What is .terraform.lock.hcl?
In the cloud-platform-infrastructure repo, each layer has a .terraform.lock.hcl file, for example.
The lock file is concerned with pinning provider versions. Terraform providers manage resources by communicating between Terraform and the target APIs, e.g. the kubectl provider allows Terraform to take HCL code and run kubectl commands.
The lock file ensures that every user is using the same provider versions. This is important because different versions of a provider can deploy resources differently, resulting in inconsistent applies on each machine.
Every time you run the terraform init command, Terraform creates or updates the .terraform.lock.hcl file.
There are 2 aspects to pinning providers:
- Terraform that specifies version constraints, for example
- the .terraform.lock.hcl dependency lock file, which contains the specific hashes for the version to be used
Working with .terraform.lock.hcl files
Due to the architecture difference between our Mac M* chips and the pipeline, every time a user runs terraform init, it will make changes to the .terraform.lock.hcl file. This diff is sometimes misleading.
Rules
- Do not commit the lock file if you have not changed any provider versions
- If you make changes to any provider versions, then you should use the command below to add a platform-compatible lock file
Committing changes to the lock file
Because the team is mainly on Mac M* chips, we are generally running a different architecture (arm64) to the Terraform that will run in the pipeline (amd64). Therefore, if you want to commit a compatible lock file, you must run the following before adding it to git:
terraform providers lock -platform=linux_amd64
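One way to check the first rule above before committing, as an added example that is not part of the original page or the repo: the script compares the provider versions pinned in the committed lock file with those in the local one and reports whether any pinned version changed. The provider address and hash strings are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh

# Print "provider-address version" for each provider block in a lock file.
lock_versions() {
  awk '
    /^provider[ \t]+"/      { split($0, a, "\""); addr = a[2] }
    /^[ \t]*version[ \t]*=/ { split($0, v, "\""); print addr, v[2] }
  ' "$1" | sort
}

# Classify the difference between a committed and a local lock file:
#   unchanged         - files are identical
#   no-version-change - pinned versions match, other lines differ: do not commit
#   version-change    - a provider was added, removed or re-pinned
lock_change_kind() {
  if cmp -s "$1" "$2"; then echo unchanged; return 0; fi
  if [ "$(lock_versions "$1")" = "$(lock_versions "$2")" ]; then
    echo no-version-change
  else
    echo version-change
  fi
}

# Constructed sample: provider address and hash strings are placeholders.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/committed.hcl" <<'EOF'
provider "registry.terraform.io/example/demo" {
  version = "1.2.3"
  hashes = [
    "h1:CONSTRUCTED-linux-amd64=",
  ]
}
EOF
  # Same pinned version, one extra hash entry, as after a local init.
  cat > "$dir/local.hcl" <<'EOF'
provider "registry.terraform.io/example/demo" {
  version = "1.2.3"
  hashes = [
    "h1:CONSTRUCTED-darwin-arm64=",
    "h1:CONSTRUCTED-linux-amd64=",
  ]
}
EOF
  lock_change_kind "$dir/committed.hcl" "$dir/local.hcl"
  rm -rf "$dir"
}

demo
```

To use it on a real layer, write the committed copy to a temporary file with `git show HEAD:./.terraform.lock.hcl` and pass that file and the working-tree lock file to `lock_change_kind`.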