chore: disable of default backend provisioning (#4703)

* Backend bootstrap only by explicit flag

* Cleanup

* lint issues

* Updated error explainer error

* Documentation update

* Improved errors detection

* GCP bootstrap flags

* Tests update

* Bootstrap flags update

* Updated --backend-bootstrap to OIDC

* GCP cleanup

* Backend update

* GCP tests cleanup

* AWS tests update

* AWS docs update

* Docs bootstrap fix

* Tests simplification

* docs: Add Terralith to Terragrunt guide (#4709)

* feat: Adding fixture for Terralith to Terragrunt guide

* feat: Adding Terralith to Terragrunt walkthrough

* fix: Use Asides where possible

* fix: Moving import up to avoid breaking list formatting

* fi:x Removing incorrect tip

* fix: Fixing asset links

* fix: The `gitignore` syntax highlight doesn't exist

* fix: Moving fixtures to the `docs-starlight` directory

* fix: Adjusting path

* fix: Removing `package-lock.json` entry in `.vercelignore`

* Revert "fix: Adjusting path"

This reverts commit 62e6d2d.

* fix: Removing duplicate fixtures

* Update docs-starlight/src/content/docs/02-guides/01-terralith-to-terragrunt/05-step-2-refactoring.mdx

Co-authored-by: Zach Goldberg <zach@gruntwork.io>

* fix: Fixing link for fixture code

---------

Co-authored-by: Zach Goldberg <zach@gruntwork.io>

* Updated form link (#4771)

* Polish to contact form (#4769)

* Pricing Page Launch (#4772)

* New supercharge module

* Updates to links etc

* Update copy

* Update docs-starlight/src/components/dv-PetAdvertise.astro

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update docs-starlight/src/components/dv-PetAdvertise.astro

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update docs-starlight/src/components/dv-PetAdvertise.astro

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Polish (#4773)

* fix: ensure custom API endpoints are set correctly (#4756)

* fix: ensure custom API endpoints are set correctly
* refactor: ensure consistent use of awshelper.CreateS3Client

* chore: fix runner-pool experiment tests (#4770)

* Group tests update

* Added checking for group tests

* chore: lint fixes

* runner-pool handling of TestOutputModuleGroups

* Bypass partytown (#4783)

* Bypass partytown

* GTM in header

* fix: Only override ref when not set (#4781)

* A collection of website polishing (#4784)

* Tighten up sidebar.

* Standardize CSS ordering between dev and prod.

Previously, the site would render one way in prod and another in dev! The issue was that vite was tree-shaking CSS and wound up re-ordering things in a way it thought was permissible, whereas in dev, without that optimization, the CSS was actuallys sequenced differently.

This led to a noticable huge margin in dev, but not in prod.

This commit asserts the official ordering the CSS layers, and then adds a fix for the left-margin issue. This should now standard dev and prod.

* Reduce code font-size from 16px to 14px.

* Improve main paragraph text rendering.

Use more readable line height and paragraph separation.

* Improve spacing after file tree.

* Fix sidebar inconsistencies on 3rd level of nav.

* feat: Generate stacks in topological order (#4786)

* feat: Finalizing topological generation of stacks

* feat: Adding tests for topological stack generation

* fix: Address race condition in warning suppression

* feat: Set name of test to `TestStackGenerationWithNestedTopologyWithRacing` to ensure it's caught by race test

* feat: Adding extra generate at the end for confirmation

* fix: Updating expected log messages in tests

* fix: Fixing AWS Account ID w/ Provider CMD (#4779)

* test: Attempting to reproduce issue with OIDC

* fix: Fixing `get_aws_account_id()` when using AuthProviderCmd

* fix: Addressing lint findings

* fix: Adding fixture for backend with OIDC

* fix: Adding integration test for OIDC with backend

* fix: Consolidating logic for AWS credential acquisition

* fix: Addressing lint findings

* test: Removing cleanup to fix this

* fix: Fixing delete bucket cleanup

* fix: Fixing role assumption when env creds aren't fetched from auth provider

* fix: Removing unnecessary debug

* fix: Skipping failing test for now

* Fixed failing OIDC tests

* Tests cleanup

* chore: aws helper complexity reduction

* Updated cleanup order

* enabled build tags

---------

Co-authored-by: Denis O <denis.o@linux.com>

* chore: experiments tests improvements (#4782)

* Group tests update

* Added checking for group tests

* chore: lint fixes

* runner-pool handling of TestOutputModuleGroups

* Updated plan path save file

* Improved FAIL errors

* IsExperimentMode() simplification

* Discovery include flags

* Added passing of discovery include/exclude directories

* Fixed discovery flags passing

* Improved parsing of tests

* docs: Updating migration docs (#4711)

* Added --non-interactive

* Market strict control as completed

* fix: Fixing failing OIDC test (#4791)

---------

Co-authored-by: Yousif Akbar <11247449+yhakbar@users.noreply.github.com>
Co-authored-by: Zach Goldberg <zach@gruntwork.io>
Co-authored-by: Karl Carstensen <karl.carstensen@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: AJ (.jASM) <aj@48k.io>
Co-authored-by: Rodin Velichkov <148242776+rvelichkov@users.noreply.github.com>
Co-authored-by: Josh Padnick <josh@gruntwork.io>

Author: 8 people

cli/commands/run/run.go

@@ -35,7 +35,6 @@ import (
 	"github.com/gruntwork-io/terragrunt/internal/experiment"
 	"github.com/gruntwork-io/terragrunt/internal/remotestate"
 	"github.com/gruntwork-io/terragrunt/internal/report"
-	"github.com/gruntwork-io/terragrunt/internal/strict/controls"
 	"github.com/gruntwork-io/terragrunt/options"
 	"github.com/gruntwork-io/terragrunt/shell"
 	"github.com/gruntwork-io/terragrunt/util"
@@ -793,9 +792,17 @@ func modulesNeedInit(terragruntOptions *options.TerragruntOptions) (bool, error)
 	return util.Grep(ModuleRegex, fmt.Sprintf("%s/%s", terragruntOptions.WorkingDir, TerraformExtensionGlob))
 }
 
-// If the user entered a Terraform command that uses state (e.g. plan, apply), make sure remote state is configured
-// before running the command.
+// remoteStateNeedsInit determines whether remote state initialization is required before running a Terraform command.
+// It returns true if:
+//   - BackendBootstrap is enabled in options
+//   - Remote state configuration is provided
+//   - The Terraform command uses state (e.g., plan, apply, destroy, output, etc.)
+//   - The remote state backend needs bootstrapping
 func remoteStateNeedsInit(ctx context.Context, l log.Logger, remoteState *remotestate.RemoteState, opts *options.TerragruntOptions) (bool, error) {
+	// If backend bootstrap is disabled, we don't need to initialize remote state
+	if !opts.BackendBootstrap {
+		return false, nil
+	}
 	// We only configure remote state for the commands that use the tfstate files. We do not configure it for
 	// commands such as "get" or "version".
 	if remoteState == nil || !util.ListContainsElement(TerraformCommandsThatUseState, opts.TerraformCliArgs.First()) {
@@ -806,15 +813,6 @@ func remoteStateNeedsInit(ctx context.Context, l log.Logger, remoteState *remote
 		return false, err
 	}
 
-	if !opts.BackendBootstrap {
-		ctx = log.ContextWithLogger(ctx, l)
-
-		strictControl := opts.StrictControls.Find(controls.RequireExplicitBootstrap)
-		if err := strictControl.Evaluate(ctx); err != nil {
-			return false, nil //nolint: nilerr
-		}
-	}
-
 	return true, nil
 }
 

docs-starlight/src/content/docs/01-getting-started/04-terminology.md

@@ -92,7 +92,7 @@ Terragrunt stores the current state of infrastructure in one or more OpenTofu/Te
 
 State is an extremely important concept in the context of OpenTofu/Terraform, and it's helpful to read the relevant documentation there to understand what Terragrunt does to it.
 
-Terragrunt has myriad capabilities that are designed to make working with state easier, including automatically provisioning state backend resources, managing unit interaction with external state, and segmenting state.
+Terragrunt has myriad capabilities that are designed to make working with state easier, including tooling to bootstrap state backend resources on demand, managing unit interaction with external state, and segmenting state.
 
 The most common way in which state is segmented in Terragrunt projects is to take advantage of filesystem directory structures. Most Terragrunt projects are configured to store state in remote backends like S3 with keys that correspond to the relative path to the unit directory within a project, relative to the root `terragrunt.hcl` file.
 

docs-starlight/src/content/docs/04-reference/03-strict-controls.mdx

@@ -114,10 +114,6 @@ Skipping dependency inputs is a performance optimization. For more details on pe
 
 **Reason**: Enabling the `skip-dependencies-inputs` option prevents the recursive parsing of Terragrunt inputs, leading to optimized performance during dependency resolution.
 
-### require-explicit-bootstrap
-
-Require explicit usage of `--backend-bootstrap` to automatically bootstrap backend resources.
-
 ### root-terragrunt-hcl
 
 Throw an error when users try to reference a root `terragrunt.hcl` file using `find_in_parent_folders`.
@@ -251,6 +247,14 @@ The following strict controls have been completed and are no longer needed:
 - [output-all](#output-all)
 - [validate-all](#validate-all)
 
+### require-explicit-bootstrap
+
+**Status**: Completed - Backend provisioning is no longer performed automatically by default.
+
+Terragrunt now requires explicit opt-in to bootstrap backend infrastructure. Use `terragrunt backend bootstrap` or pass `--backend-bootstrap` to a `run` command (e.g., `terragrunt run apply --backend-bootstrap`) to provision or update backend resources referenced by the [`remote_state`](/docs/reference/hcl/blocks/#remote_state) block.
+
+This strict control is no longer necessary because the default behavior already requires explicit bootstrapping.
+
 ### legacy-all
 
 **Status**: Completed - The legacy `*-all` commands have been removed from Terragrunt.

docs-starlight/src/content/docs/07-migrate/03-cli-redesign.md

@@ -65,63 +65,64 @@ You can find the new flag names in the [CLI reference](/docs/reference/cli/) (in
 
 Below is a comprehensive mapping of old CLI flag names to their modern counterparts:
 
-| Old Flag                                          | New Flag                               |
-| ------------------------------------------------- | -------------------------------------- |
-| `--terragrunt-check`                              | `--check`                              |
-| `--terragrunt-config`                             | `--config`                             |
-| `--terragrunt-debug`                              | `--inputs-debug`                       |
-| `--terragrunt-diff`                               | `--diff`                               |
-| `--terragrunt-disable-bucket-update`              | `--disable-bucket-update`              |
-| `--terragrunt-disable-command-validation`         | `--disable-command-validation`         |
-| `--terragrunt-download-dir`                       | `--download-dir`                       |
-| `--terragrunt-exclude-dir`                        | `--queue-exclude-dir`                  |
-| `--terragrunt-excludes-file`                      | `--queue-excludes-file`                |
-| `--terragrunt-fail-on-state-bucket-creation`      | `--backend-require-bootstrap`          |
-| `--terragrunt-fetch-dependency-output-from-state` | `--dependency-fetch-output-from-state` |
-| `--terragrunt-forward-tf-stdout`                  | `--tf-forward-stdout`                  |
-| `--terragrunt-hclfmt-exclude-dir`                 | `--exclude-dir`                        |
-| `--terragrunt-hclfmt-file`                        | `--file`                               |
-| `--terragrunt-hclfmt-stdin`                       | `--stdin`                              |
-| `--terragrunt-hclvalidate-json`                   | `--json`                               |
-| `--terragrunt-hclvalidate-show-config-path`       | `--show-config-path`                   |
-| `--terragrunt-iam-assume-role-duration`           | `--iam-assume-role-duration`           |
-| `--terragrunt-iam-role`                           | `--iam-assume-role`                    |
-| `--terragrunt-iam-web-identity-token`             | `--iam-assume-role-web-identity-token` |
-| `--terragrunt-ignore-dependency-errors`           | `--queue-ignore-errors`                |
-| `--terragrunt-ignore-dependency-order`            | `--queue-ignore-dag-order`             |
-| `--terragrunt-ignore-external-dependencies`       | `--queue-exclude-external`             |
-| `--terragrunt-include-dir`                        | `--queue-include-dir`                  |
-| `--terragrunt-include-external-dependencies`      | `--queue-include-external`             |
-| `--terragrunt-json-disable-dependent-modules`     | `--disable-dependent-modules`          |
-| `--terragrunt-json-out-dir`                       | `--json-out-dir`                       |
-| `--terragrunt-json-out`                           | `--out`                                |
-| `--terragrunt-log-custom-format`                  | `--log-custom-format`                  |
-| `--terragrunt-log-disable`                        | `--log-disable`                        |
-| `--terragrunt-log-format`                         | `--log-format`                         |
-| `--terragrunt-log-level`                          | `--log-level`                          |
-| `--terragrunt-log-show-abs-paths`                 | `--log-show-abs-paths`                 |
-| `--terragrunt-modules-that-include`               | `--units-that-include`                 |
-| `--terragrunt-no-auto-approve`                    | `--no-auto-approve`                    |
-| `--terragrunt-no-auto-init`                       | `--no-auto-init`                       |
-| `--terragrunt-no-auto-retry`                      | `--no-auto-retry`                      |
-| `--terragrunt-no-color`                           | `--no-color`                           |
-| `--terragrunt-no-destroy-dependencies-check`      | `--no-destroy-dependencies-check`      |
-| `--terragrunt-out-dir`                            | `--out-dir`                            |
-| `--terragrunt-parallelism`                        | `--parallelism`                        |
-| `--terragrunt-provider-cache-dir`                 | `--provider-cache-dir`                 |
-| `--terragrunt-provider-cache-hostname`            | `--provider-cache-hostname`            |
-| `--terragrunt-provider-cache-port`                | `--provider-cache-port`                |
-| `--terragrunt-provider-cache-registry-names`      | `--provider-cache-registry-names`      |
-| `--terragrunt-provider-cache-token`               | `--provider-cache-token`               |
-| `--terragrunt-provider-cache`                     | `--provider-cache`                     |
-| `--terragrunt-queue-include-units-reading`        | `--queue-include-units-reading`        |
-| `--terragrunt-source-map`                         | `--source-map`                         |
-| `--terragrunt-source-update`                      | `--source-update`                      |
-| `--terragrunt-source`                             | `--source`                             |
-| `--terragrunt-strict-include`                     | `--queue-strict-include`               |
-| `--terragrunt-strict-validate`                    | `--strict-validate`                    |
-| `--terragrunt-use-partial-parse-config-cache`     | `--use-partial-parse-config-cache`     |
-| `--terragrunt-working-dir`                        | `--working-dir`                        |
+| Old Flag                                          | New Flag                                                  |
+|---------------------------------------------------|-----------------------------------------------------------|
+| `--terragrunt-check`                              | `--check`                                                 |
+| `--terragrunt-config`                             | `--config`                                                |
+| `--terragrunt-debug`                              | `--inputs-debug`                                          |
+| `--terragrunt-diff`                               | `--diff`                                                  |
+| `--terragrunt-disable-bucket-update`              | `--disable-bucket-update`                                 |
+| `--terragrunt-disable-command-validation`         | `--disable-command-validation`                            |
+| `--terragrunt-download-dir`                       | `--download-dir`                                          |
+| `--terragrunt-exclude-dir`                        | `--queue-exclude-dir`                                     |
+| `--terragrunt-excludes-file`                      | `--queue-excludes-file`                                   |
+| `--terragrunt-fail-on-state-bucket-creation`      | removed (no equivalent; backend provisioning is explicit) |
+| `--terragrunt-fetch-dependency-output-from-state` | `--dependency-fetch-output-from-state`                    |
+| `--terragrunt-forward-tf-stdout`                  | `--tf-forward-stdout`                                     |
+| `--terragrunt-hclfmt-exclude-dir`                 | `--exclude-dir`                                           |
+| `--terragrunt-hclfmt-file`                        | `--file`                                                  |
+| `--terragrunt-hclfmt-stdin`                       | `--stdin`                                                 |
+| `--terragrunt-hclvalidate-json`                   | `--json`                                                  |
+| `--terragrunt-hclvalidate-show-config-path`       | `--show-config-path`                                      |
+| `--terragrunt-iam-assume-role-duration`           | `--iam-assume-role-duration`                              |
+| `--terragrunt-iam-role`                           | `--iam-assume-role`                                       |
+| `--terragrunt-iam-web-identity-token`             | `--iam-assume-role-web-identity-token`                    |
+| `--terragrunt-ignore-dependency-errors`           | `--queue-ignore-errors`                                   |
+| `--terragrunt-ignore-dependency-order`            | `--queue-ignore-dag-order`                                |
+| `--terragrunt-ignore-external-dependencies`       | `--queue-exclude-external`                                |
+| `--terragrunt-include-dir`                        | `--queue-include-dir`                                     |
+| `--terragrunt-include-external-dependencies`      | `--queue-include-external`                                |
+| `--terragrunt-json-disable-dependent-modules`     | `--disable-dependent-modules`                             |
+| `--terragrunt-json-out-dir`                       | `--json-out-dir`                                          |
+| `--terragrunt-json-out`                           | `--out`                                                   |
+| `--terragrunt-log-custom-format`                  | `--log-custom-format`                                     |
+| `--terragrunt-log-disable`                        | `--log-disable`                                           |
+| `--terragrunt-log-format`                         | `--log-format`                                            |
+| `--terragrunt-log-level`                          | `--log-level`                                             |
+| `--terragrunt-log-show-abs-paths`                 | `--log-show-abs-paths`                                    |
+| `--terragrunt-modules-that-include`               | `--units-that-include`                                    |
+| `--terragrunt-no-auto-approve`                    | `--no-auto-approve`                                       |
+| `--terragrunt-no-auto-init`                       | `--no-auto-init`                                          |
+| `--terragrunt-no-auto-retry`                      | `--no-auto-retry`                                         |
+| `--terragrunt-no-color`                           | `--no-color`                                              |
+| `--terragrunt-no-destroy-dependencies-check`      | `--no-destroy-dependencies-check`                         |
+| `--terragrunt-out-dir`                            | `--out-dir`                                               |
+| `--terragrunt-parallelism`                        | `--parallelism`                                           |
+| `--terragrunt-provider-cache-dir`                 | `--provider-cache-dir`                                    |
+| `--terragrunt-provider-cache-hostname`            | `--provider-cache-hostname`                               |
+| `--terragrunt-provider-cache-port`                | `--provider-cache-port`                                   |
+| `--terragrunt-provider-cache-registry-names`      | `--provider-cache-registry-names`                         |
+| `--terragrunt-provider-cache-token`               | `--provider-cache-token`                                  |
+| `--terragrunt-provider-cache`                     | `--provider-cache`                                        |
+| `--terragrunt-queue-include-units-reading`        | `--queue-include-units-reading`                           |
+| `--terragrunt-source-map`                         | `--source-map`                                            |
+| `--terragrunt-source-update`                      | `--source-update`                                         |
+| `--terragrunt-source`                             | `--source`                                                |
+| `--terragrunt-strict-include`                     | `--queue-strict-include`                                  |
+| `--terragrunt-strict-validate`                    | `--strict-validate`                                       |
+| `--terragrunt-use-partial-parse-config-cache`     | `--use-partial-parse-config-cache`                        |
+| `--terragrunt-working-dir`                        | `--working-dir`                                           |
+| `--terragrunt-non-interactive`                    | `--non-interactive`                                       |
 
 ### Update environment variables
 

docs-starlight/src/data/commands/run.mdx

@@ -25,7 +25,6 @@ examples:
 flags:
   - all
   - auth-provider-cmd
-  - backend-require-bootstrap
   - config
   - dependency-fetch-output-from-state
   - disable-bucket-update

docs-starlight/src/data/flags/backend-require-bootstrap.mdx

@@ -80,6 +80,7 @@ func New() strict.Controls {
 		Error:       errors.Errorf("Bootstrap backend for remote state by default is no longer supported. Use `--backend-bootstrap` flag instead."),
 		Warning:     "Bootstrapping backend resources by default is deprecated functionality, and will not be the default behavior in a future version of Terragrunt. Use the explicit `--backend-bootstrap` flag to automatically provision backend resources before they're needed.",
 		Category:    stageCategory,
+		Status:      strict.CompletedStatus,
 	}
 
 	controls := strict.Controls{

internal/strict/controls/controls.go

@@ -27,6 +27,9 @@ var terraformErrorsMatcher = map[string]string{
 	"(?s).*NoCredentialProviders(?s).*":                                                   "Missing AWS credentials. Provide credentials to proceed.",
 	"(?s).*client: no valid credential sources(?s).*":                                     "Missing AWS credentials. Provide credentials to proceed.",
 	"(?s).*exec: \"(tofu|terraform)\": executable file not found(?s).*":                   "The executables 'terraform' and 'tofu' are missing from your $PATH. Please add at least one of these to your $PATH.",
+	"(?s).*bucket must have been previously created.*":                                    "Remote state bucket not found, create it manually or rerun with --backend-bootstrap to provision automatically.",
+	"(?s).*specified bucket does not exist.*":                                             "Remote state bucket not found, create it manually or rerun with --backend-bootstrap to provision automatically.",
+	"(?s).*S3 bucket does not exist.*":                                                    "Remote state bucket not found, create it manually or rerun with --backend-bootstrap to provision automatically.",
 }
 
 // ExplainError will try to explain the error to the user, if we know how to do so.