terraform init does not populate .terraform.lock.hcl with hashes for all platforms #29794

Closed
masonelmore opened this issue Oct 22, 2021 · 4 comments
Labels
bug new new issue not yet triaged

Comments

@masonelmore

Terraform Version

Terraform v1.0.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.1.0

Terraform Configuration Files

resource "null_resource" "this" {}

Debug Output

https://gist.github.com/masonelmore/2f057fbdf0162b9f0bf3ff5fb51de194

Expected Behavior

terraform init should populate .terraform.lock.hcl with hashes for all available platforms.

provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:/pDuGENc39GlIz47Ehrdzgk+Pu7p7RB4ChNbK7QFg/I=",
    "h1:SFT7X3zY18CLWjoH2GfQyapxsRv6GDKsy9cF1aRwncc=",
    "h1:vpC6bgUQoJ0znqIKVFevOdq+YQw42bRq0u+H3nto8nA=",
    "h1:xhbHC6in3nQryvTQBWKxebi3inG5OCgHgc4fRxL0ymc=",
    "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2",
    "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515",
    "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521",
    "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2",
    "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e",
    "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53",
    "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d",
    "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8",
    "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70",
    "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b",
    "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e",
  ]
}

Actual Behavior

terraform init only populates .terraform.lock.hcl with hashes for the current platform.

provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:vpC6bgUQoJ0znqIKVFevOdq+YQw42bRq0u+H3nto8nA=",
    "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2",
    "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515",
    "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521",
    "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2",
    "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e",
    "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53",
    "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d",
    "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8",
    "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70",
    "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b",
    "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e",
  ]
}

Steps to Reproduce

  1. terraform init
  2. cp .terraform.lock.hcl .terraform.lock.hcl.bak
  3. terraform providers lock -platform=linux_arm64 -platform=linux_amd64 -platform=darwin_amd64 -platform=windows_amd64
  4. diff .terraform.lock.hcl .terraform.lock.hcl.bak

Here's a script to help reproduce. It uses Docker to ensure the default CLI configuration is used. The diff at the end of the script should be empty.

#!/usr/bin/env sh
set -x

# rm -rf .terraform/ .terraform.lock.hcl .terraform.lock.hcl.bak
# echo 'resource "null_resource" "this" {}' > main.tf

docker run -v "$(pwd)":/src -w /src -e TF_LOG=trace hashicorp/terraform:1.0.9 init

cp .terraform.lock.hcl .terraform.lock.hcl.bak

docker run -v "$(pwd)":/src -w /src -e TF_LOG=trace hashicorp/terraform:1.0.9 providers lock \
  -platform=linux_arm64 \
  -platform=linux_amd64 \
  -platform=darwin_amd64 \
  -platform=windows_amd64

diff .terraform.lock.hcl .terraform.lock.hcl.bak

References

@masonelmore masonelmore added bug new new issue not yet triaged labels Oct 22, 2021
@jbardin
Member

jbardin commented Oct 22, 2021

Hi @masonelmore,

It appears you are demonstrating the current expected behavior for init, which can only record the hash for binaries which it has downloaded. As you've shown, the terraform providers lock command can fetch additional binaries and record their hashes, which appears to have worked correctly in this case, adding 3 more hashes for the additional 3 architectures given on the command line.

Since this is documented already in the linked issues, and we have feature requests open in #27264 and #27811, I'm going to close this one to keep the discussion in one place.

Thanks!

@jbardin jbardin closed this as completed Oct 22, 2021
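
A CI check for the behavior described in the comment above, as an added example that is not part of the original thread: it counts h1: entries per provider block in a lock file and fails when a provider has fewer than the number of platforms Terraform runs on. The function names, sample files and placeholder hash values are constructed; because lock file entries are not labelled by platform, the count is only a proxy for platform coverage.

```sh
# Added example (not from the issue thread): audit h1: coverage in a lock file.

# h1_counts FILE: print "<provider address> <count of h1: hashes>" per block.
h1_counts() {
  awk '
    /^provider "/ { name = $2; gsub(/"/, "", name); seen[++n] = name; c[name] = 0; next }
    /^}/          { name = "" }
    name != "" && /^[ \t]*"h1:/ { c[name]++ }
    END { for (i = 1; i <= n; i++) print seen[i], c[seen[i]] }
  ' "$1"
}

# under_locked FILE MIN: list providers with fewer than MIN h1: hashes.
# Returns 1 if any are listed, so the function can fail a CI job.
under_locked() {
  short=$(h1_counts "$1" | awk -v min="$2" '$2 + 0 < min + 0 { print $1 }')
  [ -z "$short" ] && return 0
  printf '%s\n' "$short"
  return 1
}

# write_samples DIR: constructed lock files; every hash value is a placeholder.
write_samples() {
  cat > "$1/init.lock.hcl" <<'EOF'
provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:CONSTRUCTED-PLACEHOLDER-1=",
    "zh:constructed-placeholder-0001",
  ]
}
EOF
  cat > "$1/locked.lock.hcl" <<'EOF'
provider "registry.terraform.io/hashicorp/null" {
  version = "3.1.0"
  hashes = [
    "h1:CONSTRUCTED-PLACEHOLDER-1=",
    "h1:CONSTRUCTED-PLACEHOLDER-2=",
    "h1:CONSTRUCTED-PLACEHOLDER-3=",
    "h1:CONSTRUCTED-PLACEHOLDER-4=",
    "zh:constructed-placeholder-0001",
  ]
}
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
under_locked "$demo_dir/init.lock.hcl" 4 || echo "lock file lacks h1: hashes for some platforms"
```
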
@masonelmore
Author

Thanks, @jbardin

I think I misunderstood the documentation.

If you install a provider from an origin registry which provides checksums that are signed with a cryptographic signature, Terraform will treat all of the signed checksums as valid as long as one checksum matches. The lock file will therefore include checksums for both the package you installed for your current platform and any other packages that might be available for other platforms.

In this case, the terraform init output will include the fingerprint of the key that signed the checksums, with a message like (signed by a HashiCorp partner, key ID DC9FC6B1FCE47986). You may wish to confirm that you trust the holder of the given key before committing the lock file containing the signed checksums, or to retrieve and verify the full set of available packages for the given provider version.

Specifically, the last sentence, which suggests it's up to the user to "retrieve and verify the full set of available packages for the given provider version."

@masonelmore
Author

Also, I'll put more effort into searching for relevant issues in the future. :)

@github-actions
Contributor

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 22, 2021