fix: Adding support for no-shell and no-hooks

Author: yhakbar

cli/commands/catalog/cli.go

@@ -18,6 +18,8 @@ func NewFlags(opts *options.TerragruntOptions, prefix flags.Prefix) cli.Flags {
 	return scaffold.NewFlags(opts, prefix).Filter(
 		scaffold.RootFileNameFlagName,
 		scaffold.NoIncludeRootFlagName,
+		scaffold.NoShellFlagName,
+		scaffold.NoHooksFlagName,
 	)
 }
 

cli/commands/scaffold/cli.go

@@ -24,6 +24,8 @@ const (
 	VarFlagName           = "var"
 	VarFileFlagName       = "var-file"
 	NoDependencyPrompt    = "no-dependency-prompt"
+	NoShellFlagName       = "no-shell"
+	NoHooksFlagName       = "no-hooks"
 )
 
 func NewFlags(opts *options.TerragruntOptions, prefix flags.Prefix) cli.Flags {
@@ -87,6 +89,20 @@ func NewFlags(opts *options.TerragruntOptions, prefix flags.Prefix) cli.Flags {
 			Destination: &opts.NoDependencyPrompt,
 			Usage:       "Do not prompt for confirmation to include dependencies.",
 		}),
+
+		flags.NewFlag(&cli.BoolFlag{
+			Name:        NoShellFlagName,
+			EnvVars:     tgPrefix.EnvVars(NoShellFlagName),
+			Destination: &opts.NoShell,
+			Usage:       "Disable shell commands when using boilerplate templates.",
+		}),
+
+		flags.NewFlag(&cli.BoolFlag{
+			Name:        NoHooksFlagName,
+			EnvVars:     tgPrefix.EnvVars(NoHooksFlagName),
+			Destination: &opts.NoHooks,
+			Usage:       "Disable hooks when using boilerplate templates.",
+		}),
 	}
 }
 

cli/commands/scaffold/scaffold.go

@@ -107,6 +107,9 @@ const (
 )
 
 func Run(ctx context.Context, l log.Logger, opts *options.TerragruntOptions, moduleURL, templateURL string) error {
+	// Apply catalog configuration settings, with CLI flags taking precedence
+	applyCatalogConfigToScaffold(ctx, l, opts)
+
 	// download remote repo to local
 	var dirsToClean []string
 	// clean all temp dirs
@@ -201,8 +204,8 @@ func Run(ctx context.Context, l log.Logger, opts *options.TerragruntOptions, mod
 		OnMissingKey:            boilerplate_options.DefaultMissingKeyAction,
 		OnMissingConfig:         boilerplate_options.DefaultMissingConfigAction,
 		Vars:                    vars,
-		NoShell:                 true,
-		NoHooks:                 true,
+		NoShell:                 opts.NoShell,
+		NoHooks:                 opts.NoHooks,
 		NonInteractive:          opts.NonInteractive,
 		DisableDependencyPrompt: opts.NoDependencyPrompt,
 		TemplateFolder:          boilerplateDir,
@@ -224,6 +227,36 @@ func Run(ctx context.Context, l log.Logger, opts *options.TerragruntOptions, mod
 	return nil
 }
 
+// applyCatalogConfigToScaffold applies catalog configuration settings to scaffold options.
+// CLI flags take precedence over config file settings.
+func applyCatalogConfigToScaffold(ctx context.Context, l log.Logger, opts *options.TerragruntOptions) {
+	catalogCfg, err := config.ReadCatalogConfig(ctx, l, opts)
+	if err != nil {
+		// Don't fail if catalog config can't be read - it's optional
+		l.Debugf("Could not read catalog config for scaffold: %v", err)
+		return
+	}
+
+	if catalogCfg == nil {
+		return
+	}
+
+	// Apply config settings only if CLI flags weren't explicitly set
+	// Since both NoShell and NoHooks default to false, we apply the config value
+	// only if it's true (enabling the restriction)
+	if catalogCfg.NoShell != nil && *catalogCfg.NoShell && !opts.NoShell {
+		l.Debugf("Applying catalog config: no_shell = true")
+
+		opts.NoShell = true
+	}
+
+	if catalogCfg.NoHooks != nil && *catalogCfg.NoHooks && !opts.NoHooks {
+		l.Debugf("Applying catalog config: no_hooks = true")
+
+		opts.NoHooks = true
+	}
+}
+
 // generateDefaultTemplate - write default template to provided dir
 func generateDefaultTemplate(boilerplateDir string) (string, error) {
 	const ownerWriteGlobalReadPerms = 0644

cli/commands/scaffold/scaffold_test.go

@@ -67,8 +67,8 @@ func TestDefaultTemplateVariables(t *testing.T) {
 		OnMissingKey:            boilerplateoptions.DefaultMissingKeyAction,
 		OnMissingConfig:         boilerplateoptions.DefaultMissingConfigAction,
 		Vars:                    vars,
-		DisableShell:            true,
-		DisableHooks:            true,
+		NoShell:                 true,
+		NoHooks:                 true,
 		NonInteractive:          true,
 		DisableDependencyPrompt: false,
 		TemplateFolder:          templateDir,

config/catalog.go

@@ -39,12 +39,14 @@ var (
 )
 
 type CatalogConfig struct {
+	NoShell         *bool    `hcl:"no_shell,optional" cty:"no_shell"`
+	NoHooks         *bool    `hcl:"no_hooks,optional" cty:"no_hooks"`
 	DefaultTemplate string   `hcl:"default_template,optional" cty:"default_template"`
 	URLs            []string `hcl:"urls,attr" cty:"urls"`
 }
 
 func (cfg *CatalogConfig) String() string {
-	return fmt.Sprintf("Catalog{URLs = %v, DefaultTemplate = %v}", cfg.URLs, cfg.DefaultTemplate)
+	return fmt.Sprintf("Catalog{URLs = %v, DefaultTemplate = %v, NoShell = %v, NoHooks = %v}", cfg.URLs, cfg.DefaultTemplate, cfg.NoShell, cfg.NoHooks)
 }
 
 func (cfg *CatalogConfig) normalize(configPath string) {

config/config.go

@@ -578,6 +578,14 @@ func (cfg *TerragruntConfig) WriteTo(w io.Writer) (int64, error) {
 			catalogBody.SetAttributeValue("urls", catalogAsCty.GetAttr("urls"))
 		}
 
+		if cfg.Catalog.NoShell != nil {
+			catalogBody.SetAttributeValue("no_shell", catalogAsCty.GetAttr("no_shell"))
+		}
+
+		if cfg.Catalog.NoHooks != nil {
+			catalogBody.SetAttributeValue("no_hooks", catalogAsCty.GetAttr("no_hooks"))
+		}
+
 		rootBody.AppendBlock(catalogBlock)
 	}
 

…c/content/docs/03-features/06-catalog.md …/content/docs/03-features/06-catalog.mdxdocs-starlight/src/content/docs/03-features/06-catalog.md renamed to docs-starlight/src/content/docs/03-features/06-catalog.mdx docs-starlight/src/content/docs/03-features/06-catalog.md renamed to docs-starlight/src/content/docs/03-features/06-catalog.mdx

@@ -6,6 +6,8 @@ sidebar:
   order: 6
 ---
 
+import { Aside } from '@astrojs/starlight/components';
+
 Launch the user interface for searching and managing your module catalog.
 
 ```bash
@@ -31,6 +33,8 @@ catalog {
     "github.com/gruntwork-io/terraform-aws-lambda", # url to remote repository
     "http://github.com/gruntwork-io/terraform-aws-lambda", # same as above
   ]
+  no_shell = true  # Optional: disable shell commands in boilerplate templates for security
+  no_hooks = true  # Optional: disable hooks in boilerplate templates for security
 }
 ```
 
@@ -41,6 +45,30 @@ This will recursively search for OpenTofu/Terraform modules in the root of the r
 1. See the docs for a selected module: `ENTER`.
 1. Use [`terragrunt scaffold`](/docs/features/scaffold/) to render a `terragrunt.hcl` for using the module: `S`.
 
+## Security Configuration
+
+The `catalog` block supports security-related configuration options:
+
+- `no_shell` (bool): When set to `true`, disables shell command execution in boilerplate templates during scaffolding. This is useful for organizations that want to prevent the use of shell commands in templates for security reasons.
+- `no_hooks` (bool): When set to `true`, disables hook execution in boilerplate templates during scaffolding. This is useful for organizations that want to prevent the use of hooks in templates for security reasons.
+
+<Aside type="caution">
+
+Do not use catalog/scaffold to scaffold untrusted templates. IaC configurations are inherently powerful, as they
+can run arbitrary code on your system, so make sure to only use trusted templates you have reviewed and approved.
+
+</Aside>
+
+These configuration values can be overridden by their corresponding CLI flags:
+
+```bash
+terragrunt catalog --no-shell --no-hooks
+
+terragrunt scaffold module-url --no-shell
+```
+
+**Priority order**: CLI flags > catalog configuration > defaults (both default to `false`, allowing `shell` and `hooks` to be used by default)
+
 ## Custom templates for scaffolding
 
 Terragrunt has a basic template built-in for rendering `terragrunt.hcl` files, but you can provide your own templates to customize how code is generated! Scaffolding is done via [boilerplate](https://github.com/gruntwork-io/boilerplate), and Terragrunt allows you to specify custom boilerplate templates via two mechanisms while using catalog:

docs-starlight/src/data/commands/catalog.mdx

@@ -17,6 +17,8 @@ examples:
 flags:
   - catalog-no-include-root
   - catalog-root-file-name
+  - catalog-no-shell
+  - catalog-no-hooks
 ---
 
 ```bash

docs-starlight/src/data/commands/scaffold.mdx

@@ -12,6 +12,8 @@ flags:
   - scaffold-root-file-name
   - scaffold-var
   - scaffold-var-file
+  - scaffold-no-shell
+  - scaffold-no-hooks
 examples:
   - description: Scaffold a standard MySQL database module as a new unit.
     code: |

docs-starlight/src/data/flags/catalog-no-hooks.mdx

@@ -0,0 +1,17 @@
+---
+name: no-hooks
+description: "Disable hooks when using boilerplate templates in the catalog."
+type: bool
+env:
+  - TG_NO_HOOKS
+---
+
+When enabled, Terragrunt will disable hooks when processing boilerplate templates during catalog operations.
+
+This is useful for security reasons when you want to prevent templates from executing arbitrary hooks on your system.
+
+Examples:
+
+```bash
+terragrunt catalog --no-hooks
+```