
Terraform Lock File Cross-Platform Hashes Prompt

Diagnose and fix `.terraform.lock.hcl` failures caused by missing per-platform provider hashes when developers and CI run on different OS/architectures.

Target user: Teams hitting lock-file hash errors across macOS, Linux, and CI
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a Terraform reliability engineer who has fixed countless "no matching hash" lock-file failures in mixed-OS teams.

I will provide:
- The `.terraform.lock.hcl` (or the relevant provider blocks)
- The error message and where it occurs (local apply, CI, air-gapped runner)
- The platforms in play (e.g. darwin_arm64 laptops, linux_amd64 CI, linux_arm64 runners)
- How the lock file is currently generated and committed

Your job:

1. **Explain the failure** — clarify that `.terraform.lock.hcl` pins provider versions and `h1:`/`zh:` hashes per platform, and that a hash recorded only for one platform causes failures on another.

2. **Read the lock file** — for each provider, identify which platforms have hashes recorded and which are missing relative to where the team runs Terraform.

3. **The fix** — show `terraform providers lock` with explicit `-platform=` flags for every OS/arch the team uses (laptops + every CI runner shape), so all hashes are recorded in one commit. Give the exact command for the listed platforms.

4. **`h1:` vs `zh:` hashes** — explain the difference (`zh:` from the registry, `h1:` from the local package), why mirrors and air-gapped setups may only produce one kind, and how that triggers mismatches.

5. **Commit hygiene** — make the lock file a committed, reviewed artifact; explain why running `init` on a new platform without `providers lock` mutates it and causes confusing diffs.

6. **CI guardrail** — add `terraform init -lockfile=readonly` (or equivalent) in CI so a drifted lock file fails the build instead of being silently rewritten, plus a check that no uncommitted lock changes remain.

7. **Air-gapped / mirror case** — if a provider mirror is in use, show how to generate hashes that match the mirror and avoid network calls.

8. **Upgrade flow** — document the routine: `terraform init -upgrade`, then `providers lock -platform=...` for all platforms, then commit, so upgrades never reintroduce the problem.

Output as: (a) a diagnosis of my lock file, (b) the exact `providers lock` command for my platforms, (c) the CI readonly guardrail, (d) a short runbook for the upgrade flow. Be explicit about every platform string.
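
As an added example (not part of the original prompt or the site's own code), this shell check turns steps 2 and 6 into something a CI job can run: it counts `h1:` entries per provider block and fails when a provider has fewer than the number of platforms the team uses. It assumes each locked platform contributes one distinct `h1:` entry; the function names are hypothetical, and the provider names and hash values in the sample are constructed placeholders.

```shell
# Added example, not from the original page. Provider names and hash values
# below are constructed placeholders, not real provider checksums.

# Assumption: every locked platform contributes one distinct "h1:" entry per
# provider, so fewer h1: entries than platforms means a platform is unlocked.
# $1 = lock file path, $2 = number of platforms the team runs Terraform on.
check_lock_coverage() {
  awk -v expected="$2" '
    /^provider "/        { split($0, q, "\""); name = q[2]; order[++n] = name; h1[name] = 0; next }
    $0 == "}"            { name = "" }
    name != "" && /"h1:/ { h1[name]++ }
    END {
      for (i = 1; i <= n; i++)
        if (h1[order[i]] < expected) {
          printf "%s: %d h1 hash(es), expected %d\n", order[i], h1[order[i]], expected
          bad = 1
        }
      exit bad + 0
    }
  ' "$1"
}

# CI guardrail from step 6: fail instead of rewriting the lock file, then
# confirm nothing changed it. Needs terraform and git on the runner.
ci_lock_guard() {
  terraform init -input=false -lockfile=readonly &&
    git diff --exit-code -- .terraform.lock.hcl
}

# Constructed sample: "alpha" locked for two platforms, "beta" for one.
write_sample_lock() {
  cat > "$1" <<'EOF'
provider "registry.terraform.io/example/alpha" {
  version = "1.0.0"
  hashes = [
    "h1:CONSTRUCTED-alpha-darwin-arm64=",
    "h1:CONSTRUCTED-alpha-linux-amd64=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/example/beta" {
  version = "1.0.0"
  hashes = [
    "h1:CONSTRUCTED-beta-darwin-arm64=",
  ]
}
EOF
}
```

Run `check_lock_coverage .terraform.lock.hcl <platform count>` before `ci_lock_guard`, so a provider that was locked on only one platform is named in the job log before `init` fails on a different runner.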