terraform: add h1 hashes for multiple os_arch in terraform.lock.hcl file #4042

Closed
mwieczorek opened this issue Jul 13, 2021 · 4 comments
Labels
L: terraform Terraform packages T: feature-request Requests for new features

Comments

@mwieczorek

Problem

Dependabot updates the terraform.lock.hcl file with the h1 hash for the new provider version, but only for the default platform it runs on. Example PR: https://github.com/mwieczorek/dependabot-test/pull/1

In the above example I ran the following command locally:

terraform providers lock \
  -platform=linux_arm64 \
  -platform=linux_amd64 \
  -platform=darwin_amd64 \
  -platform=windows_amd64

which produced 4 h1 hashes in the file. When dependabot ran, it added only one h1 hash (linux_amd64).

If I merge that PR and then clone the repository locally I may run into one of the issues:

  1. (cached providers: plugin_cache_dir set in .terraformrc file) - during local terraform init I'll get an error like Error while importing hashicorp/vault v2.21.0 from the shared cache directory: the provider cache at .terraform/providers has a copy of registry.terraform.io/hashicorp/vault 2.21.0 that doesn't match
  2. (no cached providers) - local terraform init will update the terraform.lock.hcl file with a new h1

Proposed solution

Add the most common os_arch 'platforms' to the 'terraform providers lock' command, e.g. linux_amd64, darwin_amd64, windows_amd64

I understand some providers may not have all of those os_arch combinations, so dependabot should gracefully ignore if one of them is not available.

@mwieczorek mwieczorek added the T: feature-request Requests for new features label Jul 13, 2021
@asciimike asciimike added the L: terraform Terraform packages label Jul 14, 2021
@billinghamj

billinghamj commented Nov 2, 2021

I wonder if this could be worked around temporarily with a GitHub Actions workflow which adds to the dependabot PR 🤔

@moritzheiber

Right now, all of dependabot's PRs for Terraform are useless to us because they only include the hashes for linux_amd64, and not any of the other architectures. I'd love to see this either turned into an option (e.g. architectures = [linux_amd64, darwin_amd64]) or default to "all platforms" by default.

@sebbrandt87
Contributor

sebbrandt87 commented Mar 2, 2022

It would be valuable to have the option to extend the platform providers locking.

SharedHelpers.run_shell_command("terraform providers lock #{provider_source} -no-color")

Or we simply add all needed platforms in the hcl.lock through the flags -platform=linux_amd64 -platform=linux_arm64 -platform=darwin_amd64 -platform=windows_amd64.

Parsing the hcl.lock and deciding which to take might be too much.

Quote Terraform docs

If you wish to avoid ongoing additions of new h1: hashes as you work with your configuration on new target platforms, or if you are installing providers from a mirror that therefore can't provide official signed checksums, you can ask Terraform to pre-populate hashes for a chosen set of platforms using the terraform providers lock command:

terraform providers lock \
  -platform=linux_arm64 \
  -platform=linux_amd64 \
  -platform=darwin_amd64 \
  -platform=windows_amd64

The above command will download and verify the official packages for all of the required providers across all four of the given platforms, and then record both zh: and h1: checksums for each of them in the lock file, thus avoiding the case where Terraform will learn about a h1: equivalent only at a later time. See the terraform providers lock documentation for more information on this command.
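
A lock file that carries only one platform's h1: hash, as in the Dependabot PR described in this issue, can be detected before merge by counting h1: entries per provider. The following Ruby check is an added example, not code from dependabot-core or Terraform; the names `parse_lock` and `under_locked` and the sample lock file (with placeholder hash values) are assumptions made for illustration.

```ruby
# Added example (not dependabot-core code): audit a Terraform dependency lock
# file for providers whose h1: hashes cover fewer platforms than expected.

# Constructed sample lock file; hash values are placeholders, not real checksums.
SAMPLE_LOCK = <<~HCL
  provider "registry.terraform.io/hashicorp/vault" {
    version     = "2.21.0"
    constraints = "2.21.0"
    hashes = [
      "h1:PLACEHOLDER-linux-amd64=",
      "zh:placeholder0001",
      "zh:placeholder0002",
    ]
  }

  provider "registry.terraform.io/hashicorp/random" {
    version = "3.1.0"
    hashes = [
      "h1:PLACEHOLDER-a=",
      "h1:PLACEHOLDER-b=",
      "h1:PLACEHOLDER-c=",
      "zh:placeholder0003",
    ]
  }
HCL

# Returns { provider_source => { version:, h1:, zh: } } for each provider block.
def parse_lock(text)
  providers = {}
  text.scan(/^provider\s+"([^"]+)"\s*\{(.*?)^\}/m) do |source, body|
    hashes = body[/hashes\s*=\s*\[(.*?)\]/m, 1].to_s.scan(/"((?:h1|zh):[^"]+)"/).flatten
    providers[source] = {
      version: body[/^\s*version\s*=\s*"([^"]+)"/, 1],
      h1: hashes.count { |h| h.start_with?("h1:") },
      zh: hashes.count { |h| h.start_with?("zh:") }
    }
  end
  providers
end

# Each platform's package has its own h1: hash, so fewer h1: entries than
# expected platforms means at least one platform is not pre-locked.
def under_locked(text, expected_platforms)
  parse_lock(text).select { |_, info| info[:h1] < expected_platforms.size }.keys
end
```

Run against a PR's `.terraform.lock.hcl` with the platform list the team actually uses, a non-empty result from `under_locked` marks the providers that still need `terraform providers lock` with the missing `-platform` flags.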

sebbrandt87 added a commit to sebbrandt87/dependabot-core that referenced this issue Mar 2, 2022
For the purpose of Terraform locking, we now have defined all supported Terraform platforms in the `terraform providers lock` command.

This makes sure that we have all h1 sums in the `.terraform.lock.hcl` so that we keep compatibility and do not run into errors on runs at other platforms than Linux.

Solves: dependabot#4042
sebbrandt87 added a commit to sebbrandt87/dependabot-core that referenced this issue Mar 2, 2022
For the purpose of Terraform locking, we now have defined all supported Terraform platforms in the `terraform providers lock` command.

This makes sure that we have all h1 sums in the `.terraform.lock.hcl` so that we keep compatibility and do not run into errors on runs at other platforms than Linux.

resolves: dependabot#4042
sebbrandt87 added a commit to sebbrandt87/dependabot-core that referenced this issue Mar 4, 2022
For the purpose of Terraform locking, we now have defined all supported Terraform platforms in the `terraform providers lock` command.

This makes sure that we have all h1 sums in the `.terraform.lock.hcl` so that we keep compatibility and do not run into errors on runs at other platforms than Linux.

resolves: dependabot#4042
sebbrandt87 added a commit to sebbrandt87/dependabot-core that referenced this issue Mar 11, 2022
… locking

For the purpose of Terraform locking, we now have defined nearly all supported Terraform platforms in the `terraform providers lock` command.

Except linux_arm64, as not all providers seem to be present yet for that platform.

This makes sure that we have all h1 sums in the `.terraform.lock.hcl` so that we keep compatibility and do not run into errors on runs at other platforms than Linux.

resolves: dependabot#4042
@jeffwidman
Member

Wasn't this effectively fixed by?
