IntenseWebs/opentofu
3
0
Fork 0
mirror of https://github.com/opentofu/opentofu.git synced 2025-02-25 18:45:20 -06:00
Code Issues Packages Projects Releases Wiki Activity
3b3822d770
opentofu/website/docs/cli/commands/providers/lock.mdx
Christian Mesh 3b3822d770
Improve documentation around static evaluation (#1843) 
Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Signed-off-by: ollevche <ollevche@gmail.com>
Co-authored-by: ollevche <ollevche@gmail.com>
2024-07-23 09:31:50 -04:00

192 lines
9.3 KiB
Plaintext
Raw Blame History

---
description: |-
The `tofu providers lock` command adds new provider selection information
to the dependency lock file without initializing the referenced providers.
---
# Command: providers lock
The `tofu providers lock` consults upstream registries (by default) in
order to write provider dependency information into
[the dependency lock file](../../../language/files/dependency-lock.mdx).
The common way to update the dependency lock file is as a side-effect of normal
provider installation during
[`tofu init`](../../../cli/commands/init.mdx), but there are several situations where that
automatic approach may not be sufficient:
* If you are running OpenTofu in an environment that uses
[alternative provider installation methods](../../../cli/config/config-file.mdx#provider-installation),
such as filesystem or network mirrors, normal provider installation will not
access the origin registry for a provider and therefore OpenTofu will not
be able to populate all of the possible package checksums for the selected
provider versions.
If you use `tofu lock` to write the official release checksums for a
provider into the dependency lock file then future `tofu init` runs
will verify the packages available in your selected mirror against the
official checksums previously recorded, giving additional certainty that
the mirror is serving the provider packages it is claiming to.
* If your team runs OpenTofu across a number of different platforms (e.g.
on both Windows and Linux) and the upstream registry for a provider is unable
to provide signed checksums using the latest hashing scheme, subsequent runs
of OpenTofu on other platforms may
[add additional checksums to the lock file](../../../language/files/dependency-lock.mdx#new-provider-package-checksums).
You can avoid that by pre-populating hashes for all of the platforms you
intend to use, using the `tofu providers lock` command.
## Usage
Usage: `tofu providers lock [options] [providers...]`
:::note
Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation)
requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables)
when running `tofu providers lock`.
:::
This command accepts the following generic options:
* `-var 'NAME=VALUE'` - Sets a value for a single
[input variable](../../../language/values/variables.mdx) declared in the
root module of the configuration. Use this option multiple times to set
more than one variable. Refer to
[Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information.
* `-var-file=FILENAME` - Sets values for potentially many
[input variables](../../../language/values/variables.mdx) declared in the
root module of the configuration, using definitions from a
["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files).
Use this option multiple times to include values from more than one file.
There are several other ways to set values for input variables in the root
module, aside from the `-var` and `-var-file` options. Refer to
[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information.
With no additional command line arguments, `tofu providers lock` will
analyze the configuration in the current working directory to find all of
the providers it depends on, and it will fetch the necessary data about those
providers from their origin registries and then update
[the dependency lock file](../../../language/files/dependency-lock.mdx) to
include a selected version for each provider and all of the package checksums
that are covered by the provider developer's cryptographic signature.
:::warning
The `tofu providers lock` command prints information
about what it has fetched and whether each package was signed using a
cryptographic signature, but it cannot automatically verify that the
providers are trustworthy and that they comply with your local system
policies or relevant regulations. Review the signing key information
in the output to confirm that you trust all of the signers before committing
the updated lock file to your version control system.
:::
If you list one or more provider source addresses on the command line then
`tofu providers lock` will restrict its work only to those providers,
leaving the lock entries for other providers (if any) unchanged.
You can customize the default behavior using the following additional option:
* `-fs-mirror=PATH` - Direct OpenTofu to look for provider packages in the
given local filesystem mirror directory, instead of in upstream registries.
The given directory must use the usual filesystem mirror directory layout.
* `-net-mirror=URL` - Direct OpenTofu to look for provider packages in the
given network mirror service, instead of in upstream registries. The
given URL must implement
[the OpenTofu provider network mirror protocol](../../../internals/provider-network-mirror-protocol.mdx).
* `-platform=OS_ARCH` - Specify a platform you intend to use to work with this
OpenTofu configuration. OpenTofu will ensure that the providers are all
available for the given platform and will save enough package checksums in
the lock file to support _at least_ the specified platforms.
Use this option multiple times to include checksums for multiple target
systems.
Target platform names consist of an operating system and a CPU
architecture. For example, `linux_amd64` selects the Linux operating system
running on an AMD64 or x86_64 CPU.
There is more detail on this option in the following section.
## Specifying Target Platforms
In your environment you may, for example, have both developers who work with
your OpenTofu configuration on their Windows or macOS workstations _and_
automated systems that apply the configuration while running on Linux.
In that situation, you could choose to verify that all of your providers support
all of those platforms, and to pre-populate the lock file with the necessary
checksums, by running `tofu providers lock` and specifying those three
platforms:
```
tofu providers lock \
-platform=windows_amd64 \ # 64-bit Windows
-platform=darwin_amd64 \ # 64-bit macOS
-platform=linux_amd64 # 64-bit Linux
```
(The above example uses Unix-style shell wrapping syntax for readability. If
you are running the command on Windows then you will need to put all of the
arguments on a single line, and remove the backslashes and comments.)
## Lock Entries for In-house Providers
An _in-house provider_ is one that isn't published on a real OpenTofu provider
registry because it's developed and used only within a particular organization and
distributed via either a filesystem mirror or network mirror.
By default, `tofu providers lock` assumes all providers are available
at a OpenTofu provider registry and tries to contact the origin registries
in order to get access to the most detailed information about the provider
packages.
To create a lock entry for a particular provider that is available only in a
local mirror, you can use either the `-fs-mirror` or `-net-mirror` command
line options to override the default behavior of consulting the provider's
origin registry:
```
tofu providers lock \
-fs-mirror=/usr/local/tofu/providers
-platform=windows_amd64 \
-platform=darwin_amd64 \
-platform=linux_amd64 \
tf.example.com/ourcompany/ourplatform
```
(The above example uses Unix-style shell wrapping syntax for readability. If
you are running the command on Windows then you will need to put all of the
arguments on a single line, and remove the backslashes.)
Because the command above includes the provider source address
`tf.example.com/ourcompany/ourplatform`, `tofu providers lock` will only
attempt to access that particular provider and will leave the lock entries
for any other providers unchanged. If you have a variety of different providers
available from different sources, you can run `tofu providers lock`
multiple times and specify a different subset of your providers each time.
The `-fs-mirror` and `-net-mirror` options have the same meaning as
`filesystem_mirror` and `network_mirror` blocks in
[the provider installation methods configuration](../../../cli/config/config-file.mdx#provider-installation),
but specify only a single method in order to be explicit about where you
intend to derive the package checksum information from.
Note that only an origin registry can provide official checksums covered by
the original developer's cryptographic signature. Lock entries created from
filesystem or network mirrors will therefore cover only the exact platforms
you requested, and the recorded checksums will be those reported by the
mirror, rather than the origin registry's official checksums. If you want
to ensure that the recorded checksums are the ones signed by the original
provider publisher, run this command _without_ either the `-fs-mirror` or
`-net-mirror` options to fetch all information from origin registries.
If you wish, you can publish your in-house providers via an in-house provider
registry, which will then allow locking and installation of those providers
without any special options or additional CLI configuration. For more
information, see
[the provider registry protocol](../../../internals/provider-registry-protocol.mdx).
Reference in New Issue View Git Blame Copy Permalink