provider version gets pinned on synth

[ben-marengo-msmg]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

cdktf & Language Versions

cdktf 0.10.3
python 3.9

Affected Resource(s)

having the following in cdktf.json

  "terraformProviders": ["google@>= 3.84.0", "google-beta@>= 3.84.0"],

synthesising with cdk 0.9.0, cdktf.out/stacks/<my-stack>/cdk.tf.json shows

{
  ...,
  "terraform": {
    ...
    "required_providers": {
      "google": {
        "source": "google",
        "version": ">= 3.84.0"
      },
      "google-beta": {
        "source": "google-beta",
        "version": ">= 3.84.0"
      }
    }
  },
  ...
}

synthesising with cdk 0.10.3, cdktf.out/stacks/<my-stack>/cdk.tf.json shows

{
  ...,
  "terraform": {
    ...
    "required_providers": {
      "google": {
        "source": "google",
        "version": "4.19.0"
      },
      "google-beta": {
        "source": "google-beta",
        "version": "4.19.0"
      }
    }
  },
  ...
}

this is a problem because i deploy this synthesised cdk.tf.json as a module in other terraform stacks. pinning the version of the provider shackles the other terraform stacks to this version of the provider

[jsteinich]

This was added with #1586.

Pinning minimum required to what Terraform actually resolved is definitely intended. The generated code is quite likely not 100% compatible with the version specified in cdktf.json since any new / modified resource will only exist on the newer resolved version.

Also pinning maximum version is more subjective. The main reasoning behind this is to ensure that code written results in the same output regardless of where/when it is ran. Just specifying a minimum version means that a different version of the provider could be used than what a developer experienced locally.

I do see that pinning the maximum version is probably overly restrictive when using cdktf to create Terraform modules. Writing L2/L3 constructs could possibly run into some similar issues, so perhaps we'll need to loosen the restriction at the cost of less defined behavior. Alternatively, it might make sense to have a way to explicitly tell cdktf that a module is being created (see #1518 (comment)).

In the meantime, you should be able to use an escape hatch to override the value. Something along the lines of stack.add_override("terraform.required_providers.google.version", ">= 3.84.0")

[ben-marengo-msmg]

fyi - it currently contradicts the docs
https://www.terraform.io/cdktf/create-and-deploy/configuration-file#version-constraint