Third-party Terraform module security/reproducibility

I am using a module listed in the Terraform Registry, which is working great. For security and reproducibility reasons, I want to ensure the exact version of third-party modules and their dependencies get used across machines. Ideas:

• Specify the specific version of the module rather than a range
  • Problems:
    • Git tags (which the Registry uses for versioning) aren’t guaranteed to point to the same commit over time
    • Doesn’t lock the dependencies
• Point the module source to a specific Git SHA
  • Problem: Doesn’t lock the dependencies
• Add the modules and their dependencies to the repository manually
  • Problems (minor):
    • Clutters the repository
    • Harder to upgrade
• Add .terraform/modules/modules.json to version control
  • Problem: Terraform may not guarantee this file is used to pick the specific module versions.
• Add .terraform/modules/ to version control
  • Problem (minor): Clutters the repository

Thoughts? Essentially, I want the equivalent of Bundler’s Gemfile.lock or NPM’s package-lock.json, but would be ok with “vendoring” (checking the modules into the repository) as a next-best thing. Thanks!

I was pointed to terraform-bundle, but it unfortunately doesn’t include third-party modules.

A possibility is to fork the dependency and point the Terraform configuration to the forked git repo.

When you want to update, you would review the changes made in the upstream repo and bring them in the fork.

This is somehow equivalent to vendoring, with the advantage that the forked repo can be used by multiple projects of yours.

Hi @marco-m,

At the moment the only option that would (mostly) fit your constraints is to fork the modules you intend to use and then use your forks as dependencies. If you retain them as separate repositories then you can still pull in new tags from upstream relatively easily when you want to use them, but you’ll be in control of when they change.

Copying them into your repository is also possible, but I imagine you were looking for an automated tool to do that, rather than just doing it manually. There is no such tool today.

Dependency locking like the systems you referred to is likely to come eventually, but isn’t present today.

Hello @apparentlymart, I think you wanted to answer to @afeld ? My answer is essentially the same as yours

Yes, sorry @marco-m… the forum seems to prefer to match the most recent participant rather than the original poster, so I sometimes get caught out using tab completion.

@afeld @apparentlymart @marco-m
I developed a module to address this issue. Feedback would be appreciated.
https://registry.terraform.io/modules/Invicton-Labs/module-lock/null/latest

Four years ago when this topic was active it was true that Terraform Registry was returning tag names as the ref for modules hosted on GitHub, but that’s not actually true anymore:

Today’s Terraform Registry now checks which commit the tag refers to at import time and then always returns that specific commit for any future request. Even if the tag in the repository changes to refer to a different commit later, the registry will continue returning the commit it originally discovered.

The module @KyleKotowick shared does seem like a useful extra layer of check, though, and has the advantage that it is working client-side rather than registry-side and so it presumably works the same for modules from all sources, whether that be a third-party module registry or installation directly from some physical source address.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.