Hi there!
I’m interested to know how Terraform suggests we should be using lock files alongside a CI solution. I understand that the idea of a dependency lock is to allow the dependency versions to be consistent when running Terraform. Naturally, I would expect a lock file to be committed into the code base, so that when a CI tool then clones the repo and runs Terraform, the dependencies that are selected are predictable.
The confusion comes here when we start using a CI tool for all runs of Terraform. Let me explain the use-case in more detail:
We don’t want engineers to download or store service account keys on their local machines to use to run plans while developing. Therefore, engineers don’t run plans locally; instead they push code to a VCS branch, and the CI tool will then run a plan and generate an output for the engineer to view. This is great because all our service accounts are kept secure, and we don’t need to grant our engineers any permissions (following the concept of least-privileged access).
However, this means that we never commit any changes to the lock file, because the CI doesn’t commit anything into VCS (and this would seem overly complicated to set up), and engineers never run Terraform locally.
What is the suggested way to use lock files with CI? Are we doing something drastically wrong here? Or should we just ignore lock files completely and specifically set exact versions in our Terraform code? It would be good to get some opinions / examples of how other people are using Terraform locks!
Thanks in advance!
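An added example, not part of the original post, of how a CI job can enforce the committed lock file instead of updating it: a POSIX shell pre-flight that checks every provider declared under required_providers is pinned in .terraform.lock.hcl, then runs terraform init with -lockfile=readonly so a drifted lock fails the job rather than being silently rewritten. The function names and the lock-file parsing are this example's own, not Terraform's.

```shell
# Added example (not from the original post): CI pre-flight for the committed
# .terraform.lock.hcl. The job never writes back to VCS; it refuses to run when
# the lock file would have to change. Function names are this example's own.
set -eu

# Provider addresses pinned in a lock file, one per line. Entries look like:
#   provider "registry.terraform.io/hashicorp/google" {
lock_providers() {
  sed -n 's/^provider "\([^"]*\)" {.*/\1/p' "$1" | sort -u
}

# Provider addresses declared under required_providers in a module's *.tf files,
# normalised to the registry form the lock file uses. Brace depth is tracked so
# a module's `source = "./x"` outside the block is not mistaken for a provider.
required_providers() {
  awk '
    /required_providers[[:space:]]*=?[[:space:]]*[{]/ { inblk = 1; depth = 0 }
    inblk {
      if (match($0, /source[[:space:]]*=[[:space:]]*"[^"]*"/)) {
        s = substr($0, RSTART, RLENGTH); sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        if (split(s, parts, "/") == 2) s = "registry.terraform.io/" s
        print s
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) inblk = 0
    }' "$1"/*.tf | sort -u
}

# Return 0 if every required provider is pinned in the lock file, 1 otherwise;
# missing addresses are printed so the engineer sees them in the CI log.
check_lock_covers() {    # $1 = module dir, $2 = lock file
  pinned=$(lock_providers "$2")
  rc=0
  for p in $(required_providers "$1"); do
    if ! printf '%s\n' "$pinned" | grep -qxF -- "$p"; then
      echo "required provider $p is not pinned in $2" >&2
      rc=1
    fi
  done
  return "$rc"
}

# The CI job: -lockfile=readonly makes init fail instead of rewriting the lock
# file when the selected versions differ from the committed ones.
ci_plan() {              # $1 = module dir
  check_lock_covers "$1" "$1/.terraform.lock.hcl"
  terraform -chdir="$1" init -input=false -lockfile=readonly
  terraform -chdir="$1" plan -input=false -out=tfplan
}
```

Call `ci_plan <module dir>` from the CI job; when a version bump or a new platform needs the lock refreshed, `terraform providers lock` talks to the provider registry rather than the cloud account, so it can be run without the service account keys the post keeps off engineers' machines.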