Terraform
Lock and upgrade provider versions
Terraform providers manage resources by communicating between Terraform and target APIs. Whenever the target APIs change or add functionality, provider maintainers may update and version the provider.
When multiple users or automation tools run the same Terraform configuration, they should all use the same versions of their required providers. There are two ways for you to manage provider versions in your configuration.
- Specify provider version constraints in your configuration's
terraformblock. - Use the dependency lock file
If you do not scope provider version appropriately, Terraform will download the latest provider version that fulfills the version constraint. This may lead to unexpected infrastructure changes. By specifying carefully scoped provider versions and using the dependency lock file, you can ensure Terraform is using the correct provider version so your configuration is applied consistently.
In this tutorial, you will create a S3 bucket from an initialized Terraform configuration. Then, you will update the Terraform dependency lock file to use the latest version of the AWS provider, and edit the Terraform configuration to conform to the new provider version's requirements.
Prerequisites
You can complete this tutorial using the same workflow with either Terraform Community Edition or HCP Terraform. HCP Terraform is a platform that you can use to manage and execute your Terraform projects. It includes features like remote state and execution, structured plan output, workspace resource summaries, and more.
Select the HCP Terraform tab to complete this tutorial using HCP Terraform.
This tutorial assumes that you are familiar with the Terraform workflow. If you are new to Terraform, complete the Get Started tutorials first.
In order to complete this tutorial, you will need the following:
- Terraform v1.2+ installed locally.
- An AWS account with local credentials configured for use with Terraform.
Clone example repository
Clone the Learn Terraform Provider Versioning repository.
$ git clone https://github.com/hashicorp/learn-terraform-provider-versioning.git
Navigate to the repository directory in your terminal.
$ cd learn-terraform-provider-versioning
Review configuration
This directory is a pre-initialized Terraform project with three files:
main.tf, terraform.tf, and .terraform.lock.hcl. HashiCorp has released a
newer version of the AWS provider since this workspace was first initialized.
Explore main.tf
Open the main.tf file. This file uses the AWS and random providers to deploy a
randomly named S3 bucket to the us-west-2 region.
main.tf
provider "aws" {
region = "us-west-2"
}
resource "random_pet" "petname" {
length = 5
separator = "-"
}
resource "aws_s3_bucket" "sample" {
bucket = random_pet.petname.id
tags = {
public_bucket = false
}
}
Explore terraform.tf
Open the terraform.tf file. Here you will find the terraform block which
specifies the required provider version and required Terraform version for this
configuration.
terraform.tf
terraform {
/* Uncomment this block to use Terraform Cloud for this tutorial
cloud {
organization = "organization-name"
workspaces {
name = "learn-terraform-provider-versioning"
}
}
*/
required_providers {
random = {
source = "hashicorp/random"
version = "3.1.0"
}
aws = {
source = "hashicorp/aws"
version = ">= 4.5.0"
}
}
required_version = "~> 1.2"
}
The terraform block contains the required_providers block, which specifies
the provider local name, the source
address,
and the version.
When you initialize this configuration, Terraform will download:
- Version 3.1.0 of the random provider.
- The latest version of the AWS provider that is at greater than 4.5.0. The
>=version constraint operator specifies the minimum provider version that is compatible with the configuration.
The Terraform block also specifies that only Terraform binaries v1.x, but newer
than v1.2, can run this configuration by using the ~> operator.
Explore terraform.lock.hcl
When you initialize a Terraform configuration for the first time with Terraform
1.1 or later, Terraform will generate a new .terraform.lock.hcl file in the
current working directory. You should include the lock file in your version
control repository to ensure that Terraform uses the same provider versions
across your team and in ephemeral remote execution environments.
Open the .terraform.lock.hcl file.
.terraform.lock.hcl
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.5.0"
constraints = ">= 4.5.0"
hashes = [
"h1:PR5m6lcJZzSIYqfhnMd0YWTN+On2XGgfYV5AKIvOvBo=",
"zh:0573de96ba316d808be9f8d6fc8e8e68e0e6b614ed4d707bd236c4f7b46ac8b1",
## ...
"zh:f4722596e8b5f012013f87bf4d2b7d302c248a04a144de4563b3e3f754a30c51",
]
}
provider "registry.terraform.io/hashicorp/random" {
version = "3.1.0"
constraints = "3.1.0"
hashes = [
"h1:9cCiLO/Cqr6IUvMDSApCkQItooiYNatZpEXmcu0nnng=",
"zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
## ...
"zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
]
}
Notice the two providers specified in your terraform.tf file. The AWS provider
version is v4.5.0. This fulfills the >=4.5.0 constraint, but is no longer the
latest version of the AWS provider. The random provider is set to v3.1.0 and
fulfills its version constraints.
Initialize and apply the configuration
Initialize this configuration.
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Installing hashicorp/aws v4.5.0...
- Installed hashicorp/aws v4.5.0 (signed by HashiCorp)
- Installing hashicorp/random v3.1.0...
- Installed hashicorp/random v3.1.0 (signed by HashiCorp)
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Notice that instead of installing the latest version of the AWS provider that conforms with the configured version constraints, Terraform installed the version specified in the lock file. While initializing your workspace, Terraform read the dependency lock file and downloaded the specified versions of the AWS and random providers.
If Terraform did not find a lock file, it would download the latest versions of
the providers that fulfill the version constraints you defined in the
required_providers block. The following table shows which provider Terraform
would download in this scenario, based on the version constraint and presence of
a lock file.
| Provider | Version Constraint | terraform init (no lock file) | terraform init (lock file) |
|---|---|---|---|
| aws | >= 4.5.0 | Latest version (e.g. 5.55.0) | Lock file version (4.5.0) |
| random | 3.1.0 | 3.1.0 | Lock file version (3.1.0) |
The lock file instructs Terraform to always install the same provider version, ensuring that consistent runs across your team or remote sessions.
Apply your configuration. Respond to the confirmation prompt with a yes to
create the example infrastructure.
$ terraform apply
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_s3_bucket.sample will be created
+ resource "aws_s3_bucket" "sample" {
+ acceleration_status = (known after apply)
## ...
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
## ...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Upgrade the AWS provider version
The -upgrade flag will upgrade all providers to the latest version consistent
within the version constraints specified in your configuration.
Upgrade the AWS provider.
Note
You should never directly modify the lock file.
$ terraform init -upgrade
Initializing HCP Terraform...
Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 4.5.0"...
- Finding hashicorp/random versions matching "3.1.0"...
- Installing hashicorp/aws v5.56.1...
- Installed hashicorp/aws v5.56.1 (signed by HashiCorp)
- Using previously-installed hashicorp/random v3.1.0
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.
Terraform has been successfully initialized!
## ...
Notice that Terraform installs the latest version of the AWS provider.
Open the .terraform.lock.hcl file and notice that the AWS provider's version
is now the latest version.
.terraform.lock.hcl
provider "registry.terraform.io/hashicorp/aws" {
version = "5.56.1"
constraints = ">= 4.5.0"
## ...
}
Tip
You can also use the -upgrade flag to downgrade the provider
versions if the version constraints are modified to specify a lower provider
version that the one specified in the lock file.
Plan your configuration to ensure that it works with the upgraded provider.
$ terraform plan
random_pet.petname: Refreshing state... [id=gratefully-radically-quickly-fitting-troll]
aws_s3_bucket.sample: Refreshing state... [id=gratefully-radically-quickly-fitting-troll]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and
found no differences, so no changes are needed.
Tip
Occasionally a provider upgrade will require that you to modify your configuration to work with the new provider version. For example, attribute names or requirements may change from one major provider version to another. Always run a Terraform plan after changing your provider versions.
If the plan step completes successfully, it is safe to commit the configuration with the updated lock file to version control. If the plan or apply steps fail, do not commit the lock file to version control until you've resolved the error.
Clean up infrastructure
After verifying that the resources were deployed successfully, destroy them.
Remember to respond to the confirmation prompt with yes.
$ terraform destroy
## ...
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# aws_s3_bucket.sample will be destroyed
- resource "aws_s3_bucket" "sample" {
## ...
Plan: 0 to add, 0 to change, 2 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
## ...
Destroy complete! Resources: 2 destroyed.
If you used HCP Terraform for this tutorial, after destroying your resources,
delete the learn-terraform-provider-versioning workspace from your HCP
Terraform organization.
Next steps
In this tutorial, you used the dependency lock file to manage provider versions, and upgraded the lock file.
To learn more about providers, visit the following resources.
- Dependency lock file documentation
- Provider Version Constraint documentation
- Call APIs with Terraform Providers tutorials walk you through how providers serve as a bridge between Terraform and target APIs, and show you how to build a custom Terraform provider.