Terraform Lockfile Missing zh Hashes #21701
Replies: 20 comments
-
Use
-
@viceice while that will work, I would consider that a workaround. If renovate is going to modify the lockfile, it should modify it correctly, terraform expects the zh hashes to be added and doesn't provide a way to NOT add them with the terraform binary, so renovate should act the same.
-
We discussed this already in discussion #11821 and it was declined
-
@viceice thanks, I'll go jump on that discussion as well. I disagree with the author's opinion on this. No need to duplicate my comments though, but I will link back.
-
My comments are here #11821 (comment)
-
Thanks. From that I can see that running
-
Another possible issue is that it appears that the constraints are performed as terraform would create them. For example when renovate updates a constraint it appears to be something like
Edited: this has been a very confusing week for me with terraform and automation, upgrading to terraform 1.1 with renovated repos has caused some issues and I've mixed up a few issues.
-
Can you explain more? I didn't understand from this example.
-
@rarkins apologies -- I edited my previous comment to clarify, I accidentally mixed a couple issues in my head after coming back from the weekend. Nevertheless I do believe that renovate having behavior that's different than terraform could cause problems, as it is with the To be clear, I'm not hitting a constraint issue at this time (I thought I was originally) -- I am however hitting the issue that unless read-only is always specified because the To give you an example on the constraint behavior between renovate and terraform ... when terraform updates the lock file would set the constraints to My main question would be why does terraform add the others if they aren't needed? Here is a screenshot of a diff.
-
I don't see an issue on those constraints, as terraform adds a new one which forces a higher version, so the old ones are obsolete. They are combined with I also use read-only flag on my ci checks, so if any of renovate's updates would cause a constraint issue, the checks will catch those.
-
Generally speaking @viceice I would agree. I haven't seen an issue thus far, but at the same time, the behavior differs from the actual tool, this leads to the tools competing for who is right when updating dependencies. Renovate says X, but if you run a terraform init then it says Y.
-
I think we should solve the zh hashes issue first and then see if the range list causes any problems in practice. If it turns out it does, then we'd likely need to wait for the feature request to be implemented in terraform, which may be never.
-
Not adding IMO to move away from our custom implementation following issues have to at least be solved first:
-
@rarkins I like the approach and I agree, the range comments can be tabled, apologies for the confusion there. @secustor I think the custom implementation is probably best given the scope of renovatebot and how it runs and allowing you all to cache hashes for subsequent runs is prudent.
I'll have to test this out a couple times to be sure, but I believe the assertion is partly correct. The For example if I just remove the lockfile and run terraform init, the Based on the 29958, if the files already exist in a local folder, then it's probably correct that the I do admit given this information that the behavior is then a bit inconsistent from the terraform side, however I still think adding the zh hashes is the correct thing to do.
-
At the moment I'm leaning towards:
The fact that Terraform itself has known cases where it does not generate
-
Honestly I'm a bit torn after our discussions now. Thanks for having them @rarkins and @secustor.
I agree, this is actually the case when the file is retrieved from a In fact, found this when reading the docs for the thousandth time.
I guess the question is, how often are mirrors and caches being used to download the providers instead of the official registry? I think that if it's trivial to add the However if it is not trivial or adds a lot of network traffic, I'm happy to close the issue. Thank you again for talking through the issue. For now I've implemented all my automation to
-
This behavior is problematic, as it doesn't match what terraform does.
-
Terraform won't add the
-
@viceice my question was specifically about
-
How are you running Renovate?
WhiteSource Renovate hosted app on github.com
If you're self-hosting Renovate, tell us what version of Renovate you run.
No response
Please select which platform you are using if self-hosting.
github.com
If you're self-hosting Renovate, tell us what version of the platform you run.
No response
Describe the bug
The terraform manager only calculates the h1 hashes but zh hashes are still used and expected (even though they are legacy), if you then subsequently run terraform init on at least terraform 1.1 it'll modify the lockfile with zh hashes, this then results in inconsistent lockfile errors depending on when and how this is run.
It would be best until zh is fully deprecated to calculate and add those hashes to the lockfile entries too.
Relevant debug logs
Logs
Have you created a minimal reproduction repository?
No reproduction repository
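A check for the condition this report describes, as an added example (not code from Renovate or Terraform): it reads a `.terraform.lock.hcl` and lists the provider entries that carry `h1` hashes but no `zh` hashes. The regex parsing assumes the block layout Terraform itself writes, and the sample lockfile and its hash values are constructed placeholders.

```python
import re

# Constructed sample lockfile; hash values are placeholders, not real provider hashes.
SAMPLE_LOCK = '''
provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.70.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:AAAAplaceholderAAAA=",
    "zh:0000placeholder0000",
    "zh:1111placeholder1111",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.1.0"
  hashes = [
    "h1:BBBBplaceholderBBBB=",
  ]
}
'''

PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
HASHES_RE = re.compile(r'hashes\s*=\s*\[(.*?)\]', re.S)
HASH_RE = re.compile(r'"([a-z0-9]+):([^"]+)"')

def hash_schemes(lock_text):
    """Return {provider: {scheme: count}} for every provider block."""
    result = {}
    for name, body in PROVIDER_RE.findall(lock_text):
        counts = {}
        m = HASHES_RE.search(body)  # a block without a hashes list yields no counts
        for scheme, _ in HASH_RE.findall(m.group(1) if m else ""):
            counts[scheme] = counts.get(scheme, 0) + 1
        result[name] = counts
    return result

def missing_scheme(lock_text, scheme="zh"):
    """Providers whose lock entry has no hash of the given scheme."""
    return sorted(p for p, c in hash_schemes(lock_text).items() if c.get(scheme, 0) == 0)

if __name__ == "__main__":
    for provider in missing_scheme(SAMPLE_LOCK):
        print(f"{provider}: no zh hashes recorded")
```

Run against a lockfile in CI before `terraform init`, it shows which entries Terraform may rewrite.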