allow overriding of boilerplate hooks and shell flags in catalog config

[pseudomorph]

Description

Allow overriding the default behavior of disabled shell and hooks for boilerplate in scaffold/catalog.

Fixes #3659.

TODOs

Read the Gruntwork contribution guidelines.

• I authored this code entirely myself
• I am submitting code based on open source software (e.g. MIT, MPL-2.0, Apache)]
• I am adding or upgrading a dependency or adapted code and confirm it has a compatible open source license
• Update the docs.
• Run the relevant tests successfully, including pre-commit checks.
• Include release notes. If this PR is backward incompatible, include a migration guide.

Release Notes (draft)

Added --enable-shell and --enable-hooks CLI flags and catalog configuration support for scaffold templates.

Migration Guide

Summary by CodeRabbit

• New Features

  • Added two new CLI flags, --no-shell and --no-hooks, to the scaffold and catalog commands, allowing users to disable shell command execution and hooks in scaffold templates for enhanced security.
  • Catalog and scaffold configuration now supports no_shell and no_hooks boolean settings.
  • CLI flags take precedence over configuration file settings.
  • Scaffold behavior dynamically respects these flags during template processing.

• Documentation

  • Updated documentation to describe the new flags and configuration options, including usage examples, security notes, and configuration precedence.
  • Added dedicated documentation files for each new flag.
  • Expanded command references and examples to include disabling shell functions and hooks.

• Tests

  • Introduced new and expanded tests to validate the correct behavior and configuration parsing of the new security features.
  • Added tests covering scaffold template processing with shell and hooks enabled or disabled.
  • Added tests verifying precedence of CLI flags over catalog configuration.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
terragrunt-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 5:56pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This change introduces two new security-related flags, no-shell and no-hooks, to both the scaffold and catalog commands, allowing users to disable shell execution and hooks during scaffolding. Corresponding optional boolean fields (NoShell, NoHooks) are added to the catalog configuration struct. The CLI flags take precedence over config settings. Documentation and tests are updated accordingly.

Changes

Files / Areas	Change Summary
cli/commands/scaffold/cli.go, cli/commands/catalog/cli.go	Added no-shell and no-hooks CLI flags/constants; updated flag filtering logic.
cli/commands/scaffold/scaffold.go	Changed scaffold execution to use dynamic flags from options for disabling shell and hooks.
options/options.go	Added ScaffoldNoShell and ScaffoldNoHooks fields to options struct; initialized in constructor.
config/catalog.go	Added NoShell and NoHooks fields (optional bool pointers) to CatalogConfig; updated String() method.
internal/services/catalog/catalog.go	Applied catalog config's shell/hooks enablement to options, respecting CLI flag precedence.
cli/commands/scaffold/scaffold_test.go, internal/services/catalog/catalog_test.go	Added/expanded tests for shell/hooks enablement logic and config precedence.
config/catalog_test.go	Added/expanded tests for parsing new catalog config fields.
docs-starlight/src/content/docs/02-features/06-catalog.md, 07-scaffold.md	Updated documentation to describe new flags and config options, usage, security notes, and precedence.
docs-starlight/src/data/commands/catalog.mdx, scaffold.mdx	Updated CLI command documentation and examples to include new flags.
docs-starlight/src/data/flags/catalog-no-shell.mdx, catalog-no-hooks.mdx	Added new documentation files for the new flags, describing usage and precedence.
docs-starlight/src/data/flags/scaffold-no-shell.mdx, scaffold-no-hooks.mdx	Added new documentation files for the new flags, describing usage and precedence.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI
    participant Config
    participant ScaffoldEngine

    User->>CLI: Run 'terragrunt scaffold' or 'terragrunt catalog'
    CLI->>Config: Load config (catalog, scaffold)
    Config-->>CLI: Return NoShell, NoHooks values
    CLI->>CLI: Parse CLI flags (--no-shell, --no-hooks)
    CLI->>CLI: Determine final shell/hooks enablement (CLI flags > config > defaults)
    CLI->>ScaffoldEngine: Run scaffold with NoShell/NoHooks flags
    ScaffoldEngine-->>User: Generate output (with/without shell/hooks)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~45 minutes

Suggested reviewers

• denis256
• yhakbar

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b92e2f and e3bbfe7.

📒 Files selected for processing (17)

• cli/commands/catalog/cli.go (1 hunks)
• cli/commands/scaffold/cli.go (2 hunks)
• cli/commands/scaffold/scaffold.go (1 hunks)
• cli/commands/scaffold/scaffold_test.go (1 hunks)
• config/catalog.go (1 hunks)
• config/catalog_test.go (2 hunks)
• docs-starlight/src/content/docs/02-features/06-catalog.md (4 hunks)
• docs-starlight/src/content/docs/02-features/07-scaffold.md (4 hunks)
• docs-starlight/src/data/commands/catalog.mdx (1 hunks)
• docs-starlight/src/data/commands/scaffold.mdx (2 hunks)
• docs-starlight/src/data/flags/catalog-no-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/catalog-no-shell.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-no-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-no-shell.mdx (1 hunks)
• internal/services/catalog/catalog.go (1 hunks)
• internal/services/catalog/catalog_test.go (1 hunks)
• options/options.go (2 hunks)

✅ Files skipped from review due to trivial changes (2)

• docs-starlight/src/data/flags/scaffold-no-shell.mdx
• docs-starlight/src/data/flags/catalog-no-hooks.mdx

🚧 Files skipped from review as they are similar to previous changes (15)

• cli/commands/catalog/cli.go
• docs-starlight/src/data/flags/catalog-no-shell.mdx
• cli/commands/scaffold/scaffold.go
• internal/services/catalog/catalog.go
• docs-starlight/src/data/commands/scaffold.mdx
• docs-starlight/src/content/docs/02-features/07-scaffold.md
• cli/commands/scaffold/cli.go
• docs-starlight/src/data/commands/catalog.mdx
• docs-starlight/src/data/flags/scaffold-no-hooks.mdx
• config/catalog.go
• docs-starlight/src/content/docs/02-features/06-catalog.md
• config/catalog_test.go
• options/options.go
• internal/services/catalog/catalog_test.go
• cli/commands/scaffold/scaffold_test.go

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

config/catalog_test.go (1)

126-168: Well-structured tests with a minor readability improvement suggestion.

The test cases comprehensively cover the new scaffold configuration options with clear, descriptive names and inline HCL configurations.

Consider using a cleaner pointer creation syntax for better readability:

-EnableShell: &[]bool{true}[0],
+EnableShell: boolPtr(true),

You could add a helper function at the top of the test file:

func boolPtr(b bool) *bool {
    return &b
}

This would make the test expectations more readable while maintaining the same functionality.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 497e2b2 and 5d39dc2.

📒 Files selected for processing (17)

• cli/commands/catalog/cli.go (1 hunks)
• cli/commands/scaffold/cli.go (2 hunks)
• cli/commands/scaffold/scaffold.go (1 hunks)
• cli/commands/scaffold/scaffold_test.go (1 hunks)
• config/catalog.go (1 hunks)
• config/catalog_test.go (2 hunks)
• docs-starlight/src/content/docs/02-features/06-catalog.md (4 hunks)
• docs-starlight/src/content/docs/02-features/07-scaffold.md (4 hunks)
• docs-starlight/src/data/commands/catalog.mdx (1 hunks)
• docs-starlight/src/data/commands/scaffold.mdx (2 hunks)
• docs-starlight/src/data/flags/catalog-enable-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/catalog-enable-shell.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-enable-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-enable-shell.mdx (1 hunks)
• internal/services/catalog/catalog.go (1 hunks)
• internal/services/catalog/catalog_test.go (1 hunks)
• options/options.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

docs-starlight/**/*.md*

Instructions used from:

Sources:
⚙️ CodeRabbit Configuration File

**/*.go

Instructions used from:

Sources:
⚙️ CodeRabbit Configuration File

🧠 Learnings (7)

docs-starlight/src/data/commands/scaffold.mdx (1)

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

options/options.go (3)

Learnt from: levkohimins
PR: gruntwork-io/terragrunt#3723
File: cli/commands/stack/action.go:160-160
Timestamp: 2025-02-10T13:36:19.542Z
Learning: The project uses a custom error package `github.com/gruntwork-io/terragrunt/internal/errors` which provides similar functionality to `fmt.Errorf` but includes stack traces. Prefer using this package's error functions (e.g., `errors.Errorf`, `errors.New`) over the standard library's error handling.

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#3868
File: docs-starlight/patches/@astrojs%2Fstarlight@0.31.1.patch:33-33
Timestamp: 2025-02-10T23:20:04.295Z
Learning: In Terragrunt projects, all `.hcl` files can be assumed to be Terragrunt configurations by default, with specific exceptions like `.terraform.lock.hcl` that need explicit handling.

cli/commands/catalog/cli.go (1)

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

cli/commands/scaffold/cli.go (1)

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

docs-starlight/src/data/commands/catalog.mdx (2)

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#3868
File: docs-starlight/patches/@astrojs%2Fstarlight@0.31.1.patch:33-33
Timestamp: 2025-02-10T23:20:04.295Z
Learning: In Terragrunt projects, all `.hcl` files can be assumed to be Terragrunt configurations by default, with specific exceptions like `.terraform.lock.hcl` that need explicit handling.

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

config/catalog.go (1)

Learnt from: partcyborg
PR: gruntwork-io/terragrunt#3974
File: config/config_partial.go:448-456
Timestamp: 2025-03-06T23:44:09.413Z
Learning: The TerragruntConfig struct in config/config.go does contain an Engine field that's used to store engine configuration data.

docs-starlight/src/content/docs/02-features/07-scaffold.md (2)

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named `flags` when the `github.com/gruntwork-io/terragrunt/cli/flags` package is imported. Use more specific variable names like `flagSet` instead.

Learnt from: yhakbar
PR: gruntwork-io/terragrunt#3868
File: docs-starlight/patches/@astrojs%2Fstarlight@0.31.1.patch:33-33
Timestamp: 2025-02-10T23:20:04.295Z
Learning: In Terragrunt projects, all `.hcl` files can be assumed to be Terragrunt configurations by default, with specific exceptions like `.terraform.lock.hcl` that need explicit handling.

🧬 Code Graph Analysis (2)

cli/commands/catalog/cli.go (1)

cli/commands/scaffold/cli.go (2)

• EnableShellFlagName (21-21)
• EnableHooksFlagName (22-22)

cli/commands/scaffold/cli.go (2)

cli/flags/flag.go (1)

• NewFlag (28-41)

internal/cli/bool_flag.go (1)

• BoolFlag (13-49)

🔇 Additional comments (29)

cli/commands/catalog/cli.go (1)

21-22: LGTM - Flag filtering logic is correct.

The addition of EnableShellFlagName and EnableHooksFlagName to the filter list correctly excludes these scaffold-specific flags from the catalog command, preventing duplication since the catalog has its own versions of these flags.

docs-starlight/src/data/commands/scaffold.mdx (3)

11-12: LGTM - Flag documentation is accurate.

The addition of scaffold-enable-shell and scaffold-enable-hooks to the flags list correctly documents the new functionality.

---

21-26: LGTM - Examples clearly demonstrate the new functionality.

The new examples effectively show users how to enable shell functions and hooks during scaffolding, providing clear guidance on the practical usage of these flags.

---

30-30: LGTM - Usage line correctly includes new flags.

The command usage syntax properly includes the new optional flags in the appropriate position.

docs-starlight/src/data/commands/catalog.mdx (2)

17-22: LGTM - Examples clearly demonstrate catalog-specific flag usage.

The new examples effectively show how to enable shell functions and hooks when scaffolding from the catalog, providing users with clear guidance on these security-sensitive options.

---

24-25: LGTM - Flag documentation is complete and accurate.

The addition of catalog-enable-shell and catalog-enable-hooks to the flags list properly documents the catalog-specific versions of these flags.

options/options.go (2)

200-203: LGTM - New scaffold fields are properly defined.

The addition of ScaffoldEnableShell and ScaffoldEnableHooks fields with clear comments follows the established patterns in the codebase. The placement near other scaffold-related options maintains good code organization.

---

442-443: LGTM - Secure defaults are properly initialized.

Initializing both ScaffoldEnableShell and ScaffoldEnableHooks to false ensures secure defaults where shell execution and hooks are disabled unless explicitly enabled by the user.

internal/services/catalog/catalog.go (1)

108-114: LGTM - Precedence logic correctly implemented.

The implementation properly applies catalog configuration for scaffold flags while respecting CLI flag precedence. The null-safety checks for pointer fields and the boolean logic are correct, ensuring that catalog config only takes effect when CLI flags haven't been explicitly set.

cli/commands/scaffold/cli.go (2)

21-22: LGTM: Flag name constants follow established patterns.

The new flag name constants are consistent with the existing codebase conventions.

---

85-97: LGTM: New boolean flags are well-implemented.

The new enable-shell and enable-hooks flags are properly configured with:

• Appropriate environment variable support (TG_ENABLE_SHELL, TG_ENABLE_HOOKS)
• Clear usage descriptions that indicate their purpose
• Proper destination field mapping to the options struct
• Consistent structure with existing flags in the codebase

The implementation follows Go best practices and the established patterns in this codebase.

docs-starlight/src/data/flags/catalog-enable-shell.mdx (1)

1-22: Excellent documentation with appropriate security warnings.

The documentation clearly explains:

• The purpose and functionality of the enable-shell flag
• Security implications with a prominent warning about arbitrary command execution
• Clear precedence order for flag resolution
• Practical example usage

The security warning is particularly important given the potential for arbitrary command execution, and it's appropriately emphasized.

docs-starlight/src/data/flags/scaffold-enable-hooks.mdx (1)

1-22: Well-structured documentation with proper security guidance.

The documentation effectively covers:

• Clear explanation of hooks functionality in boilerplate templates
• Prominent security warning about the risks of enabling hooks
• Proper precedence order documentation
• Relevant example using the scaffold command

The security considerations are appropriately highlighted, which is crucial for features that can execute arbitrary commands.

docs-starlight/src/data/flags/scaffold-enable-shell.mdx (1)

1-22: Consistent and clear documentation following established patterns.

This documentation maintains consistency with the other flag documentation files while providing:

• Clear explanation of shell function capabilities in templates
• Appropriate security warnings about command execution risks
• Well-documented precedence rules
• Practical usage example with the scaffold command

The consistent approach across all flag documentation files enhances the user experience.

cli/commands/scaffold/scaffold.go (1)

204-205: Clean implementation enabling dynamic control of shell and hooks.

The change from hardcoded true values to negated flag values (!opts.ScaffoldEnableShell and !opts.ScaffoldEnableHooks) properly implements the feature requirements. This allows users to control shell execution and hooks through CLI flags while maintaining the secure default of having these features disabled.

The negation logic is correct since the boilerplate options use "Disable" semantics while the user flags use "Enable" semantics.

docs-starlight/src/data/flags/catalog-enable-hooks.mdx (1)

1-22: Excellent documentation structure and content.

The documentation clearly explains the enable-hooks flag with appropriate security warnings and precedence rules. The structure is well-organized and provides users with the information they need to safely use this feature.

config/catalog.go (2)

47-50: Well-designed struct field additions.

The use of boolean pointers is appropriate for optional configuration fields, allowing the system to distinguish between unset values and explicitly set false values. The documentation comments clearly explain the precedence behavior with CLI flags.

---

54-61: Safe and correct String() method implementation.

The method properly handles nil pointer cases by using interface{} variables and nil checks before dereferencing. This prevents potential panics while providing meaningful string representation of the configuration.

internal/services/catalog/catalog_test.go (1)

204-302: Comprehensive and well-structured test coverage.

The test thoroughly validates the scaffold configuration application with excellent coverage of different scenarios:

• Catalog configuration enabling individual features
• CLI flag precedence over catalog configuration
• Default behavior without scaffold configuration

The table-driven approach with parallel execution and clear test case descriptions makes this maintainable and efficient. The mock setup and assertions are appropriate for validating the integration between catalog configuration and scaffold options.

cli/commands/scaffold/scaffold_test.go (1)

99-245: Excellent integration test for scaffold features.

This test provides comprehensive validation of the shell and hooks functionality using actual template processing. The table-driven approach covers all important scenarios:

• Positive and negative cases for both shell and hooks features
• Realistic template content that mimics real-world usage
• Proper validation of expected vs unexpected content in generated files
• Clear test descriptions and assertions

The test effectively validates that the CLI flags properly control the underlying boilerplate template processing behavior.

docs-starlight/src/content/docs/02-features/07-scaffold.md (4)

66-105: Excellent security-focused documentation.

The Security Features section effectively communicates the security implications of the new features while providing clear guidance on how to use them safely. The precedence order documentation is particularly valuable for users working with catalog integration.

Key strengths:

• Clear explanation of what each feature does
• Prominent security warnings about arbitrary command execution
• Multiple examples showing different ways to enable features
• Well-structured precedence rules

---

14-14: Command usage accurately reflects new flags.

The updated command usage properly includes the new --enable-shell and --enable-hooks flags in the expected position within the command syntax.

---

143-146: Well-documented convenience flags.

The new flags are clearly documented with accurate descriptions that emphasize their precedence over catalog configuration. The formatting is consistent with existing flag documentation.

---

188-198: Practical examples with appropriate security reminders.

The new examples clearly demonstrate how to use the security features while reinforcing the importance of caution through comments. This helps users understand both the syntax and the security implications.

docs-starlight/src/content/docs/02-features/06-catalog.md (4)

12-12: LGTM! Clear command syntax documentation.

The addition of the new CLI flags to the command syntax follows standard documentation conventions and clearly indicates the flags are optional.

---

34-38: Excellent configuration documentation with security context.

The HCL configuration example is well-structured with clear comments that explain:

• The purpose of each setting
• Default values and security implications
• Override behavior via CLI flags

This provides users with the context they need to make informed decisions about enabling these features.

---

48-64: Comprehensive and security-conscious documentation.

This new section excellently covers:

• Clear explanations of the scaffold configuration options
• Appropriate security warnings about command execution risks
• Well-defined precedence hierarchy
• Good organization with logical subsections

The security emphasis is particularly valuable given the potential risks of enabling shell and hook execution.

---

76-77: Clear and consistent flag documentation.

The flag descriptions are concise and consistent with the earlier documentation, appropriately mentioning the override behavior for catalog configuration.

config/catalog_test.go (1)

190-210: Excellent test implementation following Go best practices.

The test execution logic demonstrates good practices:

• Proper test isolation using temporary directories
• Consistent naming with descriptive prefixes
• Appropriate error handling and assertions
• Support for parallel execution
• Clean separation of concerns

The implementation ensures reliable and maintainable test coverage for the new scaffold configuration parsing functionality.

[denis256]

Hi,
Looks like code is failing on lint

config/locals_test.go:21:18: string `terragrunt.hcl` has 5 occurrences, make it a constant (goconst)
	mockFilename := "terragrunt.hcl"
	                ^
cli/commands/scaffold/scaffold_test.go:136:13: fieldalignment: struct with 104 pointer bytes could be 96 (govet)
	tests := []struct {
	           ^
config/catalog.go:42:20: fieldalignment: struct with 56 pointer bytes could be [40](https://github.com/gruntwork-io/terragrunt/actions/runs/16354418547/job/46209080937?pr=4540#step:8:41) (govet)
type CatalogConfig struct {
                   ^
config/catalog_test.go:127:21: fieldalignment: struct with 40 pointer bytes could be 32 (govet)
	scaffoldTests := []struct {
	                   ^
level=info msg="File cache stats: 6 entries of total size 64.4KiB"
level=info msg="Memory: 851 samples, avg is 110.4MB, max is 1043.2MB"
level=info msg="Execution took 1m25.69647162s"
options/options.go:100:24: fieldalignment: struct of size 1128 could be 1120 (govet)
type TerragruntOptions struct {
                       ^
config/catalog.go:58:2: if statements should only be cuddled with assignments (wsl)
	if cfg.EnableHooks != nil {
	^
config/catalog.go:61:2: return statements should not be cuddled if block has more than two lines (wsl)
	return fmt.Sprintf("Catalog{URLs = %v, DefaultTemplate = %v, EnableShell = %v, EnableHooks = %v}", cfg.URLs, cfg.DefaultTemplate, enableShell, enableHooks)
	^
internal/services/catalog/catalog.go:112:4: if statements should only be cuddled with assignments (wsl)
			if !s.opts.ScaffoldEnableHooks && catalogCfg.EnableHooks != nil && *catalogCfg.EnableHooks {
			^
8 issues:
* goconst: 1
* govet: 4
* wsl: 3
make: *** [Makefile:[42](https://github.com/gruntwork-io/terragrunt/actions/runs/16354418547/job/46209080937?pr=4540#step:8:43): run-lint] Error 1

You can run it locally through make run-lint

[denis256]

Hi,
Looks like fails TestCatalogParseConfigFile tests

2025-07-18T14:18:42.1935666Z --- FAIL: TestCatalogParseConfigFile (0.01s)
2025-07-18T14:18:42.1935956Z     --- FAIL: TestCatalogParseConfigFile/scaffold_both_enabled (0.00s)
2025-07-18T14:18:42.1976684Z     --- FAIL: TestCatalogParseConfigFile/scaffold_enable_hooks_false (0.00s)
2025-07-18T14:18:42.1977784Z     --- FAIL: TestCatalogParseConfigFile/scaffold_enable_shell_true (0.00s)

[yhakbar]

@pseudomorph

This functionality has been discussed internally before at Gruntwork, and we previously reached the conclusion that the right way to tackle this functionality in Terragrunt is to introduce a --no-shell-hook to disable shell hooks in Boilerplate.

The reason we'd like to bias towards enabling the hooks instead of disabling them is for two major reasons:

1. It aligns with how Boilerplate behaves by default, reducing the complexity that would be present if the two had different default behaviors.
2. It avoids giving users a false sense of security. Most of the time, what you are scaffolding is Terragrunt configurations, and Terragrunt configurations can execute arbitrary commands anyways (via run_cmd for example). Users shouldn't scaffold configurations they don't trust to begin with, even while disabling scaffold hooks.

Let me know if that makes sense, and if you agree. Sorry I didn't bring this up earlier when you asked about this.

[pseudomorph]

@yhakbar - No problem, shall I invert the logic/options here?

[yhakbar]

@yhakbar - No problem, shall I invert the logic/options here?

Yes please

[pseudomorph]

@yhakbar -- qq. do we want a singular flag for both (--no-shell-hooks), or break out for each (--no-shell, --no-hooks) or the exact same flags as boilerplate (--disable-hooks, --disable-shell)?

[yhakbar]

@yhakbar -- qq. do we want a singular flag for both (--no-shell-hooks), or break out for each (--no-shell, --no-hooks) or the exact same flags as boilerplate (--disable-hooks, --disable-shell)?

Great question. I think we should have two flags for parity, but break parity with the names. Terragrunt flags should always start with non or no when they disable default behavior per the CLI rules.

Do you agree?

[pseudomorph]

Makes sense! I'll update the PR.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

docs-starlight/src/content/docs/02-features/07-scaffold.md (4)

13-15: Clarify placeholder syntax for flags that take values

Readers will be unsure what --var, --var-file, and --root-file-name expect. Show the placeholder for the value so the usage string is self-explanatory.

-terragrunt scaffold <MODULE_URL> [TEMPLATE_URL] [--var] [--var-file] [--no-shell] [--no-hooks] [--no-include-root] [--root-file-name]
+terragrunt scaffold <MODULE_URL> [TEMPLATE_URL] \
+  [--var KEY=VALUE...] [--var-file FILE...] \
+  [--no-shell] [--no-hooks] [--no-include-root] \
+  [--root-file-name NAME]

---

66-97: Consolidate the security warning into a call-out for better visibility

The prose repeats the security caution and it can get lost in the middle of the section. Starlight supports admonitions – this draws the reader’s eye and avoids duplication.

-## Security Features
-
-...
-
-**Security Note**: Both shell functions and hooks can execute arbitrary commands on your system. Consider disabling these features for enhanced security. Do not scaffold templates you do not trust.
+## Security considerations
+
+:::caution Security note
+Shell functions (`{{shell ...}}`) and boilerplate hooks can execute arbitrary commands on your system.  
+Disable them with `--no-shell` / `--no-hooks` (or the corresponding catalog settings) when scaffolding templates you don’t fully trust.
+:::

---

100-105: Tighten wording & make precedence list unambiguous

Small phrasing tweaks improve readability and make the list easier to scan.

-1. **CLI flags** - `--no-shell` and `--no-hooks` override all other settings
-2. **Catalog configuration** - Settings in the `catalog` block (see [catalog documentation](/docs/features/catalog))
-3. **Default values** - Both features are enabled by default
+1. **CLI flags** (`terragrunt scaffold --no-shell / --no-hooks`) – highest priority  
+2. **Catalog configuration** (`no_shell`, `no_hooks` under the `catalog` block) – applied when the CLI flags are omitted  
+3. **Defaults** – both features are enabled when neither of the above provide an override

---

175-179: Keep convenience-flag list alphabetised for quick scanning

Swapping the two new flags keeps the list ordered and consistent with the existing style.

-- `--no-shell` - Disable shell functions in scaffold templates. Overrides catalog configuration.
-- `--no-hooks` - Disable hooks in scaffold templates. Overrides catalog configuration.
+- `--no-hooks` - Disable hooks in scaffold templates (overrides catalog configuration).
+- `--no-shell` - Disable shell functions in scaffold templates (overrides catalog configuration).

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db5deb4 and 7b92e2f.

📒 Files selected for processing (11)

• cli/commands/scaffold/scaffold_test.go (1 hunks)
• config/catalog.go (1 hunks)
• config/catalog_test.go (2 hunks)
• docs-starlight/src/content/docs/02-features/06-catalog.md (4 hunks)
• docs-starlight/src/content/docs/02-features/07-scaffold.md (4 hunks)
• docs-starlight/src/data/flags/catalog-no-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/catalog-no-shell.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-no-hooks.mdx (1 hunks)
• docs-starlight/src/data/flags/scaffold-no-shell.mdx (1 hunks)
• internal/services/catalog/catalog.go (1 hunks)
• internal/services/catalog/catalog_test.go (1 hunks)

📓 Path-based instructions (1)

docs-starlight/**/*.md*

⚙️ CodeRabbit Configuration File

Review the documentation for clarity, grammar, and spelling. Make sure that the documentation is easy to understand and follow. There is currently a migration underway from the Jekyll based documentation in docs to the Starlight + Astro based documentation in docs-starlight. Make sure that the docs-starlight documentation is accurate and up-to-date with the docs documentation, and that any difference between them results in an improvement in the docs-starlight documentation.

Files:

• docs-starlight/src/content/docs/02-features/07-scaffold.md

🧠 Learnings (1)

docs-starlight/src/content/docs/02-features/07-scaffold.md (2)

Learnt from: yhakbar
PR: #4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named flags when the github.com/gruntwork-io/terragrunt/cli/flags package is imported. Use more specific variable names like flagSet instead.

Learnt from: yhakbar
PR: #3868
File: docs-starlight/patches/@astrojs%2Fstarlight@0.31.1.patch:33-33
Timestamp: 2025-02-10T23:20:04.295Z
Learning: In Terragrunt projects, all .hcl files can be assumed to be Terragrunt configurations by default, with specific exceptions like .terraform.lock.hcl that need explicit handling.

✅ Files skipped from review due to trivial changes (1)

• docs-starlight/src/data/flags/scaffold-no-shell.mdx

🚧 Files skipped from review as they are similar to previous changes (9)

• internal/services/catalog/catalog.go
• docs-starlight/src/data/flags/scaffold-no-hooks.mdx
• docs-starlight/src/data/flags/catalog-no-shell.mdx
• cli/commands/scaffold/scaffold_test.go
• docs-starlight/src/data/flags/catalog-no-hooks.mdx
• docs-starlight/src/content/docs/02-features/06-catalog.md
• config/catalog.go
• config/catalog_test.go
• internal/services/catalog/catalog_test.go

🧰 Additional context used

📓 Path-based instructions (1)

docs-starlight/**/*.md*

⚙️ CodeRabbit Configuration File

Review the documentation for clarity, grammar, and spelling. Make sure that the documentation is easy to understand and follow. There is currently a migration underway from the Jekyll based documentation in docs to the Starlight + Astro based documentation in docs-starlight. Make sure that the docs-starlight documentation is accurate and up-to-date with the docs documentation, and that any difference between them results in an improvement in the docs-starlight documentation.

Files:

• docs-starlight/src/content/docs/02-features/07-scaffold.md

🧠 Learnings (1)

docs-starlight/src/content/docs/02-features/07-scaffold.md (2)

Learnt from: yhakbar
PR: #4169
File: cli/commands/hcl/validate/cli.go:29-60
Timestamp: 2025-04-17T13:02:28.098Z
Learning: Avoid shadowing imported packages with local variables in Go code, such as using a variable named flags when the github.com/gruntwork-io/terragrunt/cli/flags package is imported. Use more specific variable names like flagSet instead.

Learnt from: yhakbar
PR: #3868
File: docs-starlight/patches/@astrojs%2Fstarlight@0.31.1.patch:33-33
Timestamp: 2025-02-10T23:20:04.295Z
Learning: In Terragrunt projects, all .hcl files can be assumed to be Terragrunt configurations by default, with specific exceptions like .terraform.lock.hcl that need explicit handling.

🔇 Additional comments (1)

docs-starlight/src/content/docs/02-features/07-scaffold.md (1)

219-230: LGTM – explicit examples for the new flags are clear

The additional examples make it obvious how to disable each feature. Nice touch.

[yhakbar]

I bet the test failures are flakes, but the PR now has conflicts. Do you mind addressing them, @pseudomorph ?

[yhakbar]

This has sparked active discussion! We're taking a step back, and changing the way that Boilerplate works in order to try to get the best of both worlds here.

We're going to introduce a prompt in Boilerplate whenever a shell function or hook is detected in a template, requiring opt-in from users before running. We'll then cut a breaking change release in Boilerplate, and pull in the updated release to Terragrunt, where that same prompt will be presented to users before a hook/shell is run. That work is going to block merging this in.

The --non-interactive flag will ignore the prompt in both Boilerplate and Terragrunt.

[pseudomorph]

Roger! Sounds like this PR will be unnecessary then. Please lmk if anything is needed from me.

[yhakbar]

Roger! Sounds like this PR will be unnecessary then. Please lmk if anything is needed from me.

We can leave it open. Ideally, we can bump the boilerplate dependency, rebase, then merge it in.

[pseudomorph]

Oh, perhaps I misunderstood -- would there would be 2 paths to enable/disable shell/hooks?

1. --non-interactive flag to allow hooks/shell
2. --no-(hooks|shell) to disable hooks/shell

If so, would --no-(hooks|shell) take precedent over --non-interactive?

[yhakbar]

Oh, perhaps I misunderstood -- would there would be 2 paths to enable/disable shell/hooks?

1. `--non-interactive` flag to allow hooks/shell

2. `--no-(hooks|shell)` to disable hooks/shell

If so, would --no-(hooks|shell) take precedent over --non-interactive?

Yes. If a user supplied --no-hooks/shell, and --non-interactive, and they tried to scaffold a template that had one of those, they would get the same behavior that Boilerplate currently has when passing --disable-hooks/shell.

The difference would be that if a user doesn't supply --non-interactive, and they don't use --no-hooks/shell, they'll get a prompt to decide to (dis)allow it.