Introduction
Terraform 0.14 and later utilize a lock file to enable teams to standardize on specific, approved, verified versions of provider plugins. The lock file is essential for Terraform's operation and so will always be generated if one does not exist, even if it is not retained or distributed.
Scenario
Teams using Terraform generally take two different approaches to managing the Terraform lock file, both of which require some action to ensure smooth usage and operation on all platforms and pipelines.
- One approach is to ignore the lock file and allow Terraform to regenerate it each time terraform init is run. This effectively matches Terraform's behavior in Terraform 0.13 and below.
- Another approach is to create a suitable lock file that will be used by all who will be working with that configuration, including HCP Terraform/Terraform Enterprise. This approach requires adjusting the lock file as versions of the providers are updated.
Recommendation
Scenario 1
To ignore Terraform's lock file when collaborating with a team, add .terraform.lock.hcl to the repository's .gitignore file. Doing so will prevent the distribution of the lock file to other team members. Each person, CI system, and HCP Terraform/Terraform Enterprise that executes terraform init will create a new lock file for their own use.
Scenario 2
To distribute a lock file so that all team members and HCP Terraform/Terraform Enterprise standardize on the same version, the lock file should first be generated with terraform init as usual. The generated lock file will contain the signatures of all available releases for this provider version. The provider version becomes a requirement for terraform init to succeed.
For example, on macOS with a configuration containing a null_resource, the macOS version of the provider is retrieved and hashed. Signatures for all releases are recorded. When this configuration runs elsewhere, the version will be required and the provider must be signed with the same signature.

$ terraform init
[ init output ]
$ cat .terraform.lock.hcl
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:xhbHC6in3nQryvTQBWKxebi3inG5OCgHgc4fRxL0ymc=",
    "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2",
    "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515",
    "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521",
    "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2",
    "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e",
    "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53",
    "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d",
    "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8",
    "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70",
    "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b",
    "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e",
  ]
}
When the provider version is to be updated, the lock file can be updated with terraform init -upgrade or regenerated by removing the current contents of .terraform and rerunning terraform init. Similarly, adding a new provider can be done with just terraform init.
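A CI check for Scenario 2, as an added example that is not part of the original article or of Terraform's own tooling: it parses the committed lock file and one regenerated by terraform init, then reports providers whose version changed or whose hashes lists share no entry. The function names, the placeholder hash values and the 3.2.0 version are constructed for illustration.

```python
import re

PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Map provider address -> {"version": str, "hashes": set} from lock file text."""
    providers = {}
    for address, body in PROVIDER_RE.findall(text):
        version = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        providers[address] = {
            "version": version.group(1) if version else None,
            "hashes": set(re.findall(r'"((?:h1|zh):[^"]+)"', body)),
        }
    return providers

def lock_drift(committed, generated):
    """Compare the committed lock file with one regenerated by terraform init."""
    old, new = parse_lock(committed), parse_lock(generated)
    findings = []
    for address in sorted(set(old) | set(new)):
        if address not in old:
            findings.append((address, "provider missing from committed lock file"))
        elif address not in new:
            findings.append((address, "provider no longer used"))
        elif old[address]["version"] != new[address]["version"]:
            findings.append((address, "version %s -> %s" % (
                old[address]["version"], new[address]["version"])))
        elif not old[address]["hashes"] & new[address]["hashes"]:
            findings.append((address, "same version but no hash in common"))
    return findings

# Constructed lock file contents (hash values are placeholders, not real checksums).
COMMITTED = '''
provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:constructed-macos-package-hash=",
    "zh:constructed-zip-hash-0001",
  ]
}
'''
# Same version regenerated on another platform: the zh: entry is still shared.
REGENERATED = COMMITTED.replace("macos", "linux")
# Same version but every hash differs: review before trusting the new file.
MISMATCHED = REGENERATED.replace("0001", "9999")
# A provider upgrade that was never committed (constructed version number).
UPGRADED = COMMITTED.replace("3.1.0", "3.2.0")

if __name__ == "__main__":
    for name in ("REGENERATED", "MISMATCHED", "UPGRADED"):
        print(name, lock_drift(COMMITTED, globals()[name]))
```

An empty result means the regenerated file agrees with the committed one; any finding is a reason to stop the pipeline and review the lock file change by hand.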