docs/src/content/docs/03-features/07-caching/04-cas.mdx
import FileTree from '@components/vendored/starlight/FileTree.astro'; import { Aside } from '@astrojs/starlight/components'; import Since from '@components/Since.astro'; import Before from '@components/Before.astro';
Terragrunt supports a Content Addressable Store (CAS) to deduplicate content across multiple Terragrunt configurations. This feature is still experimental and not recommended for general production usage.
The CAS is used to speed up catalog cloning, OpenTofu/Terraform source cloning, and stack generation by avoiding redundant downloads of Git repositories.
To use the CAS, you will need to enable the cas experiment.
<Since version="1.0.3"> You can disable the CAS at any time using the `--no-cas` flag, even when the experiment is enabled. This flag is available on the [`run`](/reference/cli/commands/run), [`stack generate`](/reference/cli/commands/stack/generate), and [`stack run`](/reference/cli/commands/stack/run) commands. </Since>When you enable the cas experiment, Terragrunt will automatically use the CAS when cloning any compatible source (Git repositories).
# root.hcl
catalog {
urls = [
"[email protected]:acme/modules.git"
]
}
# terragrunt.hcl
terraform {
source = "[email protected]:acme/infrastructure-modules.git//vpc?ref=v1.0.0"
}
ref= also accepts commit SHAs (full or abbreviated), not only branch and tag names.
terraform {
source = "[email protected]:acme/infrastructure-modules.git//vpc?ref=a1b2c3d4e5f67890abcdef1234567890deadbeef"
}
The first cold clone of a repository pinned to a commit SHA fetches the full history of every branch. Shallow fetches require a ref name, and fetching a commit SHA at limited depth depends on a server option (uploadpack.allowAnySHA1InWant) that is not universally enabled, so CAS fetches all branches at full depth and resolves the SHA locally. Subsequent clones reuse the cached repository and never touch the network for the same commit.
When authoring stacks in a catalog, you can use the update_source_with_cas attribute to allow relative paths in source attributes. This removes the need to plumb remote Git URLs through values expressions.
# stacks/my-stack/terragrunt.stack.hcl (in your catalog repository)
unit "service" {
source = "../..//units/my-service"
update_source_with_cas = true
path = "service"
}
The referenced unit can also use relative paths:
# units/my-service/terragrunt.hcl (in your catalog repository)
terraform {
source = "../..//modules/my-module"
update_source_with_cas = true
}
During stack generation, Terragrunt rewrites these relative sources to cas:: references that point to content stored in the CAS. The repository is cloned once, and subsequent stack generations resolve content from the local store without network access. Generated .terragrunt-stack files contain deterministic CAS references instead of version variables, so they do not produce diffs on regeneration.
The catalog source can be either a remote Git URL or a local filesystem path (absolute, or relative to the current working directory). Local sources are copied into a temporary directory before rewriting, so the original catalog directory is never modified. This makes the same catalog layout usable against a published Git ref or a local checkout, which is useful when iterating on a catalog before tagging a release.
For more details on using this with stacks, see Explicit Stacks: CAS Integration.
<Aside type="caution"> Setting `update_source_with_cas = true` requires that the `cas` experiment is enabled and that `--no-cas` is not set. Terragrunt errors out otherwise, since the relative source must be updated to a synthetic tree stored in the CAS. </Aside> </Since>When Terragrunt clones a repository while using the CAS, if the repository is not found in the CAS, Terragrunt fetches into the central bare repository for that remote URL and stores the resulting blobs and trees in the CAS for future use. If the central store is unavailable, Terragrunt falls back to cloning the repository from the original URL into a temporary directory.
When generating a repository from the CAS, Terragrunt will hard link entries from the CAS to the new repository. This allows Terragrunt to deduplicate content across multiple repositories.
In the event that hard linking fails due to some operating system / host incompatibility with hard links, Terragrunt will fall back to performing copies of the content from the CAS.
The CAS lives under the platform user cache directory:
| Platform | Path |
|---|---|
| Linux | $XDG_CACHE_HOME/terragrunt/cas, falling back to ~/.cache/terragrunt/cas |
| macOS | ~/Library/Caches/terragrunt/cas |
| Windows | %LocalAppData%\terragrunt\cas |
This directory can be deleted to reclaim disk space when no Terragrunt processes are running against it. Terragrunt will regenerate the CAS on the next run. Avoid deleting it while a Terragrunt operation is in progress, since that can race with in-flight reads, writes, and locks in the store.
Avoid partial deletions of the CAS directory without care, as that might result in partially cloned repositories and unexpected behavior.
Terragrunt's CAS uses a content-addressable storage model to deduplicate repository content from Git clones to save disk space and improve performance. Each Git object is identified by its hash, allowing identical content to be shared across multiple cloned repositories and repeated clones.
ab/abc123...)
</Before>
ab/abc123...)Each content object is stored at {hash[:2]}/{hash}, where the first two characters create a partition directory. This prevents having thousands of files in a single directory, which can degrade file system performance.
</Before>
The blobs/ directory stores all file content, identified by hash. Blobs are purely content-addressed, so the same file content always maps to the same hash regardless of origin. The trees/ directory stores Git-derived tree structures that describe the layout of files in a repository. The synth/trees/ directory stores synthetic tree structures created during CAS-backed stack generation when update_source_with_cas is used. These synthetic trees use a deterministic hash based on the Git reference and path within the repository. The git/ directory holds one bare Git repository per remote URL, keyed by a hash of the URL, so cache misses can fetch only the new objects instead of re-cloning the repository.
Each content object within a namespace is stored at {hash[:2]}/{hash}, where the first two characters create a partition directory to avoid degraded file system performance from large flat directories.
</Since>
When Terragrunt needs to clone a repository using the CAS it does the following, depending on whether the content is already in the CAS or not:
For cold clones, where the content is not already in the CAS:
git ls-remote. ls-remote lists named refs only and cannot fetch or resolve commit SHAs, so SHA refs are passed through to Step 3 for resolution against the central Git store.cas/store/git/ (initializing it on first use), takes a per-URL lock, and fetches the requested ref. Branch and tag refs use a shallow fetch. SHA refs use a full-history fetch covering every branch and tag so the SHA can be resolved against the local store. Subsequent misses against the same URL reuse the existing pack files and only transfer new objects.Concurrent units that target the same remote URL share one fetch instead of cloning in parallel, so the objects are typically transferred once and reused. If the shared fetch hangs or fails, Terragrunt logs a warning and falls back to a clone in a temporary directory.
For warm clones, where the content is already in the CAS:
direction: down
# Source
git_repo: "Git Repository\n\[email protected]:acme/modules.git?ref=v1.0.0" {
shape: cylinder
}
# Decision Point
check_cas: "In CAS?\n\nhash = 123abc..." {
shape: diamond
}
# First Clone Path (Content Not in CAS)
clone_store: "Clone & Store\n(git clone → extract → store)" {
shape: rectangle
}
# Subsequent Clone Path (Content Already in CAS)
read_cas: "Read from CAS\n\n123abc..." {
shape: rectangle
}
# Link Step
link_step: "Link to Targets\n\nblob abc123... main.tf\nblob cd7890... variables.tf" {
shape: rectangle
}
# Linked Targets
linked_target1: "Linked Target\n\n.terragrunt-cache/.../main.tf -->\n~/.cache/terragrunt/cas/store/ab/abc123..." {
shape: rectangle
}
linked_target2: "Linked Target\n\n.terragrunt-cache/.../variables.tf -->\n~/.cache/terragrunt/cas/store/cd/cd7890..." {
shape: rectangle
}
# Flow
git_repo -> check_cas
check_cas -> clone_store
check_cas -> read_cas
clone_store -> read_cas
read_cas -> link_step
link_step -> linked_target1
link_step -> linked_target2
CAS achieves deduplication through hard links, which allows multiple files to use the same physical space on disk, avoiding duplicated content in repositories cloned by Terragrunt.
CAS provides significant performance improvements: