.terraform.lock.hcl - commit it

DEV Community: terraform·Bartłomiej Danek·about 1 month ago

Terraform generates this file on terraform init - it pins the exact provider versions and their checksums so every team member and CI run uses the same binaries.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.50.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:abc123...",
    "zh:def456...",
  ]
}

what it contains

  • version - exact version that was selected
  • constraints - the constraint from required_providers
  • hashes - checksums for each platform (linux, darwin, windows)

why commit it

  • reproducible builds - everyone gets the same provider binary
  • audit trail - version changes are visible in git diff
  • faster CI - Terraform can skip checksum verification with -lockfile=readonly
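
The audit-trail point above can be checked mechanically in review. This added example (not code from the original post) parses two revisions of .terraform.lock.hcl and reports version changes and, separately, checksums that were replaced while the version stayed the same. The function names, the placeholder hashes and version 5.51.0 are constructed for illustration.

```python
import re

# One provider block of the machine-written lock file (not a general HCL parser).
BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Return {provider address: {"version": str, "hashes": set of str}}."""
    providers = {}
    for addr, body in BLOCK.findall(text):
        version = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        hash_list = re.search(r'hashes\s*=\s*\[(.*?)\]', body, re.S)
        hashes = re.findall(r'"((?:h1|zh):[^"]+)"', hash_list.group(1)) if hash_list else []
        providers[addr] = {"version": version.group(1) if version else None,
                           "hashes": set(hashes)}
    return providers

def review_lock_change(old_text, new_text):
    """Compare two revisions of the lock file and list what a reviewer should check."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old:
            findings.append((addr, "added"))
        elif addr not in new:
            findings.append((addr, "removed"))
        elif old[addr]["version"] != new[addr]["version"]:
            findings.append((addr, f'version {old[addr]["version"]} -> {new[addr]["version"]}'))
        elif old[addr]["hashes"] - new[addr]["hashes"]:
            # Same version but a recorded checksum disappeared: needs an explanation.
            findings.append((addr, "hashes replaced without version change"))
        elif new[addr]["hashes"] - old[addr]["hashes"]:
            findings.append((addr, "hashes added"))  # e.g. another platform was locked
    return findings

# Constructed sample data: placeholder hashes, and 5.51.0 is only an illustrative version.
SAMPLE = '''provider "registry.terraform.io/hashicorp/aws" {
  version     = "VERSION"
  constraints = "~> 5.0"
  hashes = [
    "h1:HASH",
    "zh:constructed-zip-hash",
  ]
}
'''
OLD = SAMPLE.replace("VERSION", "5.50.0").replace("HASH", "constructed-a")
UPGRADED = SAMPLE.replace("VERSION", "5.51.0").replace("HASH", "constructed-b")
REHASHED = SAMPLE.replace("VERSION", "5.50.0").replace("HASH", "constructed-x")
if __name__ == "__main__":
    print(review_lock_change(OLD, UPGRADED), review_lock_change(OLD, REHASHED))
```

In a pipeline the two inputs would be the lock file from the base branch and from the pull request; a non-empty result is a prompt for a human to look at the diff, not a verdict.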

updating it

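# upgrade providers to the newest versions the constraints allow and update the lock file
terraform init -upgrade

# same upgrade, and also reconfigure the backend, ignoring any saved backend configuration
terraform init -upgrade -reconfigure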

CI flag

# fails if lock file is out of date - use in CI
terraform init -lockfile=readonly

Originally published at https://bard.sh/posts/terraform-lock-hcl/
