Closed Gerrit-K closed 2 years ago
@Gerrit-K have you looked into https://www.terraform.io/docs/language/dependency-lock.html ?
@drdamour good point! :+1: I didn't ... that would definitely be the way to go if we used terraform alone. However, since we use cdktf, all terraform files are generated dynamically to ./cdktf.out/stacks/<stackname>/
, which we exclude from VCS, but that would exactly be the place to put the dependency lock file into, wouldn't it? Did I overlook something? Is there another way to use this lock file using cdktf?
I'm in favor of the build provider containing exactly the version that it was built against. See https://github.com/hashicorp/terraform-cdk/issues/318
This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label.
Not stale
(at least for now)
@jsteinich since my second suggestion is essentially the same as what you've already proposed in the main repo, I would be fine with closing this as a (semi-)duplicate of that one. WDYT?
@Gerrit-K: As Jon reacted with a thumbs up to your message, I'm going to close this 👍
We'll use https://github.com/hashicorp/terraform-cdk/issues/318 to track this from now on 👀
@ansgarm ah yes, sorry for the lack of response. Thanks for closing it :) I already subscribed to the other one ✅
I'm going to lock this issue because it has been closed for at least 7 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue so we can investigate further.
This might rather be a question or starting point for discussion instead of an issue, but I hope it's still the right place to address it.
Issue description
When using the prebuilt providers, such as the
azurerm
provider, cdktf generates therequired_providers
section like this:This essentially causes terraform to always fetch the latest
2.0
provider, no matter what the prebuilt provider package was built against. Currently there seems to be no way to manually change that value to downgrade or pin the provider.Background
This is especially problematic for environments where you need reproducible builds. I.e., in our application we deliberately use a
yarn.lock
(as probably many other teams do as well; same withpackage-lock.json
) to pin working configurations in order for CI/CD pipelines to "replay" them consistently. Pinning there currently still does not pin the actual provider that is used.To give a real example with impact: our pipelines started to fail last friday due to a bug in the 2.86 release, although we didn't change anything in the configuration. As a temporary workaround, we now had to revert back to the generated provider instead of the prebuilt one to pin it to version 2.85, which, unfortunately, also required quite some code changes in the import statements.
Fix / Suggestion
It would be great if either:
required_providers
field to a custom version, orpackage.json
and the corresponding lock files. But one downside is that it would also tightly couple the release cycle of the prebuilt provider to the upstream terraform provider (if that's not already the case?).Looking forward to hear feedback and opinions on that.