Dependency Lock File + Checkpoint + Multi OS

Terraform
1

Continuing the discussion from Terraform 0.14: The Dependency Lock File:

Thanks for you reply @apparentlymart!

With that said, it sounds like you have some non-default CLI configuration which is overriding Terraform’s default behavior of installing each provider directly from its origin registry and, at the same time, capturing all of the checksums signed by the original publisher to get coverage across all platforms.

I am trying to use Terraform as simply and natively possible. I don’t use a wrapper, I am actually running away from Terragrunt and I barely have some environment variables set.

Here is the templated provider.tf that I use:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

locals {
  namespace     = basename(dirname(dirname(dirname(dirname(dirname(abspath(path.root)))))))
  account_alias = basename(dirname(dirname(dirname(abspath(path.root)))))
  environment   = basename(dirname(dirname(abspath(path.root))))
  region        = basename(dirname(abspath(path.root)))
  stack_name    = basename(abspath(path.root))
  accounts      = jsondecode(file("${path.root}/../../../../accounts.json"))
  account       = lookup(local.accounts, local.account_alias)
}

provider "aws" {
  region = local.region

  assume_role {
    role_arn = local.account.role_arn
  }

  default_tags {
    tags = {
      ManagedBy = "Terraform"
    }
  }
}

Here is the manually locked file:

provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.56.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:L0F0l8AuDcLL+Grob4eHWdc3jm/dCufnU5lWWEpi+F8=",
    "h1:NOcsKH9iVol7wvVaKJxzAy99rWLXx24FETwVwC8ok5Y=",
    "h1:XuiEcFvwm+GkRpt4MqfwJpfdU2BssSjpyqMkqrI3Pjs=",
    "h1:i7QpN5YsUdrd6GNY4RkRu6+a7F16nBsd3tDVxNp1iAQ=",
    "h1:tVVNmfRMjOQ+LJYWfqLbDTkNnraXG1JFMgHKJAcERb4=",
    "zh:001373be6fbc5738bf8c3aa8688b248ba5f99b04174310c0efcbbf23e6c4dc29",
    "zh:0d4af59266668089790f5a7bdeb25642ba750fb5dc7934fe28d1cc36310ba495",
    "zh:1413ff4d445678c096d46e8957e27320df94561354955d7bc5d8054b6df7b299",
    "zh:19d614259f7ce16b50ec07868404b58749702baaf86bcd14fbaea2756e1c9f25",
    "zh:2d148ff632da25852622b06b5be9f5a0b6d509621a002a47338f96509021945b",
    "zh:3959a1d989c99f3e7cdd5de07eb3e7df7a85e19677488278c77ab753dd7127e6",
    "zh:5d8d65b458a8934dc67d22904da368b5bc3a77fb9c900ac89c54e736a221b76f",
    "zh:94d5660e56118fcaa40fccaff960a9bf4166b7b0e7fedeb21b2402c8fc7b4cb1",
    "zh:a6002ecc23ebc468ccac6f36c0ed7cc95de3223ef6b100e6c81762d22cc14077",
    "zh:b0880c82bc2ad395ef3dbf5a592a23e65bf943df8995d5d4238740f96a02f529",
    "zh:ee65f3d2c13653e0828222a63fb832f98e9835b84443eeca00ce36ae39783c08",
  ]
}

Then, regenerating the lock file:

$ mv .terraform.lock.hcl .terraform.lock.hcl.old
$ terraform init

Initializing the backend...

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/aws versions matching "~> 3.0"...
- Installing hashicorp/aws v3.57.0...
- Installed hashicorp/aws v3.57.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
$ cat .terraform.lock.hcl
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.57.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:H6JCnoa3swF3rgHL0ys9KNArffU+IEGPvhQ6JnfQY/c=",
    "zh:241a4203078ea35f63202b613f0e4b428a842734ded62d9f487cdf7c2a66d639",
    "zh:2c1cbf3cd03a2a7ff267be09cedf1698738c372b1411ca74cfcb3bf4b0846f27",
    "zh:318ad2331f60e03d284f90f728486b9df7ac9570af641c43b56216357e624b52",
    "zh:43ff96b34b4829a34693281492786b9ca6dd06870dd45b0ae82ea352c33353d7",
    "zh:6c36b874622603793fc637272742d84ecbf68dfe4c8d8148bb6e9b733cd0e216",
    "zh:7a1aaac01c82d06f9ebc997ae2094a7d96e7a467aaaeaa1cda64ee952f3144d8",
    "zh:9b917b03b8771f87a021fe7aa9fd00ae06cc455a1eaa1fb748930182617b2772",
    "zh:bd90550e6d9311092170f4935e42e91e6d8bed5241e41eca39fa4aeca28d9c6f",
    "zh:be5076ea705c174581fd616b118e0c17d15bd8ab0da1b3eee4f3fb6b11e78f2c",
    "zh:f4f0d13414c932ecf65ba92daab6e755c244dcb77b4be59a3ac18ba2f56cdc00",
    "zh:fa3575a23fd20ce00658977374491022c4c0c36a00260ebeebb0c3f3af4824aa",
  ]
}

Could it be related to CHECKPOINT_DISABLE=true in my env? I set this to not get this constant reminder. Looks like it has an impact. Unsetting this var, removing lockfile and rerunning terraform init, I dont have the zh anymore:

$ git diff
diff --git a/.envrc b/.envrc
index 95198c8..e110b1f 100644
--- a/.envrc
+++ b/.envrc
@@ -16,6 +16,6 @@ export AWS_STS_REGIONAL_ENDPOINTS=regional

 # Using version pinning, not interested in getting notifications
 # from HashiCorp about newer version of Terraform.
-export CHECKPOINT_DISABLE=true
+#export CHECKPOINT_DISABLE=true

 source_env_if_exists .envrc.private
diff --git a/stacks/infrastructure/aws/main/production/ap-southeast-2/iam/.terraform.lock.hcl b/stacks/infrastructure/aws/main/production/ap-southeast-2/iam/.terraform.lock.hcl
index e04f8ec..34eeda0 100644
--- a/stacks/infrastructure/aws/main/production/ap-southeast-2/iam/.terraform.lock.hcl
+++ b/stacks/infrastructure/aws/main/production/ap-southeast-2/iam/.terraform.lock.hcl
@@ -2,24 +2,9 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "3.56.0"
+  version     = "3.57.0"
   constraints = "~> 3.0"
   hashes = [
-    "h1:L0F0l8AuDcLL+Grob4eHWdc3jm/dCufnU5lWWEpi+F8=",
-    "h1:NOcsKH9iVol7wvVaKJxzAy99rWLXx24FETwVwC8ok5Y=",
-    "h1:XuiEcFvwm+GkRpt4MqfwJpfdU2BssSjpyqMkqrI3Pjs=",
-    "h1:i7QpN5YsUdrd6GNY4RkRu6+a7F16nBsd3tDVxNp1iAQ=",
-    "h1:tVVNmfRMjOQ+LJYWfqLbDTkNnraXG1JFMgHKJAcERb4=",
-    "zh:001373be6fbc5738bf8c3aa8688b248ba5f99b04174310c0efcbbf23e6c4dc29",
-    "zh:0d4af59266668089790f5a7bdeb25642ba750fb5dc7934fe28d1cc36310ba495",
-    "zh:1413ff4d445678c096d46e8957e27320df94561354955d7bc5d8054b6df7b299",
-    "zh:19d614259f7ce16b50ec07868404b58749702baaf86bcd14fbaea2756e1c9f25",
-    "zh:2d148ff632da25852622b06b5be9f5a0b6d509621a002a47338f96509021945b",
-    "zh:3959a1d989c99f3e7cdd5de07eb3e7df7a85e19677488278c77ab753dd7127e6",
-    "zh:5d8d65b458a8934dc67d22904da368b5bc3a77fb9c900ac89c54e736a221b76f",
-    "zh:94d5660e56118fcaa40fccaff960a9bf4166b7b0e7fedeb21b2402c8fc7b4cb1",
-    "zh:a6002ecc23ebc468ccac6f36c0ed7cc95de3223ef6b100e6c81762d22cc14077",
-    "zh:b0880c82bc2ad395ef3dbf5a592a23e65bf943df8995d5d4238740f96a02f529",
-    "zh:ee65f3d2c13653e0828222a63fb832f98e9835b84443eeca00ce36ae39783c08",
+    "h1:H6JCnoa3swF3rgHL0ys9KNArffU+IEGPvhQ6JnfQY/c=",
   ]
 }