How Lock Files Work
Audience: Developers, infrastructure operators
Question: How does version pinning affect my daily workflow?
In Development
terraform init
This command reads .terraform.lock.hcl and uses only the pinned versions listed there. It does not check for newer versions.
In CI/CD Pipelines
GitHub Actions workflows run:
terraform init
Same behavior as development: uses pinned versions only. The -upgrade flag is never used.
See the dev deployment workflow for the actual pipeline configuration.
Lock File Changes
The .terraform.lock.hcl file changes only when:
- You run terraform init -upgrade locally (intentional upgrade)
- You add a new provider or module
- Terraform detects corrupted cached files
Lock files in the main branch stay stable. CI/CD pipelines never update them.
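To review a lock file change before it reaches the main branch, you can compare the branch's .terraform.lock.hcl with the one on main. The script below is an added example, not part of the original page or its pipeline; the function names are hypothetical and the sample lock content is constructed with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the original page): compare two .terraform.lock.hcl files.

# Print "source version" for every provider block in lock file $1.
lock_versions() {
    awk '
        /^provider[ \t]+"/ { split($0, p, "\""); src = p[2] }
        src != "" && /^[ \t]*version[ \t]*=/ {
            split($0, v, "\""); print src, v[2]; src = ""
        }' "$1" | sort
}

# Compare baseline $1 with candidate $2. Prints one line per difference
# and returns 1 if the files differ at all, 0 if they are identical.
lock_drift() {
    cmp -s "$1" "$2" && return 0
    base=$(lock_versions "$1"); cand=$(lock_versions "$2")
    if [ "$base" = "$cand" ]; then
        echo "metadata-only change (constraints or hashes differ)"
        return 1
    fi
    { printf '%s\n' "$base" | sed 's/^/B /'; printf '%s\n' "$cand" | sed 's/^/C /'; } |
    awk '
        NF == 3 && $1 == "B" { b[$2] = $3 }
        NF == 3 && $1 == "C" { c[$2] = $3 }
        END {
            for (s in b) {
                if (!(s in c)) print "removed", s, b[s]
                else if (b[s] != c[s]) print "changed", s, b[s], "->", c[s]
            }
            for (s in c) if (!(s in b)) print "added", s, c[s]
        }' | sort
    return 1
}

# Constructed sample input: writes a lock file for the aws provider to $1,
# with version $2. The hash is a placeholder, not a real provider checksum.
write_sample_lock() {
    cat > "$1" <<EOF
provider "registry.terraform.io/hashicorp/aws" {
  version     = "$2"
  constraints = "~> 5.0"
  hashes = [
    "h1:PLACEHOLDER-$3",
  ]
}
EOF
}
```

In a pipeline, terraform init -lockfile=readonly has Terraform itself verify against the recorded entries without writing changes to the lock file.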
What This Means
- All developers use the same provider versions as CI/CD
- No surprises where "it works locally but fails in production"
- Version drift is impossible