PIPELINES

Standardize the way you deploy IaC

Review, approve, and deploy your infrastructure changes directly from GitHub Pull Requests.
Built for:
Terragrunt
OpenTofu
Terraform
Features
Built for
Terragrunt

From the makers of Terragrunt, Gruntwork Pipelines supports Terragrunt units, run-all, and more.

TERRAGRUNT
Use all your favorite Terragrunt features
Multi-unit changes

Easily make changes that affect many Terragrunt units at once.

Dependencies

Intelligent run-all support keeps your pipeline moving smoothly.

New features

Take advantage of new features like Terragrunt Stacks as they launch.

GITOPS
Pull-request-driven GitOps workflows
Automatic plan/apply

Plan runs automatically when you open a pull request, while apply runs on merge.

Informative comments

View elegant log summaries of plan and apply output, or link to full logs in GitHub Actions.

Centralized discussion

Discuss changes and apply guardrails with all the info in one place.

Extensible
Create custom steps and workflows
Fully extensible

Add arbitrary steps at any stage in the pipeline to suit your team’s specific needs, such as:

Security checks.
Keep your security team happy by adding checks to ensure compliance and security standards.
Cost estimates.
Add cost estimation steps such as Infracost to estimate the financial impact of an infrastructure change.
Best practice checks.
Verify that your code adheres to best practices using your favorite linter.
Scalable
Use with one team, or scale to hundreds
Config as code

Systematically track all changes to pipeline configurations across your DevOps estate.

Automated setup

Stand up new teams or repos with Pipelines by generating the desired config code.

Centralized access control

Users request AWS permissions in a dedicated “access control” git repo.

Stacks
Streamline IaC with Terragrunt Stacks
Minimize your IaC Footprint

Pipelines uses terragrunt stack generate to identify impacted units, so you don't need to check in the generated units—only the terragrunt.stack.hcl files.

Minimize your blast radius

Pipelines identifies the minimum set of infrastructure units affected by your changes, avoiding unnecessary operations and limiting risk.

Trigger your pipeline when stacks are changed

All relevant infrastructure actions triggered by your terragrunt.stack.hcl updates (create, read, update, destroy) are handled automatically.

Smart dependency management

Updates are applied while respecting the dependency graph (DAG) order so that adds, changes, and destroys all occur successfully.

Drift Detection
Automatically detect and resolve drift
Scheduled runs

Run drift detection as often as you like to ensure your live resources reflect your IaC.

Automatic pull requests

Get pull requests to automatically report and resolve drift.

Environment aware

Manage drift independently in each environment, so you have the control you need where you need it.

Secure from the ground up

Gruntwork Pipelines was designed from day one with a strong security posture in mind.

Enforce access limits
Apply the principle of least privilege by giving team members access to only the cloud permissions they need.
Use temp credentials
Leverage GitHub OIDC to authenticate and apply changes without storing cloud credentials.
Keep audit logs
Get insights into every action taken in your pipeline with detailed audit logs stored in AWS CloudTrail.
“Gruntwork's Terragrunt makes managing our infrastructure across providers and environments consistent, safe, and easy to understand. And now with Pipelines, things are even easier and have infinitely more visibility for everyone involved. We can literally copy and paste infrastructure and spin up new services, providers, and even full environments in minutes instead of hours or days.”
Dallas Slaughter
Founding Engineer