Menu
From my current knowledge, there is no reason .terraform.lock.hcl should be included in the .gitignore. Nothing about this file is private, or is there?
207
terraform. lock. hcl files should be committed in the same way as the one in the root of the project. In addition to this, we do regularly update the versions of the providers we want to use as we evaluate the changes.
lock. hcl , and this name is intended to signify that it is a lock file for various items that Terraform caches in the . terraform subdirectory of your working directory. Terraform automatically creates or updates the dependency lock file each time you run the terraform init command.
Yes, there is a way to lock it. if terraform module registry is being used as a source, then the 'version' attribute can be used in the module in a configuration file of Terraform.
- Stack Overflow Should .terraform.lock.hcl be included in the .gitignore file? From my current knowledge, there is no reason .terraform.lock.hcl should be included in the .gitignore. Nothing about this file is private, or is there? It should be committed: it's needed to keep versions of plugins in sync. Privacy seems like a strange criterion.
The lock file is always named .terraform.lock.hcl, and this name is intended to signify that it is a lock file for various items that Terraform caches in the .terraform subdirectory of your working directory. Terraform automatically creates or updates the dependency lock file each time you run the terraform init command.
If a particular provider already has a selection recorded in the lock file, Terraform will always re-select that version for installation, even if a newer version has become available.
Create the Git repository before you start writing your Terraform code. Our second Terraform best practice is to always have a .gitignore file in your repository with all the required rules in order to ignore unnecessary files by Git and avoid pushing them out unknowingly. Always keep the file structure consistent across all Terraform projects.
Per the Terraform documentation on the Dependency Lock File:
Terraform automatically creates or updates the dependency lock file each time you run the terraform init command. You should include this file in your version control repository so that you can discuss potential changes to your external dependencies via code review, just as you would discuss potential changes to your configuration itself.
The key to understanding why you should commit that file is found in the following section on Dependency Installation Behavior:
When terraform init is working on installing all of the providers needed for a configuration, Terraform considers both the version constraints in the configuration and the version selections recorded in the lock file.
If a particular provider has no existing recorded selection, Terraform will select the newest available version that matches the given version constraint, and then update the lock file to include that selection.
If a particular provider already has a selection recorded in the lock file, Terraform will always re-select that version for installation, even if a newer version has become available. You can override that behavior by adding the -upgrade option when you run terraform init, in which case Terraform will disregard the existing selections and once again select the newest available version matching the version constraint.
Essentially this is intended to have Terraform continue to use the version of the provider selected when you added it. If you do not checkin the lock file, you will always be automatically upgraded to the latest version that obeys the constraint in code, which could lead to unintended consequences.
Note: You can force Terraform to upgrade when doing the init call by passing the -upgrade flag.
terraform init -upgrade
Update for Cross-Platform Development
From the Terraform documentation on the providers lock command:
Specifying Target Platforms In your environment you may, for example, have both developers who work with your Terraform configuration on their Windows or macOS workstations and automated systems that apply the configuration while running on Linux.
In that situation, you could choose to verify that all of your providers support all of those platforms, and to pre-populate the lock file with the necessary checksums, by running terraform providers lock and specifying those three platforms:
terraform providers lock \
-platform=windows_amd64 \
-platform=darwin_amd64 \
-platform=linux_amd64 \
-platform=darwin_arm64 \
-platform=linux_arm64
The above example uses Unix-style shell wrapping syntax for readability. If you are running the command on Windows then you will need to replace the backslashes with carets (for
cmd) or backticks (for PowerShell).
So you should still check the lock file into version control, but you should ensure the lock file contains the checksums for providers on all platforms.
65
I think the above advice is only useful if your source control repository is being used by a homogenous set of engineers and/or a single engineer. On a large heterogenous group, it will fail with the following error:
│ Error: Failed to install provider
│
│ Error while installing hashicorp/null v3.1.1: the local package for registry.terraform.io/hashicorp/null 3.1.1 doesn't match any of the checksums previously recorded in the dependency lock file
│ (this might be because the available checksums are for packages targeting different platforms)
To solve that error, delete the .terraform.lock.hcl file, and re-initalise. It will regenerate the file for your own workstation.
I am willing to entertain that we're doing it wrong, but at least in our case, we need to add this to .gitignore, or every time one engineer makes a commit, all engineers using a different OS will get this error and have to terraform init again.
4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
