hashicorp / terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
https://www.terraform.io/cdktf
Mozilla Public License 2.0

Generate provider lock file before running terraform init #2200

Open DanielMSchmidt opened 1 year ago

DanielMSchmidt commented 1 year ago

Description

CDKTF bindings pin provider versions in general, therefore we could generate the .terraform.lock.hcl file for each stack as part of our synthetization. This makes using the provider across different machines / architectures easier and improves our upgrade workflow to have one less step, see #2020. This means we trim the sources of provider versions down to just the provider bindings instead of e.g. the last run of terraform init as well.

References

jsteinich commented 1 year ago

I like this from a versioning perspective, but I worry about it from a security perspective. .terraform.lock.hcl functions as both version pinning and checksum matching.
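
The proposal above (render the lock file from the versions the bindings already pin) and the concern that follows it (the lock file is also the checksum set) can both be seen in a small script. This is an added example, not CDKTF's or Terraform's own code: it renders a minimal `.terraform.lock.hcl` from a constructed map of pinned providers, parses the subset of lock-file HCL that `terraform init` writes, and audits a lock file for the two properties that matter here, an exact version match against the bindings and a non-empty `hashes` list. The provider addresses, versions and hash strings are constructed for the example.

```python
"""Added example (not CDKTF's code): render a minimal .terraform.lock.hcl from
pinned provider versions, and audit an existing lock file for the two things it
provides: an exact version pin and a non-empty checksum set."""
import re

# Constructed sample of what the bindings know about each provider:
# source address -> (exact version, constraint). Values are illustrative.
PINNED_PROVIDERS = {
    "registry.terraform.io/hashicorp/aws": ("4.60.0", "~> 4.60"),
    "registry.terraform.io/hashicorp/random": ("3.4.3", "~> 3.4"),
}

# One provider block per entry; the body runs to the closing brace at column 0.
PROVIDER_BLOCK = re.compile(
    r'provider\s+"(?P<addr>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.DOTALL)
# Lock files carry h1: (unpacked contents) and zh: (zip) checksums.
HASH_LINE = re.compile(r'"(?P<hash>(?:h1|zh):[A-Za-z0-9+/=]+)"')


def render_lock(pins, hashes=None):
    """Render lock-file text for the given pins. `hashes` maps a provider
    address to a list of checksum strings; without it the file pins versions
    only, which is exactly what a synth-time generator could produce offline."""
    hashes = hashes or {}
    out = ["# Generated from provider bindings (added example).", ""]
    for addr in sorted(pins):
        version, constraint = pins[addr]
        out.append(f'provider "{addr}" {{')
        out.append(f'  version     = "{version}"')
        out.append(f'  constraints = "{constraint}"')
        entry_hashes = hashes.get(addr, [])
        if entry_hashes:
            out.append("  hashes = [")
            out.extend(f'    "{h}",' for h in sorted(entry_hashes))
            out.append("  ]")
        out.append("}")
        out.append("")
    return "\n".join(out)


def parse_lock(text):
    """Parse the subset of lock-file HCL that Terraform writes: one block per
    provider with version, constraints and a hashes list."""
    providers = {}
    for m in PROVIDER_BLOCK.finditer(text):
        body = m.group("body")
        version = re.search(r'version\s*=\s*"([^"]+)"', body)
        constraints = re.search(r'constraints\s*=\s*"([^"]+)"', body)
        providers[m.group("addr")] = {
            "version": version.group(1) if version else None,
            "constraints": constraints.group(1) if constraints else None,
            "hashes": [h.group("hash") for h in HASH_LINE.finditer(body)],
        }
    return providers


def audit_lock(text, pins):
    """Return sorted findings; an empty list means every pinned provider is
    locked at the pinned version and carries at least one checksum."""
    findings = []
    locked = parse_lock(text)
    for addr, (version, _constraint) in pins.items():
        entry = locked.get(addr)
        if entry is None:
            findings.append(f"{addr}: missing from lock file")
            continue
        if entry["version"] != version:
            findings.append(
                f"{addr}: locked {entry['version']}, bindings pin {version}")
        if not entry["hashes"]:
            findings.append(f"{addr}: no checksums, package content is not verified")
    for addr in locked:
        if addr not in pins:
            findings.append(f"{addr}: locked but not pinned by any binding")
    return sorted(findings)


# Constructed lock file as a previous `terraform init` might have left it: aws
# is one version behind the bindings, random has no hashes, null is no longer
# used. Hash strings are made up and only shaped like real ones.
SAMPLE_LOCK = render_lock(
    {"registry.terraform.io/hashicorp/aws": ("4.59.0", "~> 4.59"),
     "registry.terraform.io/hashicorp/random": ("3.4.3", "~> 3.4"),
     "registry.terraform.io/hashicorp/null": ("3.2.1", "~> 3.2")},
    hashes={
        "registry.terraform.io/hashicorp/aws": [
            "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
            "zh:0000000000000000000000000000000000000000000000000000000000000000"],
        "registry.terraform.io/hashicorp/null": ["h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="],
    })

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK, PINNED_PROVIDERS):
        print(finding)
    # A lock rendered purely from the bindings pins versions but has no hashes,
    # so the audit still reports every provider as unverified.
    for finding in audit_lock(render_lock(PINNED_PROVIDERS), PINNED_PROVIDERS):
        print(finding)
```

The second run in the usage block is the point of the concern: a lock file written from the bindings alone gets the version pin right on every machine, but its `hashes` list is empty until something has actually fetched the packages (for example `terraform providers lock` for the platforms in use), so the checksum half of the lock file is not supplied by synth.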

nikowatari commented 1 year ago

Can the alternative approach be considered?

  1. terraform plugins will be bundled directly into respective language packages
  2. extracted to some directory
  3. path to that directory provided to terraform as TF_PLUGIN_CACHE_DIR

That way Terraform will always use the same provider binary as long as the same e.g. Python package is used, w/o the need to touch .terraform.lock.hcl.

What's your opinion?