Skip to content


Terramate CLI has a number of safeguards when executing commands with terramate run, to ensure that the code you're running against is exactly what you intended.

Git checks

The first set of checks ensures that your git status is clean:

  • No files exist that are untracked (check_untracked)
  • No changes exist that are uncommitted (check_uncommited)
  • Local git is up to date with remote changes (check_remote)

Code generation check

By default, terramate run will check that all generated code is up to date and throw an error if not:

ERR outdated code found action=checkOutdatedGeneratedCode() filename=stg/ec2/
FTL please run: 'terramate generate' to update generated code error="outdated generated code detected" action=checkOutdatedGeneratedCode()

This check ensures that it's not possible to accidentally run against outdated code and we highly discourage disabling it.

We also recommend using git hooks (e.g. pre-commit) to ensure that terramate generate is run and the code is up to date before pushing your changes.

Disabling checks

Safeguards are enabled per default and help you to keep your environment safe, but if required they can be disabled via CLI flags, environment variables or using the project configuration. Environment variables and CLI flags always take precedence over project config.

The terramate.config.disable_safeguards (added in v0.4.5) supports a list of check keywords to be disabled. Below is a list of supported values:

Check nameDescription
allDisable all checks
gitDisable all git related checks
git-untrackedDisable the check for untracked files
git-uncommittedDisable the check for uncommitted files
git-out-of-syncDisable the check for git remote out of sync
outdated-codeDisable the check for outdated code

The keywords above can be used together in the environment variable TM_DISABLE_SAFEGUARDS, in the terramate.config.disable_safeguards or provided in the command line in the --disable-safeguards=<options>. Examples:

Using environment variable:

TM_DISABLE_SAFEGUARDS=git-untracked,git-uncommitted terramate run -- <cmd>

Using cli flag:

terramate run --disable-safeguards=git-untracked,git-uncommitted -- <cmd>

Using the configuration file:

terramate {
  config {
    disable_safeguards = ["git-untracked", "git-uncommitted"]

Deprecated config and environment variables

The list of attributes and correspondent environment variable listed below are deprecated (from v0.4.5 onwards) and will be removed in future versions of Terramate.

Project configuration settingEnvironment variable
terramate.config.git.check_remote = falseTM_DISABLE_CHECK_GIT_REMOTE=true
terramate.config.git.check_untracked = falseTM_DISABLE_CHECK_GIT_UNTRACKED=true
terramate.config.git.check_uncommitted = falseTM_DISABLE_CHECK_GIT_UNCOMMITTED=true = falseTM_DISABLE_CHECK_GEN_CODE=true

Example of a project config disabling all checks

terramate {
  config {
    run {
      check_gen_code = false
    git {
      check_remote      = false
      check_untracked   = false
      check_uncommitted = false