Information about Terraform dependencies on 3rd party software

We are trying to move to Terraform 0.14 from a lower version. One prerequisite for getting organizational approval for use of Terraform is to provide a list of all the dependencies used by Terraform, and their respective licenses. In the earlier versions of Terraform, this information was present in the “vendor” folder of the Terraform source tree. In Terraform 0.14, the “vendor” folder has been removed. Where do we now get information about the dependencies and their licenses?

Hi @gihari,

In all versions of Terraform since we adopted Go Modules for dependency management, the primary way to see Terraform’s dependencies is to inspect the go.mod and go.sum files in the root of the repository, associated with the Git tag which describes the version you are interested in.

Another technique, which you could potentially combine with analyzing go.mod/go.sum if you need extra certainty, is to use the separate goversion utility to extract the module dependency information recorded by the Go toolchain directly from the Terraform executable file:

$ goversion -mh /usr/local/bin/bin/terraform
/home/mart/go/1.16.0/bin/terraform go1.16
        path  github.com/hashicorp/terraform
        mod   github.com/hashicorp/terraform                    (devel)
        dep   cloud.google.com/go                               v0.65.0                                h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
        dep   cloud.google.com/go/storage                       v1.10.0                                h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA=
        dep   github.com/Azure/azure-sdk-for-go                 v47.1.0+incompatible                   h1:D6MsWmsxF+pEjN/yZDyKXoUrsamdBdTlPedIgBlvVx4=
        dep   github.com/Azure/go-autorest/autorest             v0.11.10                               h1:j5sGbX7uj1ieYYkQ3Mpvewd4DCsEQ+ZeJpqnSM9pjnM=
        dep   github.com/Azure/go-autorest/autorest/adal        v0.9.5                                 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0=
        dep   github.com/Azure/go-autorest/autorest/azure/cli   v0.4.2                                 h1:dMOmEJfkLKW/7JsokJqkyoYSgmR08hi9KrhjZb+JALY=
        dep   github.com/Azure/go-autorest/autorest/date        v0.3.0                                 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
        dep   github.com/Azure/go-autorest/autorest/to          v0.4.0                                 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
        dep   github.com/Azure/go-autorest/autorest/validation  v0.3.0                                 h1:3I9AAI63HfcLtphd9g39ruUwRI+Ca+z/f36KHPFRUss=
        dep   github.com/Azure/go-autorest/logger               v0.2.0                                 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
        dep   github.com/Azure/go-autorest/tracing              v0.6.0                                 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
        dep   github.com/Azure/go-ntlmssp                       v0.0.0-20200615164410-66371956d46c     h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
...(etc)...

Of course in both of these cases you must trust that the metadata is truthful about what was used in the build, so depending on your threat model you may prefer to build your own terraform executable directly from the source code associated with the relevant tag, and thus be assured that the Go toolchain will select the exact packages recorded in go.mod and go.sum. (I can tell you that the official build process doesn’t do anything to subvert that usual process, so the result should not be materially different, but I can’t know whether your organizational policies allow you to trust that to be true for an executable you didn’t build.)

1 Like
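The two techniques in the reply above (read go.mod/go.sum at the tag, and read the module list the Go toolchain embeds in the executable) can be combined into one mechanical cross-check: every module the binary says it was built from must appear in go.sum at the corresponding tag with the same h1 hash. The program below is an added example, not code from the thread or from the Terraform project. It parses `goversion -mh` style output (the same record format `go version -m <binary>` prints), parses go.sum, and reports any module that is missing from go.sum or whose hash disagrees. It also shows how to read the same metadata with the standard library's `debug/buildinfo` package (Go 1.18 and later), so the third-party goversion tool is optional. The embedded go.sum text and dep listing are constructed sample input: the first three entries reuse values from the listing above, and the `example.com/constructed/...` modules are invented to trigger the two failure modes.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Dep is one module recorded in a Go binary's build metadata:
// module path, version, and the h1: hash of the module zip.
type Dep struct {
	Path, Version, Sum string
}

// ParseGoSum turns go.sum text into a map "path version" -> h1 hash.
// "/go.mod" lines hash only the go.mod file, not the module contents,
// and the binary records the content hash, so those lines are skipped.
func ParseGoSum(text string) map[string]string {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums
}

// ParseGoversionDeps extracts the "dep" records from goversion -mh or
// go version -m output; path/mod/build lines are ignored.
func ParseGoversionDeps(text string) []Dep {
	var deps []Dep
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0] != "dep" {
			continue
		}
		d := Dep{Path: f[1], Version: f[2]}
		if len(f) >= 4 {
			d.Sum = f[3]
		}
		deps = append(deps, d)
	}
	return deps
}

// DepsFromBinary reads the embedded module list straight from an executable
// using the standard library (Go 1.18+). A replace directive is resolved to
// the module that was actually compiled in.
func DepsFromBinary(path string) ([]Dep, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var deps []Dep
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		deps = append(deps, Dep{Path: m.Path, Version: m.Version, Sum: m.Sum})
	}
	return deps, nil
}

// CrossCheck lists every module the binary records that is absent from
// go.sum or whose hash disagrees with go.sum. Empty means consistent.
func CrossCheck(deps []Dep, sums map[string]string) []string {
	var problems []string
	for _, d := range deps {
		want, ok := sums[d.Path+" "+d.Version]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("%s@%s: not in go.sum", d.Path, d.Version))
		case d.Sum != "" && d.Sum != want:
			problems = append(problems, fmt.Sprintf("%s@%s: hash %s in binary, %s in go.sum", d.Path, d.Version, d.Sum, want))
		}
	}
	sort.Strings(problems)
	return problems
}

// Constructed sample go.sum: real-looking entries plus one invented module
// whose hash deliberately differs from what the "binary" below reports.
const sampleGoSum = `cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
cloud.google.com/go v0.65.0/go.mod h1:constructedGoModOnlyHashIsIgnored=
cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA=
github.com/Azure/azure-sdk-for-go v47.1.0+incompatible h1:D6MsWmsxF+pEjN/yZDyKXoUrsamdBdTlPedIgBlvVx4=
example.com/constructed/tampered v0.1.0 h1:constructedOriginalHash=
`

// Constructed sample goversion -mh output for a hypothetical build.
const sampleGoversion = `/usr/local/bin/terraform go1.16
	path	github.com/hashicorp/terraform
	mod	github.com/hashicorp/terraform	(devel)
	dep	cloud.google.com/go	v0.65.0	h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
	dep	cloud.google.com/go/storage	v1.10.0	h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA=
	dep	github.com/Azure/azure-sdk-for-go	v47.1.0+incompatible	h1:D6MsWmsxF+pEjN/yZDyKXoUrsamdBdTlPedIgBlvVx4=
	dep	example.com/constructed/tampered	v0.1.0	h1:constructedDifferentHash=
	dep	example.com/constructed/unlisted	v9.9.9	h1:constructedHashNotInGoSum=
`

func main() {
	sums := ParseGoSum(sampleGoSum)
	deps := ParseGoversionDeps(sampleGoversion)
	if len(os.Args) == 3 { // real use: <terraform binary> <go.sum checked out at the matching tag>
		var err error
		if deps, err = DepsFromBinary(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		raw, err := os.ReadFile(os.Args[2])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		sums = ParseGoSum(string(raw))
	}
	for _, p := range CrossCheck(deps, sums) {
		fmt.Println("MISMATCH:", p)
	}
}
```

Run it with no arguments to see the two constructed failures; run it as `./checker /path/to/terraform go.sum` with go.sum taken from `git show vX.Y.Z:go.sum` to check a real release. The check only proves that the binary's self-reported module list is consistent with the tagged source; as the reply above notes, the embedded metadata is still trusted input, and a build you produce yourself from the tag is the only way to remove that trust assumption entirely.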

If you’re interested in all of the licenses for Terraform (or any Go project) dependencies, you might want to try golicense:

1 Like

Hi,
Thank you very much for the detailed reply. I will try it out.

Hari