Checksum verified!"
    Write-Host "Terragrunt $version downloaded and verified successfully"
}
catch {
    Write-Error "Failed: $_"
    exit 1
}
finally {
    $ProgressPreference = 'Continue'
}

Linux (ARM)

set -euo pipefail

OS="linux"
ARCH="arm64"
VERSION="v0.99.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(sha256sum "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

macOS (x86)

set -euo pipefail

OS="darwin"
ARCH="x86"
VERSION="v0.99.1"
BINARY_NAME="terragrunt_${OS}_${ARCH}"
BASE_URL="https://github.com/gruntwork-io/terragrunt/releases/download/$VERSION"

# Download binary and verification files
curl -sL "$BASE_URL/$BINARY_NAME" -o "$BINARY_NAME"
curl -sL "$BASE_URL/SHA256SUMS" -o SHA256SUMS
curl -sL "$BASE_URL/SHA256SUMS.gpgsig" -o SHA256SUMS.gpgsig

# First: Import Gruntwork signing key and verify GPG signature of checksum file
curl -s https://gruntwork.io/.well-known/pgp-key.txt | gpg --import 2>/dev/null
if gpg --verify SHA256SUMS.gpgsig SHA256SUMS 2>/dev/null; then
  echo "GPG signature verified!"
else
  echo "GPG signature verification failed!"
  exit 1
fi

# Second: Verify checksum of binary against trusted SHA256SUMS
CHECKSUM="$(shasum -a 256 "$BINARY_NAME" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(awk -v binary="$BINARY_NAME" '$2 == binary {print $1; exit}' SHA256SUMS)"

if [ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
  echo "Checksum verification failed!"
  exit 1
fi
echo "Checksum verified!"

echo "Terragrunt $VERSION downloaded and verified successfully"

Note

These scripts automatically verify the SHA256 checksum and GPG signature before completing.

Install via a package manager

Note that all the different package managers are third party. The third party Terragrunt packages may not be updated with the latest version, but are often close. Please check your version against the latest available on the Releases Page. If you want the latest version, the recommended installation option is to download from the releases page.

• Windows: You can install Terragrunt on Windows using Chocolatey

  choco install terragrunt

• macOS: You can install Terragrunt on macOS using Homebrew:

  brew install terragrunt

• Linux (Homebrew): Most Linux users can use Homebrew:

  brew install terragrunt

• Linux (Pacman): Arch Linux users can use pacman:

  pacman -S terragrunt

• Linux (Gentoo): Gentoo users can use emerge:

  emerge -a app-admin/terragrunt-bin

• FreeBSD: You can install Terragrunt on FreeBSD using Pkg:

  pkg install terragrunt

Install via tool manager

A best practice when using Terragrunt is to pin the version you are using to ensure that you, your colleagues and your CI/CD pipelines are all using the same version. This also allows you to easily upgrade to new versions and rollback to previous versions if needed.

You can use a tool manager to install and manage Terragrunt versions.

• mise: You can install Terragrunt using mise

  mise install terragrunt v0.99.1

• asdf: You can install Terragrunt using asdf

  asdf plugin add terragrunt
  asdf install terragrunt v0.99.1

Both of these tools allow you to pin the version of Terragrunt you are using in a .tool-versions (and .mise.toml for mise) file in your project directory.

Colleagues and CI/CD pipelines can then install the associated tool manager, and run using the pinned version.

Note that the tools Terragrunt integrates with, such as OpenTofu and Terraform, can also be managed by these tool managers, so you can also pin the versions of those tools in the same file.

Backend details:

• mise uses aqua as its default backend to install Terragrunt.
• asdf uses the asdf-terragrunt plugin, which is maintained by Gruntwork: https://github.com/gruntwork-io/asdf-terragrunt

Building from source

If you’d like to build from source, you can use go to build Terragrunt yourself, and install it:

git clone https://github.com/gruntwork-io/terragrunt.git
cd terragrunt
# Feel free to checkout a particular tag, etc if you want here.
go install

Enable tab completion

If you use either Bash or Zsh, you can enable tab completion for Terragrunt commands. To enable autocomplete, first ensure that a config file exists for your chosen shell.

For Bash shell.

touch ~/.bashrc

For Zsh shell.

touch ~/.zshrc

Then install the autocomplete package.

terragrunt --install-autocomplete

Once the autocomplete support is installed, you will need to restart your shell.

Gruntwork Pipelines

Gruntwork offers a commercial CI/CD solution for Terragrunt called Pipelines. Pipelines is a fully managed CI/CD service that is designed to work seamlessly with Terragrunt. It provides an out of the box solution for running Terragrunt in CI/CD without the need to setup and maintain your own CI/CD infrastructure.

Terragrunt GitHub Action

Terragrunt is also available as a GitHub Action.

Instructions on how to use it can be found at https://github.com/gruntwork-io/terragrunt-action.