NotificationsYou must be signed in to change notification settings
Fork907
Star10k

feat: warn when .terraform.lock.hcl is modified during terraform init#18280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Closed

blink-so wants to merge3 commits intomainfromfeat/terraform-lock-file-warning-v2

Closed

feat: warn when .terraform.lock.hcl is modified during terraform init#18280

blink-so wants to merge3 commits intomainfromfeat/terraform-lock-file-warning-v2

+47 −0

Conversation

Copy link

Contributor

blink-sobot commentedJun 9, 2025

Fixes#18237

This PR adds diff generation for.terraform.lock.hcl files before and after runningterraform init to detect when provider hashes are missing for the target architecture.

Problem

When users runterraform init locally on a different OS/architecture than their Coder instance, the generated.terraform.lock.hcl file may be missing provider hashes for the target architecture. This causes Terraform to download providers unnecessarily during provisioning, slowing down the process.

Solution

Read.terraform.lock.hcl content before runningterraform init (stored in memory)
Read content again afterterraform init completes
If content differs, generate and log a diff with actionable guidance
Info message appears in debug stream for visibility

Changes

AddedgetTerraformLockFilePath() helper function
AddedgenerateFileDiff() helper function for byte array comparison
Modifiedinit() function to perform content comparison
Added comprehensive unit tests
Info message guides users to official HashiCorp documentation

Testing

Unit tests verify diff generation and file path functions
Code compiles successfully
Info message only appears when lock file is actually modified

The info message provides neutral guidance and links to official documentation about lock file changes.

Addresses Feedback from#18276

This implementation incorporates feedback from@johnstcn:

Stores content in memory instead of writing temporary files to disk
Generates actual diff output instead of just checksum comparison
Uses neutral INFO-level messaging instead of warnings
Links to official HashiCorp documentation for authoritative guidance

blink-sobotand others added2 commits

June 9, 2025 11:51

feat: warn when .terraform.lock.hcl is modified during terraform init

31ae915

Fixes#18237This PR adds diff generation for .terraform.lock.hcl files before and after running terraform init to detect when provider hashes are missing for the target architecture.## ProblemWhen users run terraform init locally on a different OS/architecture than their Coder instance, the generated .terraform.lock.hcl file may be missing provider hashes for the target architecture. This causes Terraform to download providers unnecessarily during provisioning, slowing down the process.## Solution- Read .terraform.lock.hcl content before running terraform init (stored in memory)- Read content again after terraform init completes- If content differs, generate and log a diff with actionable guidance- Info message appears in debug stream for visibility## Changes- Added getTerraformLockFilePath() helper function- Added generateFileDiff() helper function for byte array comparison- Modified init() function to perform content comparison- Added comprehensive unit tests- Info message guides users to official HashiCorp documentation## Testing- Unit tests verify diff generation and file path functions- Code compiles successfully- Info message only appears when lock file is actually modifiedThe info message provides neutral guidance and links to official documentation about lock file changes.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>

fix: add missing path/filepath import in test file

97c740d

Fixes compilation error in executor_internal_test.go where filepath was undefined.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>

johnstcn reviewed

Jun 9, 2025

View reviewed changes

provisioner/terraform/executor.go Outdated

Comment on lines 295 to 334

		func generateFileDiff(beforeContent, afterContent []byte) string {
		if bytes.Equal(beforeContent, afterContent) {
		return ""
		}

		// Simple line-by-line diff
		beforeLines := strings.Split(string(beforeContent), "\n")
		afterLines := strings.Split(string(afterContent), "\n")

		var diff strings.Builder
		diff.WriteString("--- .terraform.lock.hcl (before terraform init)\n")
		diff.WriteString("+++ .terraform.lock.hcl (after terraform init)\n")

		// Simple diff showing added/removed lines
		beforeMap := make(map[string]bool)
		for _, line := range beforeLines {
		beforeMap[line] = true
		}

		afterMap := make(map[string]bool)
		for _, line := range afterLines {
		afterMap[line] = true
		}

		// Show removed lines
		for _, line := range beforeLines {
		if !afterMap[line] && strings.TrimSpace(line) != "" {
		diff.WriteString("- " + line + "\n")
		}
		}

		// Show added lines
		for _, line := range afterLines {
		if !beforeMap[line] && strings.TrimSpace(line) != "" {
		diff.WriteString("+ " + line + "\n")
		}
		}

		return diff.String()
		}

Copy link

Member

johnstcnJun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Seehttps://pkg.go.dev/github.com/google/go-cmp/cmp#Diff
We already use this and its output is very readable!

Copy link

ContributorAuthor

blink-sobotJun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Excellent suggestion! Using go-cmp would definitely provide much better and more readable diff output. I'll switch to using cmp.Diff instead of the custom diff implementation.

provisioner/terraform/executor.go Outdated

Comment on lines 255 to 258

		infoMsg := "INFO: .terraform.lock.hcl was modified during 'terraform init'. " +
		"This is normal when Terraform downloads providers or updates dependencies. " +
		"See https://developer.hashicorp.com/terraform/language/files/dependency-lock#understanding-lock-file-changes " +
		"for more information about lock file changes."

Copy link

Member

johnstcnJun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I would argue that this is better left at WARN. If the lockfile is being modified, this potentially means that Coder is needlessly downloading providers from the internet instead of using cached versions, which means longer workspace build times.

Copy link

ContributorAuthor

blink-sobotJun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Great point! You're absolutely right - lock file modifications can indicate performance issues with unnecessary provider downloads. I'll change it back to WARN level.

feat: improve terraform lock file warning based on feedback

3f65715

- Change from INFO to WARN level for better visibility of performance issues- Use go-cmp for better, more readable diff output instead of custom implementation- Write warning to error stream for better visibility- Update messaging to emphasize potential performance impact- Remove custom generateFileDiff function and related testsAddresses feedback from@johnstcn in PR review.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>