Third-party Terraform module security/reproducibility

I am using a module listed in the Terraform Registry, which is working great. For security and reproducibility reasons, I want to ensure the exact version of third-party modules and their dependencies get used across machines. Ideas:

  • Specify the specific version of the module rather than a range
  • Point the module source to a specific Git SHA
    • Problem: Doesn’t lock the dependencies
  • Add the modules and their dependencies to the repository manually
    • Problems (minor):
      • Clutters the repository
      • Harder to upgrade
  • Add .terraform/modules/modules.json to version control
    • Problem: Terraform may not guarantee this file is used to pick the specific module versions.
  • Add .terraform/modules/ to version control
    • Problem (minor): Clutters the repository

Thoughts? Essentially, I want the equivalent of Bundler’s Gemfile.lock or NPM’s package-lock.json, but would be ok with “vendoring” (checking the modules into the repository) as a next-best thing. Thanks!

I was pointed to terraform-bundle, but it unfortunately doesn’t include third-party modules.
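As an added example (not part of the original post), a small Python check implementing the lock-file idea above: it snapshots the resolved module sources and versions from `.terraform/modules/modules.json` after `terraform init`, flags `git::` sources whose `?ref=` is a movable branch or tag rather than a full commit SHA, and reports drift between a committed snapshot and a fresh init. The `modules.json` shape (a `Modules` list with `Key`/`Source`/`Version`/`Dir` entries) and the sample entries are constructed assumptions.

```python
import json
import re

# Constructed sample of .terraform/modules/modules.json as written by terraform init.
# Its shape (a "Modules" list of Key/Source/Version/Dir entries) is assumed here.
MODULES_JSON_AFTER_INIT = """{"Modules": [
 {"Key": "", "Source": "", "Dir": "."},
 {"Key": "vpc", "Source": "registry.terraform.io/example-org/vpc/aws",
  "Version": "2.3.1", "Dir": ".terraform/modules/vpc"},
 {"Key": "vpc.subnets", "Source": "registry.terraform.io/example-org/subnets/aws",
  "Version": "0.9.0", "Dir": ".terraform/modules/vpc/modules/subnets"},
 {"Key": "bastion",
  "Source": "git::https://example.invalid/infra/bastion.git?ref=0f4c2a1d9e8b7c6f5a4e3d2c1b0a9f8e7d6c5b4a",
  "Dir": ".terraform/modules/bastion"},
 {"Key": "dns", "Source": "git::https://example.invalid/infra/dns.git?ref=main",
  "Dir": ".terraform/modules/dns"}
]}"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def snapshot(modules_json_text):
    """Build a lock map {Key: (Source, Version)} from modules.json; skips the root module."""
    data = json.loads(modules_json_text)
    return {m["Key"]: (m.get("Source", ""), m.get("Version", ""))
            for m in data["Modules"] if m.get("Source")}

def mutable_refs(lock):
    """Keys whose git source is pinned to a branch or tag instead of an immutable commit SHA."""
    bad = []
    for key, (src, _) in lock.items():
        if src.startswith("git::"):
            ref = src.split("?ref=", 1)[1] if "?ref=" in src else ""
            if not FULL_SHA.match(ref):
                bad.append(key)
    return sorted(bad)

def drift(locked, current):
    """Compare a committed lock map against a fresh init; return one line per difference."""
    problems = []
    for key in sorted(set(locked) | set(current)):
        if key not in current:
            problems.append(f"{key}: missing after init")
        elif key not in locked:
            problems.append(f"{key}: not in lock (new dependency)")
        elif locked[key] != current[key]:
            problems.append(f"{key}: locked {locked[key]} but got {current[key]}")
    return problems

if __name__ == "__main__":
    lock = snapshot(MODULES_JSON_AFTER_INIT)
    print("mutable git refs:", mutable_refs(lock))
```

The comparison only detects drift; it does not make Terraform honor the snapshot, so it belongs next to exact `version` and `?ref=<sha>` constraints in the module blocks rather than in place of them.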