Issues with Terraform provider updates in local child modules

[wiebeck]

Type of discussion.

I just want to chat

Tell us more.

We're having issues updating our required_providers in Terraform child modules. Terraform recommends to list providers with lower bound version in modules where they are being used. TFLint complains if we list providers in modules (e.g. the root module) where they are not being used. We want to make both TFLint happy and allow Renovate to properly update provider versions in both the .tf file (if it's an exact version) and the .terraform.lock.hcl file.

If we specify version constraints with lower bound (e.g. >= 3.2.0) for a provider in a child module then Renovate seems to completely ignore the provider. This can be observerd here: https://github.com/wiebeck/tflint-renovate-3

If we specify exact version numbers for a provider in a child module Renovate properly updates the version in the .tf file but does not update the lock file in the root module causing errors when running terraform init. This can be observed here: https://github.com/wiebeck/tflint-renovate-2

Renovate only works as expected if we list all providers in the root module, even if they are only being used in child modules. The child module needs to specify the provider again but may omit the version constraint. Unfortunately this violates the TFLint rule that checks for unused providers since not all providers are actually being used in the root module. This can be observed here: https://github.com/wiebeck/tflint-renovate-1

We're in a dilemma here. We want to write nice code (tflint) and want to incorporate all provider updates (Renovate) but it seems we cannot accomplish that without using workarounds. :-/

I believe it can be considered a "bug" if Renovate updates a provider version in a child module without adapting the lock file. Once this is solved we're happy again. :-)

Do you experience the same? Do you have any recommendations?

Cheers

[viceice]

Currently we only look for a silbling lockfike

renovate/lib/modules/manager/terraform/lockfile/util.ts

Lines 25 to 27 in 5624b5e

	export function findLockFile(packageFilePath: string): string {
	return getSiblingFileName(packageFilePath, lockFile);
	}

we can probably also look inside upper dirs for lockfile.

I'll test it now

[viceice]

• chore(deps): update terraform random to v3.5.1 (viceicebot) renovate-reproductions/tflint-renovate-2#2
  💪

[viceice]

should be supported with

• feat(manager/terraform): search lockfile on parent dirs #22403

[wiebeck]

Awesome! That was quick! How fast will this go into production once the PR gets merged if I may ask?

[viceice]

for self-hosted directly after release, the hosted app is updated nearly once every workday