Support updating Terragrunt-generated `terraform.lock.hcl` lock files

Open tpansino opened this issue 3 years ago • 18 comments

What would you like Renovate to be able to do?

Terraform lock files are generated when running Terragrunt commands (because Terragrunt is just a wrapper of Terraform). These lock files are exactly the same as lock files generated by using Terraform directly, but they don't currently seem to be updated as part of lock file maintenance (minimal repo demonstrating this).

I would like Renovate to update Terraform lock files, regardless of how they were generated.

If you have any ideas on how this should be implemented, please tell us here.

I'm a senior Terraform/Terragrunt dev, but not a skilled JavaScript dev. I might be able to implement the feature if someone from the Renovate dev team can explain the Terraform manager code better to me. Maybe we could schedule a 20 minute chat?

Otherwise, see #13375, #13356 for my thoughts on how this could be implemented.

Is this a feature you are interested in implementing yourself?

Yes

tpansino avatar Jan 06 '22 06:01 tpansino

As I said before, in Renovate, terragrunt and terraform are two different managers, and only the terraform manager supports lockfiles.

This should be easily extended to the terragrunt manager.

Maybe it's enough to re-export the update artifacts function from terraform manager.

viceice avatar Jan 06 '22 08:01 viceice

> As I said before, in Renovate, terragrunt and terraform are two different managers, and only the terraform manager supports lockfiles.

Yes, and I think there is confusion - Terragrunt does not have lock files. It calls Terraform, which creates the lockfiles.

That is why I think this may be a bug and not a feature request - because Terragrunt does not have lock files, and the tool currently supports Terraform lock files, so it seems like it should work 🤷

Regardless - I am offering to do some or all of the work to figure this out if someone can just explain the code better to me. I can make either a new Terragrunt lock file manager, or patch the Terraform lock file manager, whatever is preferred. I just need input on how to accomplish it.

tpansino avatar Jan 07 '22 00:01 tpansino

I just saw this note in the Contributor docs. I will ask for a Slack invite to get more information. 🙇

> For that reason, we have a Slack channel dedicated to helping anyone who's working on or considering Pull Requests for Renovate. Please email [email protected] and simply mention that you need an invitation to the channel and you'll be added ASAP.

tpansino avatar Jan 07 '22 00:01 tpansino

If you only need lock file maintenance, then in fact a simple wrapper of https://github.com/renovatebot/renovate/blob/de140c24ff3d515af2c434fc7e7fde46b4ae59a8/lib/manager/terraform/lockfile/index.ts#L59 should work.

This wrapper should only call the Terraform function if `config.updateType === 'lockFileMaintenance'` though, else it will fail as the updated dependency will not be a provider but a module.

secustor avatar Jan 08 '22 11:01 secustor

Would love to see the support of lockfile implemented.

begemotik avatar Sep 26 '22 10:09 begemotik

I'm a coworker of @tpansino (in fact, since he posted this he's been promoted to be my manager), and I'm planning on working on this feature.

spilliams avatar Mar 08 '23 00:03 spilliams

:tada: This issue has been resolved in version 35.95.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

renovate-release avatar May 18 '23 08:05 renovate-release

reopen because we currently only support lockfile maintenance.

viceice avatar May 18 '23 10:05 viceice

I too am interested in adding this to the terragrunt manager, see my use-case here

norman-zon avatar Jun 07 '23 09:06 norman-zon

@rarkins my wording was wrong. I would love to help to implement the feature but at the moment lack the time as well as the TypeScript skills for being helpful. What I meant to say was, I would love to see it implemented. What I could offer would be support in testing and debugging.

norman-zon avatar Jun 08 '23 06:06 norman-zon

OK. Please avoid "me too" comments in future because they just create noise.

rarkins avatar Jun 08 '23 08:06 rarkins

I don't know if this would fall within the scope of this feature request or if I should open a separate one.

It would be very helpful if updates to terragrunt lockfiles on provider updates could support automatically adding hashes for multiple architectures in the lockfile. As far as I can tell, the only way to generate a lockfile for an arch other than the one running terraform is with `terraform providers lock -platform=darwin_arm64 -platform=linux_arm64 -platform=foo`. Currently I'm attempting to work around this with a post update command that finds all `terraform.lock.hcl` files and runs the above command but it adds substantial time to updates, especially when a `required_providers.tf` being updated is only used in a few terragrunt paths and the vast majority of the lock updates are a noop.

WarpRat avatar Jun 08 '23 20:06 WarpRat
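
The post-update workaround described in the comment above spends most of its time on no-op relocks. As an added example (not part of the thread and not Renovate code), this shell helper skips lock files that already carry enough hashes; it assumes `terraform providers lock` records one `h1:` hash per requested platform, and all function names are hypothetical.

```shell
# Added example, not Renovate code. Assumption: `terraform providers lock`
# stores one "h1:" hash per requested platform for each provider, so a
# provider with fewer "h1:" entries than platforms still needs relocking.

# Constructed sample lock file (hash values are placeholders).
constructed_sample_lock() {
  cat <<'EOF'
provider "registry.terraform.io/hashicorp/aws" {
  version = "5.8.0"
  hashes = [
    "h1:CONSTRUCTED-darwin-arm64=",
    "h1:CONSTRUCTED-linux-arm64=",
    "zh:0000constructed",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.5.1"
  hashes = [
    "h1:CONSTRUCTED-linux-arm64=",
    "zh:1111constructed",
  ]
}
EOF
}

# Print every provider in lock file $1 that has fewer than $2 "h1:" hashes.
providers_missing_hashes() {
  awk -v want="$2" '
    /^provider "/        { split($0, q, "\""); name = q[2]; count = 0; next }
    name != "" && /"h1:/ { count++ }
    name != "" && /^}/   { if (count < want) print name; name = "" }
  ' "$1"
}

# Relock only where hashes are missing. $1 = search root, rest = platforms.
relock_where_needed() {
  root=$1; shift
  nplat=$#; flags=""
  for p in "$@"; do flags="$flags -platform=$p"; done
  find "$root" -name .terraform.lock.hcl | while IFS= read -r lock; do
    if [ -n "$(providers_missing_hashes "$lock" "$nplat")" ]; then
      # $flags is left unquoted on purpose so it splits into separate flags.
      (cd "$(dirname "$lock")" && terraform providers lock $flags)
    fi
  done
}
```

The search uses `.terraform.lock.hcl`, the file name Terraform writes on disk.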

That's possible; Renovate already has code to do that inside the terraform manager, which can be reused.

viceice avatar Jun 08 '23 21:06 viceice

> I don't know if this would fall within the scope of this feature request or if I should open a separate one.
>
> It would be very helpful if updates to terragrunt lockfiles on provider updates could support automatically adding hashes for multiple architectures in the lockfile. As far as I can tell, the only way to generate a lockfile for an arch other than the one running terraform is with `terraform providers lock -platform=darwin_arm64 -platform=linux_arm64 -platform=foo`. Currently I'm attempting to work around this with a post update command that finds all `terraform.lock.hcl` files and runs the above command but it adds substantial time to updates, especially when a `required_providers.tf` being updated is only used in a few terragrunt paths and the vast majority of the lock updates are a noop.

Off the top of my head, this should work out of the box, as the terragrunt manager is reusing the terraform code base, which already adds hashes for all found platforms.

secustor avatar Jun 13 '23 10:06 secustor

One thing I'm noticing is that the lockfile-only update works fine, but using pinned versions in the provider spec means that Renovate will either propose an update without the lockfile changes for anything that's pinned, or propose an update with the lockfile changes only (but not bumping in the provider spec, which I think is more or less correct behavior) for anything that has a fuzzier version spec (`>5.8.0`).

wyardley avatar Dec 12 '23 03:12 wyardley