DEV-1338 Add Updating Terragrunt Scale Plan and Apply Roles

[Resonance1584]

Summary by CodeRabbit

• Documentation
  • Added a comprehensive guide for managing Plan and Apply roles with AWS and Azure step-by-step examples
  • Improved deployment tutorial shell examples to ensure correct path handling
  • Updated site navigation to include the new guide
• Bug Fixes
  • Prevented incorrect private-repo warnings for the catalog repository when following documentation links

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 8, 2026 2:39pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 764d4a7d-69b9-47ee-9583-2b87d51eec94

📥 Commits

Reviewing files that changed from the base of the PR and between 87985ed and 73e63f3.

📒 Files selected for processing (1)

• docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md

---

Walkthrough

Added a new guide for updating Terragrunt Scale Plan and Apply roles (AWS/Azure), quoted generated paths in a deployment tutorial's shell commands, registered the guide in the docs sidebar, and marked terragrunt-scale-catalog as a public repo in site root logic.

Changes

Cohort / File(s)	Summary
Role Management Guide docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md	New long-form guide describing Plan vs Apply roles, OIDC-based trust restrictions (Apply limited to Deploy Branch), locating bootstrap-managed roles/resources, where default permissions come from in the catalog, how to customize permissions (AWS IAM JSON/policies and Azure custom role action lists), deploy flow, and console verification steps.
Tutorials & Sidebar docs/2.0/docs/pipelines/tutorials/deploying-your-first-infrastructure-change.mdx, sidebars/docs.js	Shell command arguments updated to quote generated paths in mkdir -p/touch for AWS and Azure examples; added the new "Updating Plan and Apply Roles" doc to the Guides sidebar after “Running Plan/Apply.”
Site repo classification src/theme/Root.js	Added terragrunt-scale-catalog to publicGruntworkRepoNames so links to that repository are treated as public (prevents private-repo warning modal).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🛠️ New roles penned, permissions arranged,
Steps for AWS and Azure exchanged,
Paths now quoted, sidebar aligned,
Repo links clarified and signed,
Docs deployed — infra well-orchestrated.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main addition: a new guide for updating Terragrunt Scale plan and apply roles, which aligns with the new documentation file added.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 2026-04-01_permissions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md (1)

25-27: Consider adding language specifiers to code blocks.

The code blocks showing directory paths don't have language specifiers. While they render correctly, adding text or another appropriate identifier improves consistency and helps documentation linters.

Example for line 25-27:

-```
+```text
 $$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl

Apply similar changes to the other path examples at lines 49, 80, and 104.




Also applies to: 49-51, 80-82, 104-106

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md around lines 25

• 27, The documentation contains several fenced code blocks that show directory
  paths (e.g., the block with
  $$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl and the other path
  examples referenced at the same sections) but lack language specifiers; update
  each of those code fences (the examples around the occurrences noted) to use a
  plain text specifier by changing totext so linters and renderers
  consistently treat them as text (apply this to the blocks at the three
  additional occurrences mentioned as well).

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md:

• Around line 25-27: The documentation contains several fenced code blocks that
  show directory paths (e.g., the block with
  $$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl and the other path
  examples referenced at the same sections) but lack language specifiers; update
  each of those code fences (the examples around the occurrences noted) to use a
  plain text specifier by changing totext so linters and renderers
  consistently treat them as text (apply this to the blocks at the three
  additional occurrences mentioned as well).

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Repository UI

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `aecad60e-5a80-411e-a2db-cb1a76e8137f`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 1fe5f4ddb239aaef9a69229c7c5db8ad03f150e8 and 238e058d0386a3a530757adaecfa50b8ee048717.

</details>

<details>
<summary>⛔ Files ignored due to path filters (1)</summary>

* `static/img/pipelines/guides/aws-iam-roles.png` is excluded by `!**/*.png`

</details>

<details>
<summary>📒 Files selected for processing (4)</summary>

* `docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md`
* `docs/2.0/docs/pipelines/tutorials/deploying-your-first-infrastructure-change.mdx`
* `sidebars/docs.js`
* `src/theme/Root.js`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[ebeneliason]

Will give this a complete read later today. A few quick impressions:

1. I don't think we should include "Terragrunt Scale" in the document title. The callout at the beginning of the doc is good, but we want this to be a pipelines doc, not a Terragrunt Scale doc. The fact that Gruntwork customers also wind up using the terragrunt-scale-catalog is more an implementation detail.
2. The GitHub/GitLab tabs don't seem to change anything on the page. Are they meant to? I propose excluding until they are functional.
3. The ToC is very confusing and mostly unusable. Is there anything we can do about that? My base suggestion would be to ensure that we set the depth level of the ToC to be one higher than the level of header we include inside a tabbed section, so only the outer headings are listed.

[Resonance1584]

The GitHub/GitLab tabs don't seem to change anything on the page. Are they meant to? I propose excluding until they are functional.

@ebeneliason they switch the urls for the links to the stack

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md`:
- Around line 29-31: The markdown code fences showing paths like
"$$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl" and
"$$SUBSCRIPTION_NAME$$/bootstrap/terragrunt.stack.hcl" are missing language
identifiers and trigger MD040; update each of those fenced blocks (the four
occurrences at ~29-31 and the other occurrences at 53-55, 84-86, 108-110) by
changing the opening fence from ``` to ```text so the path-only blocks are
explicitly tagged as text.
- Line 308: The duplicate numbered section headings like "### 1. Copy the
default policy files" inside the tabbed variants trigger MD024; fix by either
restructuring the tab content so each tab uses unique subheadings (e.g.,
"GitHub: Copy the default policy files" / "GitLab: Copy the default policy
files") or locally suppress MD024 around the entire tabbed block (wrap the tab
block with markdownlint disable/enable for MD024) so the parallel tab headings
are allowed; apply the same change for the other repeated headings in this file
(the other tabbed "### 1/2/3/4..." blocks referenced in the review).
- Around line 162-179: Update the fenced code blocks that contain commented JSON
examples to use jsonc instead of json so readers know comments are allowed;
specifically change the code fence languages for the snippets titled
"$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json" and
"$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json" (and the other
occurrences called out in the review at the later ranges) from ```json to
```jsonc so the inline comments like "// ... existing statements ..." are valid
and the examples are not mistaken for strict JSON.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b5a60a9e-ff3e-4f84-a42d-e902d7c95c7e

📥 Commits

Reviewing files that changed from the base of the PR and between 238e058 and 87985ed.

📒 Files selected for processing (2)

• docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md
• sidebars/docs.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add explicit language identifiers to the path-only code fences.

These four fenced blocks are missing language tags and trigger MD040 warnings.

Suggested patch

-```
+```text
 $$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl

@@
- +text
$$SUBSCRIPTION_NAME$$/bootstrap/terragrunt.stack.hcl

@@
-```
+```text
$$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl

@@
- +text
$$SUBSCRIPTION_NAME$$/bootstrap/terragrunt.stack.hcl

Also applies to: 53-55, 84-86, 108-110

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 29-29: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md` around lines 29
- 31, The markdown code fences showing paths like
"$$ACCOUNT_NAME$$/_global/bootstrap/terragrunt.stack.hcl" and
"$$SUBSCRIPTION_NAME$$/bootstrap/terragrunt.stack.hcl" are missing language
identifiers and trigger MD040; update each of those fenced blocks (the four
occurrences at ~29-31 and the other occurrences at 53-55, 84-86, 108-110) by
changing the opening fence from ``` to ```text so the path-only blocks are
explicitly tagged as text.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that JSON fences contain line comments in this doc.
rg -n '```json title=' docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md -A25 \
  | rg -n '// \.\.\. existing statements \.\.\.'

Repository: gruntwork-io/docs

Length of output: 227

---

Use jsonc fences for commented JSON snippets.

These examples include // ... existing statements ...; with json fences, readers may assume the content is copy-pastable strict JSON. Using jsonc (JSON with Comments) clarifies that comments are permitted in these examples.

Suggested patch

-```json title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json"
+```jsonc title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json"
@@
-```json title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json"
+```jsonc title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json"
@@
-```json title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json"
+```jsonc title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json"
@@
-```json title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json"
+```jsonc title="$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json"

Also applies to: lines 183-198, 324-341, 345-360

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/2.0/docs/pipelines/guides/updating-plan-apply-roles.md` around lines 162
- 179, Update the fenced code blocks that contain commented JSON examples to use
jsonc instead of json so readers know comments are allowed; specifically change
the code fence languages for the snippets titled
"$$ACCOUNT_NAME$$/_global/bootstrap/custom_plan_iam_policy.json" and
"$$ACCOUNT_NAME$$/_global/bootstrap/custom_apply_iam_policy.json" (and the other
occurrences called out in the review at the later ranges) from ```json to
```jsonc so the inline comments like "// ... existing statements ..." are valid
and the examples are not mistaken for strict JSON.

[ebeneliason]

• GitHub/GitLab: I find it confusing that the change is invisible. Usually you'd expect a whole different set of instructions when swapping tabs. Or, more specifically, the tabs should ideally reflect the scope of the change. If those tabs only impact the area where we link out, then we should just wrap the tab block around those links. Or, in this specific case, it might be more clear to omit the tabs entirely and just supply both links, appropriately scoped by platform.
  • Upon further reading, I see some other details that adjust, such as "pull request" vs. "merge request. Perhaps we should ship this as is and just think about opportunities for improvement.
• Terragrunt Scale specificity:
  • "When Terragrunt Scale is installed" -> "When Pipelines is installed"
  • "Your plan and apply roles are managed by the bootstrap stack in your Terragrunt Scale repository." Perhaps just drop "Terragrunt Scale" here?
• Aside: A few participants were surprised by and/or objected to the very general purpose name of the plan and apply roles. We should consider using a more precise name e.g. "gruntwork-pipelines-plan"

Looks great apart from these nits. Very happy to have this documented.