Terraform: install modules when updating lockfile

Terraform requires modules to be installed with `terraform init` when
updating the lockfile. Opted to only run `terraform init` if the call to
`terraform providers lock` bails out and retry.

We could opt to always run `terraform init` if there are any modules
defined but would mean parsing the dependency files and checking if any
of the dependencies are modules as we only have access to the current
dependency, which in this case is provider.

terraform/lib/dependabot/terraform/file_updater.rb

@@ -90,7 +90,7 @@ def update_registry_declaration(new_req, old_req, updated_content)
         end
       end
 
-      def update_lockfile_declaration
+      def update_lockfile_declaration # rubocop:disable Metrics/AbcSize
         return if lock_file.nil?
 
         new_req = dependency.requirements.first
@@ -115,6 +115,14 @@ def update_lockfile_declaration
                  content.scan(declaration_regex).first.scan(/^\s*version\s*=.*/)
             content.sub!(declaration_regex, updated_dependency)
           end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          raise if @retrying_lock || !e.message.include?("terraform init")
+
+          # NOTE: Modules need to be installed before terraform can update the
+          # lockfile
+          @retrying_lock = true
+          SharedHelpers.run_shell_command("terraform init")
+          retry
         end
 
         content

terraform/spec/dependabot/terraform/file_updater_spec.rb

@@ -838,5 +838,51 @@ module "github_terraform" {
         )
       end
     end
+
+    describe "with a lockfile and modules that need to be installed" do
+      let(:files) { project_dependency_files("lockfile_with_modules") }
+      let(:dependencies) do
+        [
+          Dependabot::Dependency.new(
+            name: "integrations/github",
+            version: "4.12.0",
+            previous_version: "4.4.0",
+            requirements: [{
+              requirement: "4.12.0",
+              groups: [],
+              file: "main.tf",
+              source: {
+                type: "registry",
+                registry_hostname: "registry.terraform.io",
+                module_identifier: "integrations/github"
+              }
+            }],
+            previous_requirements: [{
+              requirement: "4.4.0",
+              groups: [],
+              file: "main.tf",
+              source: {
+                type: "registry",
+                registry_hostname: "registry.terraform.io",
+                module_identifier: "integrations/github"
+              }
+            }],
+            package_manager: "terraform"
+          )
+        ]
+      end
+
+      it "updates the version in the lockfile" do
+        lockfile = subject.find { |file| file.name == ".terraform.lock.hcl" }
+
+        expect(lockfile.content).to include(
+          <<~DEP
+            provider "registry.terraform.io/integrations/github" {
+              version     = "4.12.0"
+              constraints = "~> 4.4"
+          DEP
+        )
+      end
+    end
   end
 end

terraform/spec/fixtures/projects/lockfile_with_modules/caf_module.tf

@@ -0,0 +1,4 @@
+module "caf" {
+  source  = "aztfmod/caf/azurerm"
+  version = "5.1.0"
+}

terraform/spec/fixtures/projects/lockfile_with_modules/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 4.4"
+    }
+  }
+  required_version = ">= 0.14"
+}