Third-party Terraform module security/reproducibility

I am using a module listed in the Terraform Registry, which is working great. For security and reproducibility reasons, I want to ensure the exact version of third-party modules and their dependencies get used across machines. Ideas:

  • Specify the specific version of the module rather than a range
  • Point the module source to a specific Git SHA
    • Problem: Doesn’t lock the dependencies
  • Add the modules and their dependencies to the repository manually
    • Problems (minor):
      • Clutters the repository
      • Harder to upgrade
  • Add .terraform/modules/modules.json to version control
    • Problem: Terraform may not guarantee this file is used to pick the specific module versions.
  • Add .terraform/modules/ to version control
    • Problem (minor): Clutters the repository

Thoughts? Essentially, I want the equivalent of Bundler’s Gemfile.lock or NPM’s package-lock.json, but would be ok with “vendoring” (checking the modules into the repository) as a next-best thing. Thanks!
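One way to turn the `.terraform/modules/modules.json` idea from the list above into an enforced check, as an added example that is not from this thread and not part of Terraform itself: commit a baseline copy of the file, and after `terraform init` in CI fail the build if the freshly written file resolves a different set of modules or versions. Terraform does not read the committed copy back, so this only detects drift; it does catch a nested dependency floating under a parent that is pinned to a Git SHA, and it flags git sources whose `ref` is not a full commit SHA. The `modules.json` layout (a `Modules` list with `Key`, `Source`, `Version`, `Dir`) is assumed from Terraform 0.12-era output, and all module keys, sources and the SHA are constructed placeholders.

```python
"""Detect drift between a committed baseline modules.json and a fresh one.

Assumed layout (Terraform 0.12-era): {"Modules": [{"Key", "Source",
"Version", "Dir"}, ...]}, where the root module has an empty Key.
"""
import json
import re

# A git source is considered pinned only when ref= is a full 40-hex commit SHA.
FULL_SHA_REF = re.compile(r"[?&]ref=([0-9a-fA-F]{40})(?:&|$)")

# Constructed sample files; keys, sources and the SHA are placeholders.
BASELINE = json.dumps({"Modules": [
    {"Key": "", "Source": "", "Dir": "."},
    {"Key": "vpc", "Source": "registry.terraform.io/example-org/vpc/aws",
     "Version": "1.2.3", "Dir": ".terraform/modules/vpc"},
    {"Key": "vpc.subnets", "Source": "registry.terraform.io/example-org/subnets/aws",
     "Version": "0.4.0", "Dir": ".terraform/modules/vpc.subnets"},
    {"Key": "audit",
     "Source": "git::https://example.invalid/org/tf-audit.git?ref="
               "0000000000000000000000000000000000000000",
     "Dir": ".terraform/modules/audit"},
]})

# Fresh init: vpc.subnets (a nested dependency) floated to 0.5.0, the audit
# module now points at a tag instead of a commit, and a new module appeared.
FRESH = json.dumps({"Modules": [
    {"Key": "", "Source": "", "Dir": "."},
    {"Key": "vpc", "Source": "registry.terraform.io/example-org/vpc/aws",
     "Version": "1.2.3", "Dir": ".terraform/modules/vpc"},
    {"Key": "vpc.subnets", "Source": "registry.terraform.io/example-org/subnets/aws",
     "Version": "0.5.0", "Dir": ".terraform/modules/vpc.subnets"},
    {"Key": "audit",
     "Source": "git::https://example.invalid/org/tf-audit.git?ref=v1.4.0",
     "Dir": ".terraform/modules/audit"},
    {"Key": "logging", "Source": "registry.terraform.io/example-org/logging/aws",
     "Version": "2.0.1", "Dir": ".terraform/modules/logging"},
]})


def load_modules(text):
    """Map module key -> (source, version); the root module (empty key) is skipped."""
    resolved = {}
    for entry in json.loads(text).get("Modules", []):
        key = entry.get("Key", "")
        if key == "":
            continue  # root module, not a dependency
        resolved[key] = (entry.get("Source", ""), entry.get("Version"))
    return resolved


def describe(source, version):
    return "%s@%s" % (source, version) if version else source


def find_drift(baseline_text, fresh_text):
    """Return sorted (key, kind, detail) tuples; kind is added/removed/changed."""
    base = load_modules(baseline_text)
    fresh = load_modules(fresh_text)
    drift = []
    for key in sorted(set(base) | set(fresh)):
        if key not in fresh:
            drift.append((key, "removed", describe(*base[key])))
        elif key not in base:
            drift.append((key, "added", describe(*fresh[key])))
        elif base[key] != fresh[key]:
            drift.append((key, "changed",
                          "%s -> %s" % (describe(*base[key]), describe(*fresh[key]))))
    return drift


def unpinned_git_refs(text):
    """Keys whose git source is not pinned to a full commit SHA via ref=."""
    return sorted(key for key, (source, _v) in load_modules(text).items()
                  if source.startswith("git::") and not FULL_SHA_REF.search(source))


if __name__ == "__main__":
    # In CI: BASELINE is the committed copy, FRESH is read after `terraform init`.
    for key, kind, detail in find_drift(BASELINE, FRESH):
        print("%-8s %-12s %s" % (kind, key, detail))
    for key in unpinned_git_refs(FRESH):
        print("unpinned git ref: %s" % key)
    if find_drift(BASELINE, FRESH) or unpinned_git_refs(FRESH):
        raise SystemExit(1)
```

Replace the two constructed strings with the committed file and the one Terraform just wrote, and a non-zero exit from the script is the "lock file mismatch" that the registry and git-SHA options alone do not give you.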

I was pointed to terraform-bundle, but it unfortunately doesn’t include third-party modules.

A possibility is to fork the dependency and point the Terraform configuration to the forked git repo.

When you want to update, you would review the changes made in the upstream repo and bring them in the fork.

This is somewhat equivalent to vendoring, with the advantage that the forked repo can be used by multiple projects of yours.

Hi @marco-m,

At the moment the only option that would (mostly) fit your constraints is to fork the modules you intend to use and then use your forks as dependencies. If you retain them as separate repositories then you can still pull in new tags from upstream relatively easily when you want to use them, but you’ll be in control of when they change.

Copying them into your repository is also possible, but I imagine you were looking for an automated tool to do that, rather than just doing it manually. There is no such tool today.

Dependency locking like the systems you referred to is likely to come eventually, but isn’t present today.

Hello @apparentlymart, I think you wanted to answer @afeld? My answer is essentially the same as yours :slight_smile:

Yes, sorry @marco-m… the forum seems to prefer to match the most recent participant rather than the original poster, so I sometimes get caught out using tab completion. :upside_down_face: