I am using a module listed in the Terraform Registry, which is working great. For security and reproducibility reasons, I want to ensure the exact version of third-party modules and their dependencies get used across machines. Ideas:
Specify the specific version of the module rather than a range
Add the modules and their dependencies to the repository manually
Problems (minor):
Clutters the repository
Harder to upgrade
Add .terraform/modules/modules.json to version control
Problem: Terraform may not guarantee this file is used to pick the specific module versions.
Add .terraform/modules/ to version control
Problem (minor): Clutters the repository
Thoughts? Essentially, I want the equivalent of Bundler’s Gemfile.lock or NPM’s package-lock.json, but would be ok with “vendoring” (checking the modules into the repository) as a next-best thing. Thanks!
At the moment the only option that would (mostly) fit your constraints is to fork the modules you intend to use and then use your forks as dependencies. If you retain them as separate repositories then you can still pull in new tags from upstream relatively easily when you want to use them, but you’ll be in control of when they change.
Copying them into your repository is also possible, but I imagine you were looking for an automated tool to do that, rather than just doing it manually. There is no such tool today.
Dependency locking like the systems you referred to is likely to come eventually, but isn’t present today.
Yes, sorry @marco-m… the forum seems to prefer to match the most recent participant rather than the original poster, so I sometimes get caught out using tab completion.