Add terragrunt_providers_lock hook #630

Closed
Tensho opened this issue Feb 20, 2024 · 11 comments · Fixed by #632
Labels
feature New feature or request hook/terragrunt_providers_lock Bash hook

Comments

@Tensho

Tensho commented Feb 20, 2024

What problem are you facing?

There is no terraform_providers_lock analogue for Terragrunt. Unfortunately, the official Gruntwork pre-commit hooks repo doesn't provide it either.

How could pre-commit-terraform help solve your problem?

Introduce terragrunt_providers_lock hook which does pretty much the same as its Terraform counterpart – locks provider versions for specific platforms.

@Tensho Tensho added the feature New feature or request label Feb 20, 2024
@yermulnik
Collaborator

What is the rationale behind this request?
As far as I can see TG "relays" non-TG commands to underlying TF: https://terragrunt.gruntwork.io/docs/reference/cli-options/#all-terraform-built-in-commands — onwards it handles TF lock files that are based in the source dir with TF code: https://terragrunt.gruntwork.io/docs/features/lock-file-handling/#how-terragrunt-solves-this-problem
Given the above you should be all fine to use existing hook to lock providers: https://github.com/antonbabenko/pre-commit-terraform?tab=readme-ov-file#terraform_providers_lock

Please elaborate on the difference you're encompassing within this request.

@Tensho
Author

Tensho commented Feb 20, 2024

You are correct, terragrunt providers lock relays to terraform providers lock. I'd be thinking of terragrunt_providers_lock as an alias to the terraform_providers_lock hook, similar to terragrunt_validate -> terraform_validate. Does that make sense?

@Tensho
Author

Tensho commented Feb 20, 2024

Ah, I just realised terragrunt_validate doesn't relay to terraform_validate, as it checks Terragrunt *.hcl configuration files. @yermulnik Thanks for pointing me in the right direction.

@Tensho Tensho closed this as completed Feb 20, 2024
@Tensho
Author

Tensho commented Feb 20, 2024

I had another thought about it and realised terraform_providers_lock doesn't help much with a Terragrunt live infrastructure repo. I could target the terraform_providers_lock hook against the .terragrunt-cache directory to execute terraform, but the lock file lives outside of the cache folder (working directory). Here is a layout example:

client
  environment
    component
      .terragrunt-cache
        ABCDEF
          GHIJKL
            main.tf
      .terraform.lock.hcl
      terragrunt.hcl

Usually, I run the terragrunt providers lock command inside the client/environment/component folder. terragrunt runs terraform inside the working directory (.terragrunt-cache/ABCDEF/GHIJKL), but the .terraform.lock.hcl file remains at the component root level.

@Tensho Tensho reopened this Feb 20, 2024
@yermulnik
Collaborator

yermulnik commented Feb 20, 2024

@Tensho I'm not familiar with TG, and hence what you're saying seems to me to contradict what is explained at https://terragrunt.gruntwork.io/docs/features/lock-file-handling/#how-terragrunt-solves-this-problem

  1. If Terragrunt finds a .terraform.lock.hcl file in your working directory (e.g., in /live/stage/vpc), before running Terraform, Terragrunt will copy that lock file into the temp folder it uses when running your Terraform code (e.g., .terragrunt-cache/xxx/vpc). This way, if you had a lock file checked into version control, Terragrunt will respect and use it with your Terraform code as you’d expect.
  2. After running Terraform, if Terragrunt finds a .terraform.lock.hcl in the temp folder (e.g., .terragrunt-cache/xxx/vpc), it will copy that lock file back to your working directory (e.g., to /live/stage/vpc). That way, you can commit the lock file (or the changes to the lock file) to version control as usual.

Not sure whether @MaxymVlasov uses TG though. If he doesn't, I think it would make sense for you to try and contribute by copying over the terragrunt_validate.sh hook and adjusting it for the providers lock use case. We're always open for and welcome contributions 🤞🏻

@yermulnik
Collaborator

I can even recall that some person was recently spamming some issue(s?) with their own repo with TG(?) hooks that they forked from this repo and didn't seem willing to contribute back to this repo. I cannot find that issue(s?) now, I don't know why though 🤷🏻 But GH search gives me e.g. this: https://github.com/kiecan/terragrunt-pre-commit/blob/main/hooks/terragrunt_providers_lock.sh — by the look of it that repo is based off of pre-commit-terraform, so it shouldn't take long to copy it back over here and improve it for the use case, along with having the data to run tests across (as we may have no TG bits of code to test the new hook with).

@yermulnik
Collaborator

The main culprit I can see though is that, given the use case you outlined, it requires the hook to run in the different folder rather than the one where the files have changed. And this is what the logic has to be written around and… and that might be a bit of a toil as the hook needs to cover not just the specific use case, but also be applicable for others.
We'll be happy to try and assist with the code though.
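
Added example, not part of the thread and not the hook that was later merged: a POSIX shell sketch of the directory logic discussed above. It maps the file paths pre-commit passes in to the component directories that hold terragrunt.hcl, skips anything under .terragrunt-cache, and runs terragrunt providers lock there so that .terraform.lock.hcl is updated at the component root. TG_BIN, PLATFORMS and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch, not the merged pre-commit-terraform hook.
# Assumptions: TG_BIN and PLATFORMS are names invented here; the platform
# list is the one from the hook config quoted later in this thread.
TG_BIN="${TG_BIN:-terragrunt}"
PLATFORMS="${PLATFORMS:-darwin_arm64 darwin_amd64 linux_amd64}"

# Print, one per line and de-duplicated, the component directories that own
# the given files. Paths under .terragrunt-cache are skipped: the committed
# .terraform.lock.hcl lives at the component root, not in the cache copy.
component_dirs() {
  for f in "$@"; do
    case "/$f" in
      */.terragrunt-cache/*) continue ;;
    esac
    d=$(dirname "$f")
    if [ -f "$d/terragrunt.hcl" ]; then
      printf '%s\n' "$d"
    fi
  done | sort -u
}

# Run "providers lock" once per component directory for every platform.
# Returns non-zero if any component fails, so the commit is blocked.
lock_components() {
  flags=""
  for p in $PLATFORMS; do
    flags="$flags -platform=$p"
  done
  component_dirs "$@" | (
    rc=0
    while IFS= read -r d; do
      # $flags is left unquoted on purpose so each -platform is one argument.
      (cd "$d" && $TG_BIN providers lock $flags </dev/null) || rc=1
    done
    exit "$rc"
  )
}

# When invoked with file arguments (as pre-commit does), lock their components.
if [ "$#" -gt 0 ]; then
  lock_components "$@"
fi
```
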

@Tensho
Author

Tensho commented Feb 21, 2024

A friend of mine has already prototyped the hook code and it works like a charm:

  - repo: https://github.com/wzooff/pre-commit-terraform
    rev: 5b9e33a
    hooks:
      - id: terragrunt_providers_lock
        args:
          - --args=-platform=darwin_arm64
          - --args=-platform=darwin_amd64
          - --args=-platform=linux_amd64

I guess he will open a PR with these changes sooner rather than later.

cc @wzooff

@antonbabenko
Owner

This issue has been resolved in version 1.88.0 🎉

@Tensho
Author

Tensho commented Feb 23, 2024

FOSS like a boss 😎 Thank you, chaps.

@yermulnik
Collaborator

> FOSS like a boss 😎 Thank you, chaps.

@Tensho @wzooff Hope to see more contributions, folks 👍🏻
