It would seem that when running terragrunt scaffold (through terragrunt catalog) boilerplate hooks and shell scripts are disabled. That is, it seems the following flags are added to the boilerplate call:
--disable-hooks
--disable-shell
This doesn't seem to be documented anywhere, which would be the first suggestion for enhancement. The second suggestion would be to let the user override these in the catalog config.
I understand the reasoning for disabling both hooks and shells, as they can introduce security concerns when run against third-party Terraform modules. If the end user has control over the catalog config, however, and if they also have control over all the configured Terraform module repos in the catalog config, it would seem to me that the user should be able to make the call on whether or not to allow boilerplate to execute scripts.
Scripts can significantly extend the possibilities of what can be achieved with boilerplate. As long as safe defaults are set, the trade-off of security versus functionality should lie with the end user.
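An added example, not part of the original issue and not Terragrunt's or boilerplate's own code: a Python check a catalog owner could run over a template folder to list the hook commands and shell helper calls that `--disable-hooks` and `--disable-shell` keep from running. It assumes boilerplate's `boilerplate.yml` layout (a top-level `hooks:` key with `command:` entries) and the `{{ shell ... }}` template helper; the sample files and the name `audit_template` are constructed for illustration.

```python
import re

# `command:` entries under the top-level `hooks:` key (assumed layout).
HOOK_CMD = re.compile(r"^\s*-?\s*command:\s*(.+?)\s*$")
# `{{ shell "cmd" ... }}` helper calls, with optional trim markers.
SHELL_CALL = re.compile(r"\{\{-?\s*shell\s+([^}]*?)\s*-?\}\}")

def audit_template(files):
    """Return (path, line_no, kind, detail) for each hook command or shell
    helper call in a template folder given as {relative_path: text}."""
    findings = []
    for path, text in sorted(files.items()):
        is_config = path.rsplit("/", 1)[-1] == "boilerplate.yml"
        in_hooks = False
        for no, line in enumerate(text.splitlines(), 1):
            if is_config:
                if re.match(r"^hooks:\s*$", line):
                    in_hooks = True
                elif in_hooks and re.match(r"^[^\s#]", line):
                    in_hooks = False  # next top-level key ends the block
                elif in_hooks:
                    m = HOOK_CMD.match(line)
                    if m:
                        findings.append((path, no, "hook", m.group(1)))
            # Shell helper calls can appear in any templated file.
            for m in SHELL_CALL.finditer(line):
                findings.append((path, no, "shell", m.group(1)))
    return findings

# Constructed sample template folder (not taken from any real module repo).
SAMPLE = {
    "boilerplate.yml": (
        "variables:\n"
        "  - name: ModuleName\n"
        "hooks:\n"
        "  after:\n"
        "    - command: terraform\n"
        "      args:\n"
        "        - fmt\n"
        "dependencies: []\n"
    ),
    "main.tf": 'locals {\n  commit = "{{ shell "git" "rev-parse" "HEAD" }}"\n}\n',
    "README.md": "# {{ .ModuleName }}\n",
}

if __name__ == "__main__":
    for path, no, kind, detail in audit_template(SAMPLE):
        print(f"{path}:{no}: {kind}: {detail}")
```

An empty result for every template in the catalog means the two flags change nothing for those modules; any finding is a command that would run on the user's machine if the flags were made overridable.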