terraform-cdk
Generate provider lock file before running terraform init
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
CDKTF bindings pin provider versions in general, therefore we could generate the .terraform.lock.hcl file for each stack as part of our synthetization. This makes using the provider across different machines / architectures easier and improves our upgrade workflow to have one less step, see #2020. This means we trim the sources of provider versions down to just the provider bindings instead of e.g. the last run of terraform init as well.
References
I like this from a versioning perspective, but I worry about it from a security perspective. .terraform.lock.hcl functions as both version pinning and checksum matching.
Can the alternative approach be considered?
- terraform plugins will be bundled directly into respective language packages
- extracted to some directory
- path to that directory provided to terraform as TF_PLUGIN_CACHE_DIR
That way terraform will always use the same provider binary as long as the same e.g. python package is used, w/o the need to touch .terraform.lock.hcl
What's your opinion?
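The two comments above hinge on the same point: `.terraform.lock.hcl` is not only a version pin but a checksum record, so whether the lock file is generated at synth time (the proposal) or a bundled provider is extracted into a `TF_PLUGIN_CACHE_DIR` directory (the alternative), the defender's question is the same: does the provider binary on this machine match a recorded hash? The following is an added example written for this page, not code from cdktf or Terraform. It parses a lock file's `provider` blocks and reimplements the `h1:` hash scheme (Go's `dirhash` Hash1: a sorted list of `sha256hex  relative/path` lines, hashed again and base64-encoded) so an unpacked provider directory can be checked against the lock. The sample lock text and the stand-in provider directory are constructed; the hash values in the sample are placeholders, not real provider checksums.

```python
"""Check an unpacked Terraform provider directory against a .terraform.lock.hcl.

Added example for this issue; not part of cdktf or Terraform.
"""
import base64
import hashlib
import os
import re
import tempfile

# Constructed sample lock file. The hashes are placeholders, not real checksums.
SAMPLE_LOCK = '''provider "registry.terraform.io/hashicorp/random" {
  version     = "3.4.3"
  constraints = "3.4.3"
  hashes = [
    "h1:constructedNotARealHash000000000000000000000=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}
'''

_PROVIDER_BLOCK = re.compile(r'provider\s+"(?P<addr>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)


def parse_lock_file(text):
    """Return {provider_addr: {"version", "constraints", "hashes"}} from lock file text."""
    locked = {}
    for m in _PROVIDER_BLOCK.finditer(text):
        body = m.group("body")
        version = re.search(r'version\s*=\s*"([^"]+)"', body)
        constraints = re.search(r'constraints\s*=\s*"([^"]+)"', body)
        locked[m.group("addr")] = {
            "version": version.group(1) if version else None,
            "constraints": constraints.group(1) if constraints else None,
            # Both h1: (unpacked dir hash) and zh: (zip sha256) entries are kept.
            "hashes": re.findall(r'"((?:h1|zh):[^"]+)"', body),
        }
    return locked


def h1_hash_dir(package_dir):
    """Compute the 'h1:' hash of an unpacked provider package directory.

    Reimplementation of Go's dirhash Hash1 as used by Terraform: for every file
    (sorted by slash-separated relative path) append "<sha256 hex>  <path>\\n" to a
    summary, then base64-encode the sha256 of that summary.
    """
    entries = []
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, package_dir).replace(os.sep, "/")
            with open(full, "rb") as f:
                entries.append((rel, hashlib.sha256(f.read()).hexdigest()))
    summary = hashlib.sha256()
    for rel, digest in sorted(entries):
        summary.update(f"{digest}  {rel}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()


def verify_provider(lock, addr, package_dir):
    """Return (ok, computed_hash); ok only if addr is locked and its h1 hash matches."""
    computed = h1_hash_dir(package_dir)
    entry = lock.get(addr)
    if entry is None:
        return False, computed
    return computed in entry["hashes"], computed


def demo():
    """Build a constructed provider dir, lock it, then tamper with it and re-check."""
    results = {}
    addr = "registry.terraform.io/hashicorp/random"
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "terraform-provider-random_v3.4.3")
        os.makedirs(pkg)
        binary = os.path.join(pkg, "terraform-provider-random_v3.4.3")
        with open(binary, "wb") as f:
            f.write(b"constructed stand-in for the provider binary\n")
        with open(os.path.join(pkg, "LICENSE"), "wb") as f:
            f.write(b"constructed license text\n")
        good_hash = h1_hash_dir(pkg)
        # Lock file that records the hash of the directory we just built.
        lock = parse_lock_file(SAMPLE_LOCK.replace(
            "h1:constructedNotARealHash000000000000000000000=", good_hash))
        results["good_hash"] = good_hash
        results["clean_ok"], _ = verify_provider(lock, addr, pkg)
        results["unknown_provider_ok"], _ = verify_provider(
            lock, "registry.terraform.io/hashicorp/null", pkg)
        # Same version string on disk, different bytes: the pin alone would not catch this.
        with open(binary, "ab") as f:
            f.write(b"extra byte")
        results["tampered_ok"], results["tampered_hash"] = verify_provider(lock, addr, pkg)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `h1:` routine here is an editor's reimplementation; before relying on it, compare its output for a real provider directory against the `h1:` entry Terraform writes with `terraform providers lock`. The point the example makes stands either way: a version string (whether from the bindings or from a bundled package name) says nothing about the bytes on disk, and only the recorded hash does.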