Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

feat: warn when .terraform.lock.hcl is modified during terraform init#18276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
blink-so wants to merge6 commits intomain
base:main
Choose a base branch
Loading
fromfix/terraform-lock-file-warning

Conversation

blink-so[bot]
Copy link
Contributor

@blink-soblink-sobot commentedJun 8, 2025

Fixes#18237

This PR adds checksum validation for.terraform.lock.hcl files before and after runningterraform init to detect when provider hashes are missing for the target architecture.

Problem

When users runterraform init locally on a different OS/architecture than their Coder instance, the generated.terraform.lock.hcl file may be missing provider hashes for the target architecture. This causes Terraform to download providers unnecessarily during provisioning, slowing down the process.

Solution

  • Calculate SHA256 checksum of.terraform.lock.hcl before runningterraform init
  • Calculate checksum again afterterraform init completes
  • If checksums differ, log a warning with actionable guidance
  • Warning appears in both debug and error streams for visibility

Changes

  • AddedcalculateFileChecksum() helper function using SHA256
  • AddedgetTerraformLockFilePath() helper function
  • Modifiedinit() function to perform checksum validation
  • Added comprehensive unit tests
  • Warning message guides users to regenerate lock file on correct architecture

Testing

  • Unit tests verify checksum calculation and file path functions
  • Code compiles successfully
  • Warning only appears when lock file is actually modified

The warning message provides clear guidance on how to resolve the issue by regenerating the lock file on the same OS/architecture as the Coder instance.

blink-sobotand others added5 commitsJune 8, 2025 02:20
This change addresses issue#18237 by adding checksum validation for.terraform.lock.hcl files before and after running terraform init.When the lock file is modified during init, it indicates that providerhashes may be missing for the target architecture, leading to unnecessaryprovider downloads and slower provisioning.Changes:- Add calculateFileChecksum() helper function using SHA256- Add getTerraformLockFilePath() helper function- Modify init() function to calculate checksums before/after terraform init- Log warning when lock file changes with actionable guidance- Add unit tests for new functionalityThe warning message guides users to regenerate the lock file on the sameOS/architecture as their Coder instance to improve performance.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Fixes gosec G306 linting error that expects WriteFile permissionsto be 0600 or less for security reasons.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Copy link
Member

@johnstcnjohnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

There's lots of other reasons for modifications to the lock file. The current wording we add could potentially send folks down a rabbit hole.

What if we instead:

  1. Logged thediff of the lock file to provide additional troubleshooting information,

  2. Linked to the official documentationhttps://developer.hashicorp.com/terraform/language/files/dependency-lock#understanding-lock-file-changes so that folks can figure out the potential reason on their own?

@blink-soblink.so
Copy link
ContributorAuthor

blink-sobot commentedJun 9, 2025

Great feedback@johnstcn! You're absolutely right that there are many reasons for lock file modifications and the current warning could be misleading.

I'll implement your suggestions:

  1. Log the diff: This will provide much more actionable troubleshooting information
  2. Link to official docs: Better to direct users to authoritative documentation rather than making assumptions

This approach will be more helpful and less presumptuous about the cause. Let me update the implementation accordingly.

Based on review feedback from@johnstcn, this commit improves theterraform lock file change detection by:1. **Logging actual diff**: Instead of just checksums, now logs the   actual differences in the lock file, providing actionable   troubleshooting information.2. **Neutral messaging**: Changed from WARNING to INFO level with   neutral language that doesn't assume the cause of changes.3. **Official documentation**: Links to HashiCorp's official   documentation about lock file changes instead of making   assumptions about the cause.4. **Better user experience**: Users get helpful diff output and   can understand what changed and why, rather than being sent   down a potentially incorrect troubleshooting path.The implementation now:- Saves the original lock file before terraform init- Generates a simple diff showing added/removed lines- Provides informative messaging with official docs link- Includes comprehensive test coverageCo-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
@blink-soblink.so
Copy link
ContributorAuthor

blink-sobot commentedJun 9, 2025

Implemented the suggested improvements!

I've updated the implementation based on your excellent feedback:

Changes Made

1.Actual Diff Logging 📊

  • Replaced checksum comparison with actual file diff generation
  • Shows added/removed lines with+/- prefixes
  • Provides actionable troubleshooting information

2.Neutral Messaging ℹ️

  • Changed fromWARNING toINFO level
  • Removed assumptions about the cause
  • Uses neutral language: "This is normal when Terraform downloads providers or updates dependencies"

3.Official Documentation Link 📚

4.Better Implementation 🔧

  • Saves original lock file beforeterraform init
  • Generates simple but informative diff output
  • Cleans up temporary files automatically
  • Added comprehensive test coverage for the new diff functionality

Example Output

INFO: .terraform.lock.hcl was modified during 'terraform init'. This is normal when Terraform downloads providers or updates dependencies. See https://developer.hashicorp.com/terraform/language/files/dependency-lock#understanding-lock-file-changes for more information about lock file changes.Lock file changes:--- .terraform.lock.hcl (before terraform init)+++ .terraform.lock.hcl (after terraform init)- # This file is maintained automatically by "terraform init".+ # This file is maintained automatically by "terraform init".+ provider "registry.terraform.io/hashicorp/aws" {+   version = "5.99.1"+   hashes = [+     "h1:abc123...",+   ]+ }

This approach is much more helpful and doesn't make assumptions about why the lock file changed. Thanks for the great suggestions! 🙏


// Copy the lock file if it exists
if lockFileData, err := os.ReadFile(lockFilePath); err == nil {
_ = os.WriteFile(preInitLockFile, lockFileData, 0644)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

  1. This needs to be formatted speficially as octal, e.g.:
-_ = os.WriteFile(preInitLockFile, lockFileData, 0644)+_ = os.WriteFile(preInitLockFile, lockFileData, 0o644)
  1. I don't think we should be writing to the work directory directly. If we need to write a file, we should write to a temporary directory instead. Do weactually need to persist the lock file content pre-init? Can't we just store in memory instead?

  2. If we write a file to disk, we need to ensure we use minimal permissions (0o600) or thegosec linter will complain.

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@johnstcnjohnstcnjohnstcn left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Warn if your .terraform.lock.hcl is modified after runningterraform init
1 participant
@johnstcn

[8]ページ先頭

©2009-2025 Movatter.jp