Terragrunt ignores the version constraint of a Terraform module

[dhoppe]

Describe the bug

Terragrunt ignores the version constraint of a Terraform module and instead wants to use a previous version of the AWS provider.

Steps To Reproduce

The following output shows how the .terraform.lock.hcl has been generated and that Terragrunt ignores the version constraint of a Terraform module.

Terraform

❯ cat versions.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  required_version = ">= 1.0"
}

❯ terraform init -upgrade
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 5.0"...
- Installing hashicorp/aws v5.66.0...
- Installed hashicorp/aws v5.66.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

❯ cat .terraform.lock.hcl
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.66.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:yGcVdhj9IKbS/b7BSHtgGjCiFnKK+81ImkK/x7UCgEI=",
    "zh:071c908eb18627f4becdaf0a9fe95d7a61f69be365080aba2ef5e24f6314392b",
    "zh:3dea2a474c6ad4be5b508de4e90064ec485e3fbcebb264cb6c4dec660e3ea8b5",
    "zh:56c0b81e3bbf4e9ccb2efb984f8758e2bc563ce179ff3aecc1145df268b046d1",
    "zh:5f34b75a9ef69cad8c79115ecc0697427d7f673143b81a28c3cf8d5decfd7f93",
    "zh:65632bc2c408775ee44cb32a72e7c48376001a9a7b3adbc2c9b4d088a7d58650",
    "zh:6d0550459941dfb39582fadd20bfad8816255a827bfaafb932d51d66030fcdd5",
    "zh:7f1811ef179e507fdcc9776eb8dc3d650339f8b84dd084642cf7314c5ca26745",
    "zh:8a793d816d7ef57e71758fe95bf830cfca70d121df70778b65cc11065ad004fd",
    "zh:8c7cda08adba01b5ae8cc4e5fbf16761451f0fab01327e5f44fc47b7248ba653",
    "zh:96d855f1771342771855c0fb2d47ff6a731e8f2fa5d242b18037c751fd63e6c3",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
    "zh:b2a62669b72c2471820410b58d764102b11c24e326831ddcfae85c7d20795acf",
    "zh:b4a6b251ac24c8f5522581f8d55238d249d0008d36f64475beefc3791f229e1d",
    "zh:ca519fa7ee1cac30439c7e2d311a0ecea6a5dae2d175fe8440f30133688b6272",
    "zh:fbcd54e7d65806b0038fc8a0fbdc717e1284298ff66e22aac39dcc5a22cc99e5",
  ]
}

Terragrunt

❯ terragrunt init -upgrade
09:30:59.187 INFO   Terragrunt Cache server is listening on 127.0.0.1:59846
09:30:59.187 INFO   Start Terragrunt Cache server
09:30:59.576 INFO   Downloading Terraform configurations from file:///Users/dhoppe/Documents/customers/siemens/terragrunt/terragrunt-aws-nbm/modules/aws-data into /Users/dhoppe/Documents/customers/siemens/terragrunt/terragrunt-aws-nbm/stacks/dev/us-east-2/aws-data/.terragrunt-cache/1klylyiqYO0KFyf0u1oUkTjrYxw/KrtfoKBczd_PpPJjZfeW7fDSg8s
09:31:03.336 INFO   Caching terraform providers for /Users/dhoppe/Documents/customers/siemens/terragrunt/terragrunt-aws-nbm/stacks/dev/us-east-2/aws-data/.terragrunt-cache/1klylyiqYO0KFyf0u1oUkTjrYxw/KrtfoKBczd_PpPJjZfeW7fDSg8s
09:31:07.772 STDOUT terraform: Initializing the backend...
09:31:09.851 STDOUT terraform: Initializing provider plugins...
09:31:09.851 STDOUT terraform: - Finding hashicorp/aws versions matching "~> 5.0"...
09:31:09.915 STDOUT terraform: - Installing hashicorp/aws v5.66.0...
09:31:10.491 STDOUT terraform: - Installed hashicorp/aws v5.66.0 (unauthenticated)
09:31:10.491 STDOUT terraform: Terraform has been successfully initialized!
09:31:10.491 STDOUT terraform:
09:31:10.491 STDOUT terraform: You may now begin working with Terraform. Try running "terraform plan" to see
09:31:10.491 STDOUT terraform: any changes that are required for your infrastructure. All Terraform commands
09:31:10.491 STDOUT terraform: should now work.
09:31:10.491 STDOUT terraform: If you ever set or change modules or backend configuration for Terraform,
09:31:10.491 STDOUT terraform: rerun this command to reinitialize your working directory. If you forget, other
09:31:10.491 STDOUT terraform: commands will detect it and remind you to do so if necessary.
09:31:10.492 INFO   Shutting down Terragrunt Cache server...
09:31:10.492 INFO   Terragrunt Cache server stopped

❯ cat .terraform.lock.hcl
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.66.0"
  constraints = "5.66.0"
  hashes = [
    "h1:yGcVdhj9IKbS/b7BSHtgGjCiFnKK+81ImkK/x7UCgEI=",
    "zh:071c908eb18627f4becdaf0a9fe95d7a61f69be365080aba2ef5e24f6314392b",
    "zh:3dea2a474c6ad4be5b508de4e90064ec485e3fbcebb264cb6c4dec660e3ea8b5",
    "zh:56c0b81e3bbf4e9ccb2efb984f8758e2bc563ce179ff3aecc1145df268b046d1",
    "zh:5f34b75a9ef69cad8c79115ecc0697427d7f673143b81a28c3cf8d5decfd7f93",
    "zh:65632bc2c408775ee44cb32a72e7c48376001a9a7b3adbc2c9b4d088a7d58650",
    "zh:6d0550459941dfb39582fadd20bfad8816255a827bfaafb932d51d66030fcdd5",
    "zh:7f1811ef179e507fdcc9776eb8dc3d650339f8b84dd084642cf7314c5ca26745",
    "zh:8a793d816d7ef57e71758fe95bf830cfca70d121df70778b65cc11065ad004fd",
    "zh:8c7cda08adba01b5ae8cc4e5fbf16761451f0fab01327e5f44fc47b7248ba653",
    "zh:96d855f1771342771855c0fb2d47ff6a731e8f2fa5d242b18037c751fd63e6c3",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
    "zh:b2a62669b72c2471820410b58d764102b11c24e326831ddcfae85c7d20795acf",
    "zh:b4a6b251ac24c8f5522581f8d55238d249d0008d36f64475beefc3791f229e1d",
    "zh:ca519fa7ee1cac30439c7e2d311a0ecea6a5dae2d175fe8440f30133688b6272",
    "zh:fbcd54e7d65806b0038fc8a0fbdc717e1284298ff66e22aac39dcc5a22cc99e5",
  ]
}

Expected behavior

Terragrunt should keep the version constraint of a Terraform module, like ~> 5.0 instead of a static version 5.66.0.

Nice to haves

• Terminal output
• Screenshots

Versions

• Terragrunt version: Terragrunt v0.67.4
• OpenTofu/Terraform version: Terraform v1.9.5
• Environment details (Ubuntu 20.04, Windows 10, etc.): Ubuntu 22.04

Additional context

The current behaviour causes some trouble regarding our GitLab CI pipeline.

terraform: │ Error: Failed to query available provider packages
terraform: │
terraform: │ Could not retrieve the list of available versions for provider
terraform: │ hashicorp/aws: locked provider registry.terraform.io/hashicorp/aws 5.65.0
terraform: │ does not match configured version constraint ~> 5.66; must use terraform
terraform: │ init -upgrade to allow selection of new versions

Maybe I am wrong, but I would expect Terragrunt to simply use the last available AWS provider and not bother with the version constraint in the .terraform.lock.hcl of Terragrunt and instead follow the requirement of the Terraform module.

[dhoppe]

I have been thinking a bit about my own bug report and I am afraid Terragrunt is working as expected. After all, the .terraform.lock.hcl ensures that Terragrunt works with the previously defined versions.

Even if I use a dedicated repository for each Terraform module and Renovate takes care of the .terraform.lock.hcl, this does not create a new version which could then be used by Terragrunt to generate a new .terraform.lock.hcl via Renovate based on the latest version of the AWS provider. 🤔