.terraform.lock.hcl - commit it
Terraform generates this file on terraform init - it pins the exact provider versions and their checksums so every team member and CI run uses the same binaries.
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.50.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:abc123...",
    "zh:def456...",
  ]
}
what it contains
- version - exact version that was selected
- constraints - the constraint from required_providers
- hashes - checksums for each platform (linux, darwin, windows)
why commit it
- reproducible builds - everyone gets the same provider binary
- audit trail - version changes are visible in git diff
- faster CI - Terraform can skip checksum verification with -lockfile=readonly
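The audit-trail point can be automated in code review. The following Python is an added example, not part of the original post or of Terraform: it compares two versions of .terraform.lock.hcl and reports added or removed providers, version changes, and hashes that were dropped while the version stayed the same. The function names and the sample lock files (including the 5.51.0 and random provider entries and all hash strings) are assumptions constructed for illustration.

```python
import re

# One provider block of .terraform.lock.hcl: captures the address and the body.
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Return {provider address: {"version": str, "hashes": set of str}}."""
    providers = {}
    for addr, body in PROVIDER_RE.findall(text):
        version = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        hashes = re.search(r'hashes\s*=\s*\[(.*?)\]', body, re.S)
        providers[addr] = {
            "version": version.group(1) if version else None,
            "hashes": set(re.findall(r'"([^"]+)"', hashes.group(1))) if hashes else set(),
        }
    return providers

def review_lock_change(old_text, new_text):
    """Return (kind, provider, detail) findings for a lock file change."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old:
            findings.append(("added", addr, new[addr]["version"]))
        elif addr not in new:
            findings.append(("removed", addr, old[addr]["version"]))
        elif old[addr]["version"] != new[addr]["version"]:
            detail = old[addr]["version"] + " -> " + new[addr]["version"]
            findings.append(("version-changed", addr, detail))
        elif old[addr]["hashes"] - new[addr]["hashes"]:
            # Same version but a previously pinned hash is gone: the set of
            # accepted packages changed without a version bump, so review it.
            dropped = sorted(old[addr]["hashes"] - new[addr]["hashes"])
            findings.append(("hash-dropped", addr, dropped))
    return findings

# Constructed sample lock files; the hash strings are placeholders, not real checksums.
BLOCK = 'provider "registry.terraform.io/hashicorp/%s" {\n  version = "%s"\n  hashes = [\n%s  ]\n}\n'
OLD = BLOCK % ("aws", "5.50.0", '    "h1:AAAA",\n    "zh:BBBB",\n') \
    + BLOCK % ("random", "3.6.0", '    "h1:CCCC",\n')
NEW = BLOCK % ("aws", "5.51.0", '    "h1:DDDD",\n    "zh:EEEE",\n') \
    + BLOCK % ("random", "3.6.0", '    "h1:FFFF",\n')

if __name__ == "__main__":
    for finding in review_lock_change(OLD, NEW):
        print(finding)
```

Hashes that are only added for an unchanged version (for example when another platform is recorded) are not reported; only a hash that disappears is.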
updating it
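# upgrade all providers to the newest versions allowed by their constraints
terraform init -upgrade
# same upgrade; -reconfigure additionally re-initializes the backend, ignoring its saved configuration
terraform init -upgrade -reconfigure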
CI flag
# fails if lock file is out of date - use in CI
terraform init -lockfile=readonly
Originally published at https://bard.sh/posts/terraform_lock_hcl/