Requiring provider versions through cdktf.json

I am trying to pin the required provider in my cdktf.json to a specific version of a provider but it doesn’t appear to acting how I would expect.

In my cdktf.json I have:

"terraformProviders": [
  "aws",
  "github@= 4.26.0"
],

However, when I run the cdktf plan command, I see the following produced in my cdk.tf.json:

"required_providers": {
  "aws": {
    "source": "aws",
    "version": "4.24.0"
  },
  "github": {
    "source": "integrations/github",
    "version": "4.28.0"
  }
}

It seems to always pull the latest version no matter what permutation of version constraining I add to the cdktf.json. Is my understanding off here? Is this how I’m supposed to be setting it?

Did you run cdktf get before planning again?

Yes I did, but I think I found the root cause of the issue:

It seems as though the npm package for the github provider hardcodes the version used, which probably overwrites whatever is specified in the cdktf.json

Hi @dvargas92495

It seems like you are using both a pre-built provider (installed via npm) and a locally built one. You can only use either one at the same time.

If there is a specific reason for pinning a certain version of the Github Terraform provider, you can use local bindings (as defined in cdktf.json). You have to change your imports to import from ./.gen/providers/github (roughly) in that case.
If you use the pre-built one, you can remove it from the cdktf.json file.

P.S. You can also run cdktf provider add github@=4.26.0 which will automatically either install the version of the pre-built Github provider that contains exactly that provider version or default to the locally built provider (adding it to cdktf.json) if no pre-built provider package for that exact version exists.

Ah I see, so if I’m using the pre-build providers, then I don’t need to specify "terraformProviders" in my cdktf.json? That would be preferred.

So it appears then if I want the provider version 4.26.0, I just need to rollback my pre-built provider, which seems to work

Ah I see, so if I’m using the pre-build providers, then I don’t need to specify "terraformProviders" in my cdktf.json?

Exactly!

So it appears then if I want the provider version 4.26.0, I just need to rollback my pre-built provider, which seems to work

Yup, that would be the way to go. However, as soon as you might need to upgrade CDKTF, there probably won’t be a pre-built provider for that 4.26.0 which may require you to use locally generated bindings then (or upgrade the provider version as hopefully whatever might be holding you back could be fixed in a future version then).

Just out of curiosity: What is keeping you on version 4.26.0?

Version 4.27.0 and 4.27.1 were taken off of GitHub, so was just trying to find one that worked. I thought version 4.28.0 was also broken in the same way, but since the start of my post, I realized I had a user error and have upgraded the prebuilt package to latest. Thanks for the help!