feat: exec, run commands implementation

[levkohimins]

Description

1. exec, run commands implementation.
2. Sorting and renaming CLI flags.
3. Automatic generation of environment variables.
4. Code refactoring.

Relates to #3445 .

TODOs

Read the Gruntwork contribution guidelines.

• Update the docs.
• Run the relevant tests successfully, including pre-commit checks.
• Ensure any 3rd party code adheres with our license policy or delete this line if its not applicable.
• Include release notes. If this PR is backward incompatible, include a migration guide.

Release Notes (draft)

Added / Removed / Updated [X].

Migration Guide

[yhakbar]

I'm getting pulled onto other things, but I thought I see enough that warrants changes before continuing with the review (I'm only like 37/206 through this review...). Will come back to this soon, but wanted to give you feedback early while I'm not looking at it.

[yhakbar]

Why are we disabling this check? Shouldn't we have all the receiver types be consistent? I don't know why we'd want to mix and match pointers and non-pointers.

[levkohimins]

At that time, the latest version of golangci-lint 1.62.2 did not have this fix. I just updated golangci-lint, now it has. I will enable recvcheck.

[levkohimins]

Ah, no, it is still not fixed in golangci-lint

pkg/log/level.go:83:6: the methods of "Level" use pointer receiver and non-pointer receiver. (recvcheck)

// UnmarshalText implements encoding.TextUnmarshaler.
func (level *Level) UnmarshalText(text []byte) error {

I will add a comment on why this check is disabled.

[yhakbar]

Can we also hide this command? Who cares about it now?

[levkohimins]

I only moved the code and I do not know the answer. Technically, of course, it can be hidden.

[yhakbar]

Feel free to ignore for now, but we should get rid of it or hide it before 1.0. it's a waste of space in the CLI API.

[yhakbar]

Could I get confirmation on why we're hiding the command? Are we looking to dark launch it?

[levkohimins]

I mentioned it in the slack:

The new exec and run commands are temporarily hidden from help until we thoroughly test and document them in order not to delay the merge into main.

[levkohimins]

Should I add a comment or make them visible?

[yhakbar]

What I would recommend is marking them as experiments.

The danger with just marking them as hidden is that we're updating a lot of documentation, etc and we have to in order for them to be used right.

By marking them as experiments and making them visible, we document both that they're not ready for production usage, and explain how they're supposed to be used.

[yhakbar]

Do we already have this shortcut supported?

[levkohimins]

Shortcut is what we have now terragrunt plan, it is still supported, but with a deprecation warning. Should I disable the warning?

[yhakbar]

Ya, see this:
#3723 (comment)

[yhakbar]

Suggested change

	Description: "Run a command, passing arguments to a wrapped tofu/terraform binary.\n\nThis is the explicit, and most flexible form of running an IaC update with Terragrunt. Shortcuts can be found in \"terragrunt --help\" for common use-cases.",
	Description: "Run a command, passing arguments to an orchestrated tofu/terraform binary.\n\nThis is the explicit, and most flexible form of running an IaC command with Terragrunt. Shortcuts can be found in \"terragrunt --help\" for common use-cases.",

[yhakbar]

Do we already support shortcuts?

[levkohimins]

Responded here.

[yhakbar]

Do we already have this shortcut supported?

[levkohimins]

Responded here.

[yhakbar]

What's this for?

[levkohimins]

This is moved code, not mine. I found the following

terragrunt/cli/commands/run-all/action.go

Lines 14 to 30 in 54a810f

	// Known terraform commands that are explicitly not supported in run-all due to the nature of the command. This is
	// tracked as a map that maps the terraform command to the reasoning behind disallowing the command in run-all.
	var runAllDisabledCommands = map[string]string{
	terraform.CommandNameImport: "terraform import should only be run against a single state representation to avoid injecting the wrong object in the wrong state representation.",
	terraform.CommandNameTaint: "terraform taint should only be run against a single state representation to avoid using the wrong state address.",
	terraform.CommandNameUntaint: "terraform untaint should only be run against a single state representation to avoid using the wrong state address.",
	terraform.CommandNameConsole: "terraform console requires stdin, which is shared across all instances of run-all when multiple modules run concurrently.",
	terraform.CommandNameForceUnlock: "lock IDs are unique per state representation and thus should not be run with run-all.",
	// MAINTAINER'S NOTE: There are a few other commands that might not make sense, but we deliberately allow it for
	// certain use cases that are documented here:
	// - state : Supporting `state` with run-all could be useful for a mass pull and push operation, which can
	// be done en masse with the use of relative pathing.
	// - login / logout : Supporting `login` with run-all could be useful when used in conjunction with mise and
	// multi-terraform version setups, where multiple terraform versions need to be configured.
	// - version : Supporting `version` with run-all could be useful for sanity checking a multi-version setup.
	}

[yhakbar]

Why is the file called deprecated_flag now? Not a big deal, just a little strange.

[levkohimins]

What would you like it to be called?

[yhakbar]

It used to be called deprecated_flags.go

[yhakbar]

Why not return cli.BoolFlag?

[levkohimins]

Because it returns *Flag struct.

cannot use &Flag{…} (value of type *Flag) as  *"github.com/gruntwork-io/terragrunt/internal/cli".BoolFlag value in return statement [IncompatibleAssign]

I will replace cli.Flag with *Flag

[yhakbar]

Suggested change

	// BoolWithDeprecatedFlag adds deprecated names with strict mode control for the given flag.
	// BoolWithDeprecatedFlag adds deprecated names when strict mode is disabled for the given flag.

[levkohimins]

Not sure, it adds deprecated names regardless of strict mode settings. Strict mode only affects behavior, prohibits or warns not to use these aliases(flags).

[yhakbar]

Suggested change

	Error: errors.New("The default command is no longer supported. Use `terragrunt run` instead."),
	Error: errors.New("Terragrunt no longer has a default command. Use `terragrunt run` to explicitly pass commands to OpenTofu/Terraform instead. e.g. `terragrunt run -- plan`"),

It might be too much, but I think it would be really nice if we could use the users incorrect command as a basis for this.

For example:

$ terragrunt foo
ERROR: The command `foo` is not a valid Terragrunt command. Use `terragrunt run` to explicitly pass commands to OpenTofu/Terraform instead. e.g. `terragrunt run -- foo`

[yhakbar]

• TODO: Populate this.

[levkohimins]

RenamedFlag is a strict control for multiple flags, meaning it returns a message with different names. The current implementation of the strict control can not allow to do it. Therefore the message builder is moved to here.

[yhakbar]

I was playing with this functionality locally, and noticed these two things:

$ terragrunt exec ls
08:53:02.755 ERROR  target command not specified
08:53:02.758 ERROR  Unable to determine underlying exit code, so Terragrunt will exit with error code 1

That should work, given that terragrunt run plan works.

At the very least, a better error message should be thrown if we can't make it so that a user doesn't need --.

$ terragrunt exec -- ls
08:44:45.451 WARN   Detected that init is needed, but Auto-Init is disabled. Continuing with further actions, but subsequent terraform commands may fail.
main.tf
terragrunt.hcl

I'm also seeing issues with the --all flag of run:

$ terragrunt run --all plan
08:57:59.202 ERROR  stat ./terragrunt.hcl: no such file or directory
08:57:59.202 ERROR  Unable to determine underlying exit code, so Terragrunt will exit with error code 1

$ terragrunt run-all plan
08:58:02.838 INFO   The stack at . will be processed in the following order for command plan:
Group 1
- Module ./live/storage/external/first-external
- Module ./live/storage/internal/first-internal


08:58:02.880 INFO   [live/storage/external/first-external] tofu: Initializing the backend...
08:58:02.880 INFO   [live/storage/external/first-external] tofu: Initializing provider plugins...
08:58:02.880 INFO   [live/storage/external/first-external] tofu: OpenTofu has been successfully initialized!
08:58:02.880 INFO   [live/storage/external/first-external] tofu:
08:58:02.880 INFO   [live/storage/external/first-external] tofu: You may now begin working with OpenTofu. Try running "tofu plan" to see
08:58:02.880 INFO   [live/storage/external/first-external] tofu: any changes that are required for your infrastructure. All OpenTofu commands
08:58:02.880 INFO   [live/storage/external/first-external] tofu: should now work.
08:58:02.880 INFO   [live/storage/external/first-external] tofu: If you ever set or change modules or backend configuration for OpenTofu,
08:58:02.880 INFO   [live/storage/external/first-external] tofu: rerun this command to reinitialize your working directory. If you forget, other
08:58:02.880 INFO   [live/storage/external/first-external] tofu: commands will detect it and remind you to do so if necessary.
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: Initializing the backend...
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: Initializing provider plugins...
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: OpenTofu has been successfully initialized!
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu:
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: You may now begin working with OpenTofu. Try running "tofu plan" to see
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: any changes that are required for your infrastructure. All OpenTofu commands
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: should now work.
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: If you ever set or change modules or backend configuration for OpenTofu,
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: rerun this command to reinitialize your working directory. If you forget, other
08:58:02.880 INFO   [live/storage/internal/first-internal] tofu: commands will detect it and remind you to do so if necessary.
08:58:02.901 STDOUT [live/storage/external/first-external] tofu: No changes. Your infrastructure matches the configuration.
08:58:02.901 STDOUT [live/storage/external/first-external] tofu: OpenTofu has compared your real infrastructure against your configuration and
08:58:02.901 STDOUT [live/storage/external/first-external] tofu: found no differences, so no changes are needed.
08:58:02.901 STDOUT [live/storage/internal/first-internal] tofu: No changes. Your infrastructure matches the configuration.
08:58:02.901 STDOUT [live/storage/internal/first-internal] tofu: OpenTofu has compared your real infrastructure against your configuration and
08:58:02.901 STDOUT [live/storage/internal/first-internal] tofu: found no differences, so no changes are needed.

[yhakbar]

Another thing I'm noticing is that the help for both exec and run aren't working right now:

$ terragrunt run --help
OpenTofu has no command named "run".

To see all of OpenTofu's top-level commands, run:
  tofu -help

12:09:13.675 ERROR  Failed to execute "tofu run -help" in
OpenTofu has no command named "run".

To see all of OpenTofu's top-level commands, run:
  tofu -help


exit status 1

$ terragrunt exec --help
OpenTofu has no command named "exec".

To see all of OpenTofu's top-level commands, run:
  tofu -help

12:09:44.576 ERROR  Failed to execute "tofu exec -help" in
OpenTofu has no command named "exec".

To see all of OpenTofu's top-level commands, run:
  tofu -help


exit status 1

[levkohimins]

Another thing I'm noticing is that the help for both exec and run aren't working right now:

it works:

go run . exec --help
Usage: terragrunt exec [options] -- <command>

   Execute a command using Terragrunt.

Examples:
   # Utilize the AWS CLI.
   terragrunt exec -- aws s3 ls

   # Inspect `main.tf` file of module for Unit
   terragrunt exec -- cat main.tf

Options:
   --auth-provider-cmd                   Run the provided command and arguments to authenticate Terragrunt dynamically when necessary. [$TG_AUTH_PROVIDER_CMD]
   --config                              The path to the Terragrunt config file. Default is terragrunt.hcl. [$TG_CONFIG]
   --debug-inputs                        Write debug.tfvars to working folder to help root-cause issues. [$TG_DEBUG_INPUTS]
   --download-dir                        The path to download OpenTofu/Terraform modules into. Default is .cache in the working directory. [$TG_DOWNLOAD_DIR]
   --iam-assume-role                     Assume the specified IAM role before executing OpenTofu/Terraform. [$TG_IAM_ASSUME_ROLE]
   --iam-assume-role-duration            Session duration for IAM Assume Role session. [$TG_IAM_ASSUME_ROLE_DURATION]
   --iam-assume-role-session-name        Name for the IAM Assumed Role session. [$TG_IAM_ASSUME_ROLE_SESSION_NAME]
   --iam-assume-role-web-identity-token  For AssumeRoleWithWebIdentity, the WebIdentity token. [$TG_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN]
   --in-download-dir                     Run the provided command in the download directory. [$TG_IN_DOWNLOAD_DIR]

Global Options:
   --experiment value         Enables specific experiments. For a list of available experiments, see https://terragrunt.gruntwork.io/docs/reference/experiment-mode . [$TG_EXPERIMENT]
   --experiment-mode          Enables experiment mode for Terragrunt. For more information, see https://terragrunt.gruntwork.io/docs/reference/experiment-mode . [$TG_EXPERIMENT_MODE]
   --log-custom-format value  Set the custom log formatting. [$TG_LOG_CUSTOM_FORMAT]
   --log-disable              Disable logging. [$TG_LOG_DISABLE]
   --log-format value         Set the log format. [$TG_LOG_FORMAT]
   --log-level value          Sets the logging level for Terragrunt. Supported levels: stderr, stdout, error, warn, info, debug, trace. (default: info) [$TG_LOG_LEVEL]
   --log-show-abs-paths       Show absolute paths in logs. [$TG_LOG_SHOW_ABS_PATHS]
   --no-color                 Disable color output. [$TG_NO_COLOR]
   --non-interactive          Assume "yes" for all prompts. [$TG_NON_INTERACTIVE]
   --strict-control value     Enables specific strict controls. For a list of available controls, see https://terragrunt.gruntwork.io/docs/reference/strict-mode . [$TG_STRICT_CONTROL]
   --strict-mode              Enables strict mode for Terragrunt. For more information, see https://terragrunt.gruntwork.io/docs/reference/strict-mode . [$TG_STRICT_MODE]
   --working-dir value        The path to the directory of Terragrunt configurations. Default is current directory. [$TG_WORKING_DIR]
   --help, -h                 Show help.
   --version, -v              Show terragrunt version.

[levkohimins]

I was playing with this functionality locally, and noticed these two things:

$ terragrunt exec ls
08:53:02.755 ERROR  target command not specified
08:53:02.758 ERROR  Unable to determine underlying exit code, so Terragrunt will exit with error code 1

That should work, given that terragrunt run plan works.

Ok, it will work.

At the very least, a better error message should be thrown if we can't make it so that a user doesn't need --.

What text should be displayed for the terragrunt exec command without arguments?

I'm also seeing issues with the --all flag of run:

--all and --graph are not implemented yet.

[yhakbar]

What text should be displayed for the terragrunt exec command without arguments?

Something like the following:

The `exec` command requires arguments to be used.

e.g.

terragrunt exec -- echo "Hello from Terragrunt!"

In general, we should aim to always do the following with our errors in order of priority:

1. Explain exactly what a user did wrong to cause an error, and if possible where they did it.
2. Give them an example of proper usage.
3. If possible, correct their improper usage using the example of proper usage.