Terraform lock file irresolvable problem

[gtmtech]

Terraform Version

Terraform v1.2.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.37.0
+ provider registry.terraform.io/hashicorp/time v0.9.0

Terraform Configuration Files

Not relevant

Debug Output

Not able to supply at this stage

Expected Behavior

When running terraform - e.g. terraform init, it should consult the lockfile and figure out which providers to download manually. It should do this regardless of how the lockfile has been put together (ie on which distro ir was originally generated and committed).

Actual Behavior

Actually the lockfile is causing many errors:

First of all the initial state of the lockfile (that was generated by someone else in the team using original terraform init, and then committing)

# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/archive" {
  version = "2.2.0"
  hashes = [
    "h1:2K5LQkuWRS2YN1/YoNaHn9MAzjuTX8Gaqy6i8Mbfv8Y=",
  ]
}

Now I check out the same repo, and issue a terraform init

terraform init

Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/archive from the dependency lock file
- Using hashicorp/archive v2.2.0 from the shared cache directory

╷
│ Error: Failed to install provider from shared cache
│ 
│ Error while importing hashicorp/archive v2.2.0 from the shared cache directory: the provider cache at .terraform/providers has a copy of
│ registry.terraform.io/hashicorp/archive 2.2.0 that doesn't match any of the checksums recorded in the dependency lock file.
╵

Trying this suggestion (tried from GH issue)

terraform init -reconfigure

...
╷
│ Error: Failed to install provider from shared cache
│ 
│ Error while importing hashicorp/archive v2.2.0 from the shared cache directory: the provider cache at .terraform/providers has a copy of
│ registry.terraform.io/hashicorp/archive 2.2.0 that doesn't match any of the checksums recorded in the dependency lock file.
╵

Trying this suggestion (tried from GH issue)

terraform init -upgrade

...
╷
│ Error: Failed to install provider from shared cache
│ 
│ Error while importing hashicorp/archive v2.2.0 from the shared cache directory: the provider cache at .terraform/providers has a copy of
│ registry.terraform.io/hashicorp/archive 2.2.0 that doesn't match any of the checksums recorded in the dependency lock file.
╵

Trying this suggestion (tried from GH issue)

terraform providers lock -platform=darwin_amd64 -platform=linux_amd64 -platform=darwin_arm64 -platform=linux_arm64
- Fetching hashicorp/archive 2.2.0 for darwin_amd64...
- Obtained hashicorp/archive checksums for darwin_amd64 (signed by HashiCorp)
- Fetching hashicorp/archive 2.2.0 for linux_amd64...

╷
│ Error: Could not retrieve providers for locking
│ 
│ Terraform failed to fetch the requested providers for linux_amd64 in order to calculate their checksums: some
│ providers could not be installed:
│ - registry.terraform.io/hashicorp/archive: the current package for registry.terraform.io/hashicorp/archive 2.2.0
│ doesn't match any of the checksums previously recorded in the dependency lock file
│ - registry.terraform.io/hashicorp/aws: the current package for registry.terraform.io/hashicorp/aws 4.33.0 doesn't
│ match any of the checksums previously recorded in the dependency lock file
│ - registry.terraform.io/hashicorp/time: the current package for registry.terraform.io/hashicorp/time 0.8.0 doesn't
│ match any of the checksums previously recorded in the dependency lock file.

So it seems whatever I try, it really wants to try and download/check against some hash that exists and it cant find any that match?

OK - so now I blow away the file and start with the providers lock command:

rm .terraform.lock.hcl && terraform providers lock -platform=darwin_amd64 -platform=linux_amd64 -platform=darwin_arm64 -platform=linux_arm64
- Fetching hashicorp/archive 2.2.0 for darwin_amd64...
- Obtained hashicorp/archive checksums for darwin_amd64 (signed by HashiCorp)
- Fetching hashicorp/archive 2.2.0 for linux_amd64...
- Obtained hashicorp/archive checksums for linux_amd64 (signed by HashiCorp)
- Fetching hashicorp/archive 2.2.0 for darwin_arm64...
- Obtained hashicorp/archive checksums for darwin_arm64 (signed by HashiCorp)
- Fetching hashicorp/archive 2.2.0 for linux_arm64...
- Obtained hashicorp/archive checksums for linux_arm64 (signed by HashiCorp)

Success! Terraform has updated the lock file.

So what is the difference pre and post this change?

sdiff terraform.lock.hcl.old terraform.lock.hcl

provider "registry.terraform.io/hashicorp/archive" {		provider "registry.terraform.io/hashicorp/archive" {
  version = "2.2.0"						  version = "2.2.0"
  hashes = [							  hashes = [
    "h1:2K5LQkuWRS2YN1/YoNaHn9MAzjuTX8Gaqy6i8Mbfv8Y=",		    "h1:2K5LQkuWRS2YN1/YoNaHn9MAzjuTX8Gaqy6i8Mbfv8Y=",
							      >	    "h1:62mVchC1L6vOo5QS9uUf52uu0emsMM+LsPQJ1BEaTms=",
							      >	    "h1:CIWi5G6ob7p2wWoThRQbOB8AbmFlCzp7Ka81hR3cVp0=",
							      >	    "h1:mZPzA0bba3fHD0Ht01Qu1r1x8uKHGJbKK1/CJn11vFI=",
							      >	    "zh:06bd875932288f235c16e2237142b493c2c2b6aba0e82e8c85068
							      >	    "zh:0c681b481372afcaefddacc7ccdf1d3bb3a0c0d4678a526bc8b02
							      >	    "zh:100fc5b3fc01ea463533d7bbfb01cb7113947a969a4ec12e27f5b
							      >	    "zh:55c0d7ddddbd0a46d57c51fcfa9b91f14eed081a45101dbfc7fd9
							      >	    "zh:73a5dd68379119167934c48afa1101b09abad2deb436cd5c44673
							      >	    "zh:841fc4ac6dc3479981330974d44ad2341deada8a5ff9e3b1b4510
							      >	    "zh:91be62c9b41edb137f7f835491183628d484e9d6efa82fcb75cfa
							      >	    "zh:acd5f442bd88d67eb948b18dc2ed421c6c3faee62d3a12200e442
							      >	    "zh:ad5720da5524641ad718a565694821be5f61f68f1c3c5d2cfa244
							      >	    "zh:e63f12ea938520b3f83634fc29da28d92eed5cfbc5cc8ca08281a
							      >	    "zh:f6542918faa115df46474a36aabb4c3899650bea036b5f8a5e296
  ]								  ]
}

It seems very much to me that the lockfile system is kinda broken - in this case I had a perfectly valid hash (note that after the final success, the original hash is still there) - but when using providers lock after the original has been generated, as it iterates through the OS distributions it is trying to match a hash for one distro with the list of hashes for an iterated distro - they dont match, so it refuses to generate the file.

Also there seems to be no information in the lockfile about which hashes relate to which distros - in which case you probably cant figure this out from the code either - so this multi-distro terraforming is bound to be problematic?

Steps to Reproduce

I've included all the info above

Additional Context

No response

References

No response

[crw]

Thanks for filing this bug report.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.