Manual Test Runbook — F7: Terragrunt Live-Infra Reference

Owner: Sagar  |  Time: ~5 min (Parts A+B offline) · +30–60 min (optional Part C live)  |  Cloud: Part C only · ~$5–15

Promotes F7 (live/) from 🟦 Code Complete → 🟩 Shipped. Parts A + B are 100% offline (structural gate + terragrunt HCL validate). Part C is an optional live run-all plan/apply against the sandbox subscription.


Prerequisites

  • Local tooling: bash, python3
  • (Part B) terragrunt ≥ 0.55 + terraform ≥ 1.6 installed
  • (Part C) az login to the sandbox subscription; Contributor + Storage Blob Data Owner
  • Working directory: repo root

Steps

Part A — structural gate (offline, ~3 min)

  1. bash live/validate.sh

Expected: ==> OK: all F7 structural assertions passed. It proves: root.hcl + all four _envcommon templates exist; every env has env.hcl; every region has region.hcl; every unit includes root + an _envcommon template; the bootstrap unit is standalone (no root.hcl include — chicken-and-egg); and generated/state files are gitignored.
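
A minimal sketch of the kind of structural gate Part A describes, added here as an illustration; it is not the repo's live/validate.sh. It assumes units sit at live/<env>/<region>/<unit>/terragrunt.hcl, that the root include is written as path = find_in_parent_folders("root.hcl"), that templates are referenced as _envcommon/<name>.hcl, and that live/.gitignore carries the ignore patterns. The function name check_live_tree is hypothetical.

```python
import re
from pathlib import Path

# Text-level matching, not HCL parsing. Both patterns are assumed conventions:
# a root include written as `path = find_in_parent_folders("root.hcl")` and
# templates referenced by a path containing `_envcommon/<name>.hcl`.
INCLUDE_ROOT = re.compile(r'path\s*=\s*find_in_parent_folders\(\s*"root\.hcl"\s*\)')
ENVCOMMON_REF = re.compile(r'_envcommon/([\w.-]+\.hcl)')
REQUIRED_IGNORES = (".terragrunt-cache", "*.tfstate")  # assumed ignore patterns


def check_live_tree(live: Path) -> list:
    """Return structural violations for a live/ tree; an empty list means pass."""
    errors = set()
    if not (live / "root.hcl").is_file():
        errors.add("root.hcl: missing")
    ignore = live / ".gitignore"  # assumed location of the ignore file
    ignored = ignore.read_text().split() if ignore.is_file() else []
    errors.update(f".gitignore: no entry covering {p}"
                  for p in REQUIRED_IGNORES if not any(p in e for e in ignored))
    for unit in live.rglob("terragrunt.hcl"):
        rel = unit.relative_to(live)
        if ".terragrunt-cache" in rel.parts:
            continue  # generated copies, not source units
        text = unit.read_text()
        if rel.parts[0] == "bootstrap":
            # The bootstrap unit creates the state backend that root.hcl
            # configures, so including root.hcl here would be circular.
            if INCLUDE_ROOT.search(text):
                errors.add(f"{rel}: bootstrap unit must not include root.hcl")
            continue
        if len(rel.parts) != 4:  # assumed: <env>/<region>/<unit>/terragrunt.hcl
            errors.add(f"{rel}: not at <env>/<region>/<unit>/ depth")
            continue
        env, region = rel.parts[0], rel.parts[1]
        if not (live / env / "env.hcl").is_file():
            errors.add(f"{env}/env.hcl: missing")
        if not (live / env / region / "region.hcl").is_file():
            errors.add(f"{env}/{region}/region.hcl: missing")
        if not INCLUDE_ROOT.search(text):
            errors.add(f"{rel}: does not include root.hcl")
        ref = ENVCOMMON_REF.search(text)
        if ref is None:
            errors.add(f"{rel}: does not include an _envcommon template")
        elif not (live / "_envcommon" / ref.group(1)).is_file():
            errors.add(f"{rel}: template _envcommon/{ref.group(1)} missing")
    return sorted(errors)
```

Called as check_live_tree(Path("live")) from the repo root, it returns one message per violated assertion, so a CI wrapper can print the list and exit non-zero when it is not empty.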

Part B — terragrunt HCL validate (offline, ~2 min)

  1. With terragrunt installed, live/validate.sh Part B runs automatically. Or directly:

     cd live
     terragrunt hcl validate            # HCL syntax across the tree, no module download
     terragrunt hclfmt --check          # formatting

Expected: validate clean; hclfmt reports no changes. (HCL validate is offline — it does not fetch the modules.)

Part C — live run-all against the sandbox (optional, ~30–60 min, ~$5–15)

Point sandbox/env.hcl at the real sandbox subscription/tenant first, and bootstrap the state account once.

  1. Bootstrap the state backend (once):

     cd live/bootstrap/eastus/state-backend && terragrunt apply && cd -

  2. Plan the sandbox region (dependency-ordered, mocks let it run pre-apply):

     terragrunt run-all plan --working-dir live/sandbox/eastus

     Expected: baseline plans first; network-hub consumes its log_analytics_workspace_id (mocked until baseline applies). No cycle errors.

  3. (Optional, costs apply) terragrunt run-all apply --working-dir live/sandbox/eastus, confirm resources land with derived <client>-sandbox-eastus-* names, then terragrunt run-all destroy --working-dir live/sandbox/eastus to tear down.

Sign-Off

Field                            |  Value
Part A (structural gate)         |  ☐ PASS
Part B (terragrunt hcl validate) |  ☐ PASS / ☐ skipped (no terragrunt)
Part C (live run-all)            |  ☐ PASS / ☐ skipped
Tester                           |
Date                             |
Result                           |  ☐ PASS