terraform_module_version

Ensure that all modules sourced from a Terraform Registry specify a version.

Configuration

| Name | Description | Default | Type |
| --- | --- | --- | --- |
| exact | Require an exact version | false | Boolean |

rule "terraform_module_version" {
  enabled = true
  exact = false # default
}

Example

module "exact" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.0.0"
}

module "range" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">= 1.0.0"
}

module "latest" {
  source  = "terraform-aws-modules/vpc/aws"
}

$ tflint
1 issue(s) found:

Warning: module "latest" should specify a version (terraform_module_version)

  on main.tf line 11:
  11: module "latest" {

Reference: https://github.com/terraform-linters/tflint/blob/master/docs/rules/terraform_module_version.md

Exact

rule "terraform_module_version" {
  enabled = true
  exact = true
}

module "exact" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.0.0"
}

module "range" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">= 1.0.0"
}

$ tflint
1 issue(s) found:

Warning: module "range" should specify an exact version, but a range was found (terraform_module_version)

  on main.tf line 8:
   8:   version = ">= 1.0.0"

Reference: https://github.com/terraform-linters/tflint/blob/master/docs/rules/terraform_module_version.md

Why

Terraform's module version documentation states:

When using modules installed from a module registry, we recommend explicitly constraining the acceptable version numbers to avoid unexpected or unwanted changes.

When no version is specified, Terraform will download the latest version available on the registry. Using a new major version of a module could cause the destruction of existing resources, or the creation of new resources that are not backwards compatible. Generally you should at least constrain modules to a specific major version.

Exact Versions

Depending on your workflow, you may want to enforce that modules specify an exact version by setting exact = true for this rule. This will disallow any module that includes multiple comma-separated version constraints, or any constraint operator other than =. Exact versions are often used with automated dependency managers like Dependabot and Renovate, which will automatically propose a pull request to update the module when a new version is released.

Keep in mind that the module may include further child modules, which have their own version constraints. TFLint does not check version constraints set in child modules. Enabling this rule cannot guarantee that terraform init will be deterministic. Use Terraform dependency lock files to ensure that Terraform will always use the same version of all modules (and providers) until you explicitly update them.
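The distinction between a missing, ranged and exact version described above can be sketched as follows. This is an added example, not TFLint's own code: the `Module` type, the `Classify` and `Check` functions and the version regular expression are assumptions made for illustration, and every module is assumed to come from a registry.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Module holds the attributes this sketch inspects (hypothetical type).
type Module struct{ Name, Version string }

// exactRe accepts an optional "=" followed by one plain version, e.g. 1.0.0 or 1.2.3-beta1.
var exactRe = regexp.MustCompile(`^(=\s*)?\d+(\.\d+){0,2}(-[0-9A-Za-z.-]+)?$`)

// Classify returns "missing", "exact" or "range" for a module's version argument.
func Classify(version string) string {
	v := strings.TrimSpace(version)
	switch {
	case v == "":
		return "missing"
	case strings.Contains(v, ","): // multiple comma-separated constraints
		return "range"
	case exactRe.MatchString(v):
		return "exact"
	}
	return "range" // any operator other than "=", such as >=, <, != or ~>
}

// Check returns one warning per offending module, worded like the output shown on this page.
func Check(mods []Module, exact bool) []string {
	var out []string
	for _, m := range mods {
		switch c := Classify(m.Version); {
		case c == "missing":
			out = append(out, fmt.Sprintf("module %q should specify a version", m.Name))
		case c == "range" && exact:
			out = append(out, fmt.Sprintf("module %q should specify an exact version, but a range was found", m.Name))
		}
	}
	return out
}

func main() {
	// Constructed input: the three module blocks from the Example section.
	mods := []Module{{Name: "exact", Version: "1.0.0"}, {Name: "range", Version: ">= 1.0.0"}, {Name: "latest"}}
	for _, exact := range []bool{false, true} {
		fmt.Printf("exact=%v: %q\n", exact, Check(mods, exact))
	}
}
```
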

How To Fix

Specify a version. If exact = true, this must be an exact version.