Skip to main content
Welcome to Lab 4. In this lesson, you’ll configure Terragrunt to deploy and manage an AWS VPC module. You have access to an AWS account—follow the steps below to set up credentials, initialize modules, enforce safeguards, and customize Terragrunt settings for a robust infrastructure workflow.
Keep your AWS credentials secure. You can retrieve them with:
show creds
Or log in via the provided link using your username and password. Consider opening a second terminal tab to streamline copy-and-paste.

1. Configure the VPC Module

In Terraform stack/VPC/terragrunt.hcl, reference the remote AWS VPC module (v5.8.1) from the Terraform Registry: 
terraform {
  source  = "registry.terraform.io/terraform-aws-modules/vpc/aws"
  version = "5.8.1"
}

inputs = {
  name = "KodeKloud VPC"
  cidr = "10.64.0.0/16"
}
Initialize and review the plan: 
cd "Terraform stack/VPC"
terragrunt init
terragrunt plan
You should see 4 to add. If everything checks out, continue to the next section.

2. Configure a Custom Terragrunt Cache

Terragrunt can cache downloaded modules locally to speed up repeated runs. Add a top-level download_dir in your root terragrunt.hcl: 
download_dir = "/full/path/to/Terraform stack/.terragrunt_config"

terraform {
  source  = "registry.terraform.io/terraform-aws-modules/vpc/aws"
  version = "5.8.1"
}

remote_state {
  backend = "local"
  config  = {}
}

inputs = {
  name = "KodeKloud VPC"
  cidr = "10.64.0.0/16"
}
Re-initialize and verify the cache directory: 
terragrunt init
ls "Terraform stack/.terragrunt_config"
Then plan and apply: 
terragrunt plan
terragrunt apply
After confirming the apply, check the AWS Console under VPC to see your new VPC.

3. Prevent Accidental Destruction

Protect critical resources by adding a prevent_destroy lifecycle rule: 
lifecycle {
  prevent_destroy = true
}
Re‐apply and test destruction: 
terragrunt apply
terragrunt destroy
Terragrunt will refuse to destroy due to the prevent_destroy setting.
If you need to remove the resource later, you must first remove or comment out the prevent_destroy block.

4. Use a Specific IAM Role

All Terragrunt operations should assume the KodeKloudTerragruntRole role. Retrieve your AWS account ID: 
aws sts get-caller-identity --output text --query Account
Then add the role ARN to terragrunt.hcl: 
iam_role = "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/KodeKloudTerragruntRole"
Verify the role is in use: 
terragrunt plan

5. Specify a Custom Terraform Binary & Version

Use the Terraform 1.82 binary packaged in this stack: 
terraform_binary             = "/full/path/to/Terraform stack/terraform_1.82/terraform"
terraform_version_constraint = "1.82"
Re‐run: 
terragrunt init
terragrunt plan

6. Enforce a Terragrunt Version Constraint

Require Terragrunt in the >= 0.34.0, < 0.40.0 range: 
terragrunt_version_constraint = ">= 0.34.0, < 0.40.0"
If you encounter a compatibility error (e.g., on version 0.58.8), update to include your version: 
terragrunt_version_constraint = ">= 0.34.0, <= 0.59"
Then re‐plan: 
terragrunt plan

7. Configure Retryable Errors

Handle transient network or locking issues by specifying retry patterns: 
retryable_errors = [
  "Error locking state:.*",
  "no such host",
  "request timed out"
]
Run: 
terragrunt plan
terragrunt apply
Terragrunt will retry on matching errors automatically.

Terragrunt Settings at a Glance

SettingPurposeExample
terraform.sourceModule source"registry.terraform.io/.../vpc/aws"
download_dirCache directory for modules"/path/to/.terragrunt_config"
lifecycle.prevent_destroyPrevent critical-resource deletionprevent_destroy = true
iam_roleSpecifies assumed IAM role"arn:aws:iam::123456789012:role/...TerragruntRole"
terraform_binaryCustom Terraform CLI path"/path/to/terraform_1.82/terraform"
terraform_version_constraintLock Terraform to a specific version"1.82"
terragrunt_version_constraintLock Terragrunt to a version range">= 0.34.0, <= 0.59"
retryable_errorsPatterns that trigger automatic retries["Error locking state:.*", "no such host"]
That completes Lab 4. Thank you for following along!

Watch Video

Practice Lab