Terraform: Upgrading TF CLI Version and AzureRM Version


Description:

A critical part of using Terraform across many repositories on a team is version pinning, which keeps environments consistent. I discussed this in my Git Tagging post, but there it was in reference to modules. Here we want to pin the Terraform CLI version and the AzureRM, AzureAD, and any other providers we use.

To Resolve:

  1. To pin your Terraform CLI version, you can usually pass it as a parameter in your pipeline. For example:

    - task: ms-devlabs.custom-terraform-tasks.custom-terraform-installer-task.TerraformInstaller@0
      displayName: 'Install Terraform 1.3.6'
      inputs:
        terraformVersion: 1.3.6
    
  2. To pin your provider versions, declare them in any of your *.tf files, typically backend.tf, versions.tf, or providers.tf:

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "3.37.0"
        }
        azuread = {
          source  = "hashicorp/azuread"
          version = "2.26.0"
        }
        random = {
          source  = "hashicorp/random"
          version = "3.4.3"
        }
      }
      required_version = "1.3.6"
    }
    
  3. After updating, run a terraform plan and pay attention to the terraform init output in your pipeline. It should specifically mention what versions of providers it is installing.

  4. I had an issue once where I was going crazy because I had pinned to a specific version and it kept updating to the latest versions.

    • I first found this link, which made me think that since I didn’t have a lock file, Terraform was upgrading automatically like in the example, so I created a lock file and pushed it.
    • That worked, but I later found the culprit. The pipeline had, for whatever reason, used terraform init -upgrade, so I removed that flag and it started working as expected.

  5. To create the lock file I did this:

    • cd to my repo
    • Run terraform init . on my dev box
    • Terraform creates a .terraform.lock.hcl
    • I then had to remove .terraform from my .gitignore so I could push the lock file to the repo
    • Push file to repo

  6. OK, so after updating the Terraform CLI and the AzureRM, AzureAD, etc. providers, the next thing is to run terraform plan pipelines and fix any errors that come up. They are usually descriptive, like attribute deprecated, please use $x.

  7. If you haven’t already, ensure that you bookmark the Terraform docs to the version you use everywhere in your environment. This makes it easy to see what attributes are available for all resources using your pinned version. For example, I usually bookmark the azurerm_storage_account resource. Notice the version in the URL? azurerm/3.33.0/docs?
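
As a pre-merge check for the version drift described in steps 3 to 5, the following Python sketch (an added example, not code from the original post) compares the exact pins in required_providers with the versions recorded in .terraform.lock.hcl and flags terraform init -upgrade in pipeline text. The lock file contents, the pipeline snippet, and the function names are constructed for illustration, and the regex parsing assumes the simple layout shown here rather than general HCL.

```python
import re

# Constructed sample inputs; only the pinned versions come from the post.
VERSIONS_TF = """\
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.37.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.26.0"
    }
  }
}
"""
LOCK_HCL = """\
provider "registry.terraform.io/hashicorp/azurerm" {
  version = "3.38.0"
}
"""
PIPELINE_YML = """\
steps:
  - script: terraform init -upgrade -input=false
"""

def parse_pins(tf):
    """source -> exact version; assumes 'source' precedes 'version' as in the post."""
    return dict(re.findall(r'source\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"', tf))

def parse_lock(lock):
    """source -> version selected in .terraform.lock.hcl."""
    return dict(re.findall(
        r'provider\s+"registry\.terraform\.io/([^"]+)"\s*\{\s*version\s*=\s*"([^"]+)"', lock))

def audit(tf, lock, pipeline):
    """Return findings; an empty list means pins, lock file and pipeline agree."""
    locked, findings = parse_lock(lock), []
    for source, pin in sorted(parse_pins(tf).items()):
        got = locked.get(source, "no entry")
        if got != pin:
            findings.append(f"{source}: pinned {pin} but lock file has {got}")
    for n, line in enumerate(pipeline.splitlines(), 1):
        if re.search(r"terraform\s+init\b.*\s--?upgrade(?!=false)\b", line):
            findings.append(f"pipeline line {n}: init -upgrade re-selects "
                            "provider versions, bypassing the lock file")
    return findings

if __name__ == "__main__":
    print(*audit(VERSIONS_TF, LOCK_HCL, PIPELINE_YML), sep="\n")
```

Run it against the real versions.tf, .terraform.lock.hcl, and pipeline YAML in a pull-request job and fail the build when the returned list is not empty.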