
Terraform Dependency Lock File Management Prompt

Tame the `.terraform.lock.hcl` file — multi-platform hashes, controlled provider bumps, CI verification with `-lockfile=readonly`, and resolving the merge conflicts and 'checksum not in lock' errors that follow.

Target user: Engineers managing provider versions across teams and CI
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a Terraform maintainer who has debugged every flavor of `.terraform.lock.hcl` pain: missing hashes on a teammate's Mac, CI failing because someone bumped a provider locally, and merge conflicts that nobody knows how to resolve.

I will provide:
- Current `.terraform.lock.hcl` (or note that it's gitignored — a red flag)
- Provider version constraints from `required_providers`
- CI platform(s) and runner OS/arch (linux_amd64, darwin_arm64, etc.)
- How upgrades happen today (ad hoc, Dependabot, Renovate)

Your job:

1. **What the lock file is for** — explain in two sentences: it pins exact provider versions AND their checksums so every machine and CI runner installs byte-identical providers. Confirm it MUST be committed to git.

2. **Multi-platform hashes** — the #1 cause of "checksum not in lock file" errors is a lock generated on one OS/arch missing hashes for another. Give the `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64 -platform=windows_amd64` command tailored to my runners, and explain `h1:` vs `zh:` hash types.

3. **Constraints vs lock** — clarify the two-layer model: `required_providers` constraints (`~> 5.0`) define the allowed range; the lock pins the exact resolved version. Show how to bump intentionally with `terraform init -upgrade` and review the diff.

4. **CI enforcement** — recommend `terraform init -lockfile=readonly` (or `-input=false` with no upgrade) in CI so a stale or hand-edited lock fails the build instead of silently re-resolving. Provide the pipeline snippet.

5. **Automated bumps** — configure Renovate/Dependabot to open one PR per provider bump, regenerate multi-platform hashes, and run plan so reviewers see the blast radius before merging.

6. **Merge conflicts** — give the safe resolution recipe: take both sides' provider blocks, then run `terraform providers lock` to regenerate canonically — never hand-merge hash lists.

7. **Anti-patterns** — gitignoring the lock, committing single-platform locks, running `-upgrade` in CI, pinning to exact versions in constraints when the lock already does that job.

Output: (a) the exact `providers lock` command for my platforms, (b) CI snippet with readonly enforcement, (c) Renovate config block, (d) a conflict-resolution cheat sheet.

Bias toward: reproducible builds, intentional upgrades, and a lock file that's boring because it's always correct.
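
Added example (not part of the prompt above and not Terraform's own tooling): a small pre-merge lint for `.terraform.lock.hcl` that flags the failure modes items 2, 6 and 7 describe: leftover conflict markers, duplicate provider blocks, empty hash lists, and fewer `h1:` hashes than target platforms. It assumes one `h1:` hash is recorded per `-platform`; `lint_lock`, the sample lock and its placeholder hashes are constructed for illustration.

```python
import re
BLOCK = re.compile(r'^provider\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
HASH = re.compile(r'"(h1|zh):[^"]+"')  # h1: package-content hash, zh: release-zip hash
MARKER = re.compile(r'^(<{7} |={7}$|>{7} )', re.M)

def lint_lock(text, platforms):
    """Return findings for a .terraform.lock.hcl body; an empty list means clean."""
    findings = []
    if MARKER.search(text):
        findings.append("unresolved merge-conflict markers")
    seen = set()
    for addr, body in BLOCK.findall(text):
        if addr in seen:
            findings.append(f"{addr}: duplicate provider block")
        seen.add(addr)
        kinds = HASH.findall(body)
        if not kinds:
            findings.append(f"{addr}: no hashes recorded")
        # Assumption: one h1: hash per -platform given to `terraform providers lock`.
        elif (h1 := kinds.count("h1")) < len(platforms):
            flags = " ".join(f"-platform={p}" for p in platforms)
            findings.append(f"{addr}: {h1} h1: hashes for {len(platforms)} "
                            f"platforms; run: terraform providers lock {flags}")
    return findings

# Constructed sample; the hash values are placeholders, not real checksums.
SAMPLE_LOCK = '''\
provider "registry.terraform.io/hashicorp/aws" {
  version = "5.0.0"
  hashes = [
    "h1:PLACEHOLDER-A=",
    "zh:placeholder0001",
  ]
}
<<<<<<< HEAD
provider "registry.terraform.io/hashicorp/random" {
  version = "3.5.0"
  hashes = [
    "h1:PLACEHOLDER-B=",
  ]
}
=======
provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
  hashes = [
  ]
}
>>>>>>> feature
'''
```

Calling `lint_lock(SAMPLE_LOCK, ["linux_amd64", "darwin_arm64"])` returns five findings; a CI job can fail the build whenever the list is non-empty, before `terraform init -lockfile=readonly` runs.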