Add CLI command to upgrade lock file without full initialization

[secustor]

Current Terraform Version

0.14.0

Use-cases

Currently to update the Terraform lock file a complete init has to be performed, but there are cases when the Dev has not all the configuration options available e.g. blob storage access keys for the backend.
Therefore he can not run terraform init -upgrade.

The same goes for centrally run tooling, where you want to also split up the secret management.

Attempted Solutions

Locally the user can remove the backend block temporarily.
Automation has not this option available.

Proposal

Add a flag which prevents the backend initialization terraform init -upgrade -skip-backend

Would you accept a PR for this?

[apparentlymart]

Hi @secustor,

If I'm understanding correctly the use-case you're describing, I think the existing terraform providers lock will do what you need.

[secustor]

Thx for the fast response!

This works for initially creating the lock file but not for updating it.
If I change the constraint and rerun terraform providers lock it does not update the existing .terraform.lock.hcl file.

As this is pretty similar to the use case which I have, there could be a flag added to terraform providers lock.
Some suggestions from top of my head:

• terraform providers lock -force
• terraform providers lock -reinitialize
• terraform providers lock -reconfigure

BTW terraform init -upgrade -backend=false doesn't update the lock file either

[minamijoyo]

I noticed that the terraform providers lock command requires terraform init if a root module depends on other modules.

For example:

main.tf

module "foo" {
  source = "./foo"
}

foo/foo.tf

resource "null_resource" "foo" {}

$ terraform -v
Terraform v0.14.0

Your version of Terraform is out of date! The latest version
is 0.14.2. You can update by downloading from https://www.terraform.io/downloads.html

$ terraform providers lock

Error: Module not installed

  on main.tf line 1:
   1: module "foo" {

This module is not yet installed. Run "terraform init" to install all modules
required by this configuration.

In my use-case, I have 200+ root modules and I'm automating a provider version upgrade process in CI, it's possible but inefficient that updating lock files requires initialization

[apparentlymart]

Hi @minamijoyo,

Thanks for that additional note. Unfortunately I'm not sure how best to deal with that constraint because the content of your modules contributes to deciding which providers and which versions to select, so we do need to have all of the modules available in order to make a correct version selection in order to update the lock file. 🤔

[apparentlymart]

It seems like part of what might help here is for the terraform providers lock command to also accept an -upgrade argument like terraform init does, which would cause the command to ignore all of the existing locks and select the newest version matching the constraints from upstream. That does seem doable, because we already have an example of such behavior in terraform init.

terraform init -upgrade not selecting a new version seems like a bug, so if you wouldn't mind I'd like to talk about that one in a separate issue so we can capture some reproduction steps for it and get it fixed independently of designing a solution for this feature request.

Thanks!

[apparentlymart]

A workaround for the moment, to get the same effect as I described for this -upgrade option, would be to delete .terraform.lock.hcl before you run terraform providers lock. That way Terraform will have no existing lock entries to refer to, and so it will be forced to select the latest available versions that meet the constraints. It'll then generate a new lock file based on that result, which you should still be able to git diff (or similar) with the previous one to see what changed.

[minamijoyo]

@apparentlymart Thank you for your reply. I have a related but different concern. So I've opened a new issue #27264 for sharing my context in detail.