gruntwork-io · ThisGuyCodes · Nov 3, 2025 · Oct 30, 2025 · Oct 31, 2025 · Oct 31, 2025
@@ -6,7 +6,7 @@ env:
   - TG_INPUTS
 ---
 
-When enabled, Terragrunt will validate that all variables are set by the module a unit provisions.
+When enabled, Terragrunt will validate that all variables a module (provisioned by a unit) requires are set.
 
 Example:
 

@@ -0,0 +1,8 @@
+locals {
+  variable_source = "github.com/foo/bar"
+}
+
+module "module" {
+  source  = local.variable_source
+  version = "0.0.0"
+}
@@ -0,0 +1,8 @@
+locals {
+  variable_version = "0.0.0"
+}
+
+module "module" {
+  source  = "github.com/foo/bar"
+  version = local.variable_version
+}
@@ -614,6 +614,47 @@ func TestTerragruntExcludesFile(t *testing.T) {
 	}
 }
 
+func TestHclvalidateValidConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("using --all", func(t *testing.T) {
+		t.Parallel()
+		helpers.CleanupTerraformFolder(t, testFixtureHclvalidate)
+		tmpEnvPath := helpers.CopyEnvironment(t, testFixtureHclvalidate)
+		rootPath := util.JoinPath(tmpEnvPath, testFixtureHclvalidate)
+
+		_, _, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt hcl validate --all --strict --inputs --working-dir "+path.Join(rootPath, "valid"))
+		require.NoError(t, err)
+	})
+
+	t.Run("each validate individually", func(t *testing.T) {
+		t.Parallel()
+
+		helpers.CleanupTerraformFolder(t, testFixtureHclvalidate)
+		tmpEnvPath := helpers.CopyEnvironment(t, testFixtureHclvalidate)
+		rootPath := util.JoinPath(tmpEnvPath, testFixtureHclvalidate, "valid")
+
+		// Test each subdirectory individually
+		entries, err := os.ReadDir(rootPath)
+		require.NoError(t, err)
+
+		for _, entry := range entries {
+			if !entry.IsDir() {
+				continue
+			}
+
+			subPath := filepath.Join(rootPath, entry.Name())
+
+			t.Run(entry.Name(), func(t *testing.T) {
+				t.Parallel()
+
+				_, _, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt hcl validate --strict --inputs --working-dir "+subPath)
+				require.NoError(t, err)
+			})
+		}
+	})
+}
+
 func TestHclvalidateDiagnostic(t *testing.T) {
 	t.Parallel()
 

@@ -1,6 +1,8 @@
 package tf
 
 import (
+	"slices"
+
 	"github.com/gruntwork-io/terragrunt/internal/errors"
 	"github.com/hashicorp/terraform-config-inspect/tfconfig"
 )
@@ -127,10 +129,35 @@ var (
 	}
 )
 
+// diagnosticDoesNotAffectModuleVariables tells you if a diagnostic can be ignored for the purpose of extracting
+// variables defined in a module.
+func diagnosticDoesNotAffectModuleVariables(d tfconfig.Diagnostic) bool {
+	ignorableErrors := []tfconfig.Diagnostic{
+		// These two occur when a module block uses a variable in the `version` or `source` fields.
+		// Terraform doesn't support this, but OpenTofu does. Either way our ability to extract variables is unaffected.
+		//
+		// What we really need is an OpenTofu version of terraform-config-inspect. This may work for now but as / if
+		// syntax continues to diverge we may run into other issues.
+		{Summary: "Variables not allowed", Detail: "Variables may not be used here."},
+		{Summary: "Unsuitable value type", Detail: "Unsuitable value: value must be known"},
+	}
+	if d.Severity != tfconfig.DiagError {
+		return true
+	}
+
+	i := slices.IndexFunc(ignorableErrors, func(ie tfconfig.Diagnostic) bool {
+		return ie.Summary == d.Summary && ie.Detail == d.Detail
+	})
+
+	return i != -1
+}
+
 // ModuleVariables will return all the variables defined in the downloaded terraform modules, taking into
 // account all the generated sources. This function will return the required and optional variables separately.
 func ModuleVariables(modulePath string) ([]string, []string, error) {
 	module, diags := tfconfig.LoadModule(modulePath)
+
+	diags = slices.DeleteFunc(diags, diagnosticDoesNotAffectModuleVariables)
 	if diags.HasErrors() {
 		return nil, nil, errors.New(diags)
 	}