Verify module version

Hi - is there some common way to identify and use the module version as a variable? The use case I’m thinking of is to block “apply” for a module pulled from git if the reference parameter is empty/HEAD, rather than a semver tag.

Hi @razvan-ig,

A Terraform module cannot change its behavior depending on where it was installed from.

What you’re describing sounds like a local coding standards policy in your environment, which in the Terraform Cloud product suite is handled by Sentinel (in this case, using module_calls[...].source), enforcing an organization-wide policy for configurations.

For those not using Terraform Cloud or using it at a tier that does not include Sentinel, you can get a similar effect with some self-built automation using the following building blocks:

  • Use terraform plan -out=tfplan to save the plan to disk.
  • Use terraform show -json tfplan to obtain a JSON representation of the plan intended for consumption by outside tools.
  • In your own policy-check program, parse that JSON and access config.root_module.module_calls[...].resolved_source, and make any checks you deem appropriate against that resulting string.

In Terraform’s architecture, this sort of coding standards enforcement is thought of as a sort of automated code review step, building on the common practice within teams of automatically running terraform plan for pull requests in order to provide context for human reviewers, as described in Testing Pull Requests with terraform plan in the Running Terraform in Automation guide.

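The building blocks from the answer above, combined into a small policy check. This is an added example, not code from the thread or from Terraform itself. The git-prefix list and the semver pattern are simplifying assumptions, and the script accepts the keys configuration / source in addition to the config / resolved_source names given in the post.

```python
import json
import re
import sys
from urllib.parse import parse_qs

# Assumptions for this example: what counts as a git source and as a semver tag.
GIT_PREFIXES = ("git::", "github.com/", "git@github.com:")
SEMVER_TAG = re.compile(r"^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

def iter_module_calls(module, prefix=""):
    """Yield (address, call) for each module call, descending into nested modules."""
    for name, call in (module.get("module_calls") or {}).items():
        addr = f"{prefix}module.{name}"
        yield addr, call
        yield from iter_module_calls(call.get("module") or {}, addr + ".")

def unpinned_git_modules(plan):
    """Return [(address, source)] for git modules whose ?ref= is not a semver tag."""
    # The post names config / resolved_source; configuration / source are
    # accepted too (assumption about the key names in the emitted JSON).
    cfg = plan.get("configuration") or plan.get("config") or {}
    failures = []
    for addr, call in iter_module_calls(cfg.get("root_module") or {}):
        src = call.get("resolved_source") or call.get("source") or ""
        if not src.startswith(GIT_PREFIXES):
            continue  # local path or registry module: not covered by this check
        ref = (parse_qs(src.partition("?")[2]).get("ref") or [""])[0]
        if not SEMVER_TAG.match(ref):  # an empty ref means the default branch HEAD
            failures.append((addr, src))
    return failures

# Constructed sample, shaped like the output of: terraform show -json tfplan
SAMPLE_PLAN = {"configuration": {"root_module": {"module_calls": {
    "vpc": {"source": "git::https://example.com/infra/vpc.git?ref=v1.4.2"},
    "dns": {"source": "git::https://example.com/infra/dns.git"},
    "db": {"source": "git::https://example.com/infra/db.git//rds?ref=main",
           "module": {"module_calls": {
               "kms": {"source": "github.com/example/kms?ref=HEAD"}}}},
    "local": {"source": "./modules/local"},
}}}}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:  # path to the JSON saved from terraform show -json
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    failures = unpinned_git_modules(plan)
    for addr, src in failures:
        print(f"DENY {addr}: {src!r} is not pinned to a semver tag")
    sys.exit(1 if failures else 0)
```

Run it in the pull-request pipeline after saving the plan JSON to a file, and fail the job on a non-zero exit status.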