Public Cloud Infrastructure people -- what's your workflow with terraform/terragrunt/providers

I moved to NixOS from other Linuxes or macOS and at first I was confused about where to start with configuring terraform. Then I figured out most of the stuff, limiting the providers down to the ones that I really need in my work:

    (terraform_0_14.withPlugins (p: [
      p.archive
      p.aws
      p.external
      p.gitlab
      p.grafana
      p.helm
      p.kubernetes
      p.local
      p.null
      p.random
      p.template
      p.tls
    ]))

but then from time to time you need to use different tf versions for an old legacy code base, which might be on ancient 0.11.10 or something; here I go and download HashiCorp binaries.

(I used to use the tfenv and tgenv shell scripts to manage tf and tg versions, but they (shell scripts) are pretty slow, so I dropped them and now just use terragrunt from NixOS and a terraform binary downloaded manually from HashiCorp.)

I tried building version 0.11.10 or something and it failed; I guess I should have gone and changed terraform/default.nix. I understand I can adopt this in my own nix code.

Though I wanted a bit more welcoming approach here.

So I was wondering what your approach and workflow is, guys, for working with different provider versions and different terraform versions using only Nix tooling?

Lately I found this config option: CLI Configuration | Terraform | HashiCorp Developer, which can help you minimize the disk space occupied by providers.

And using the providers provided by Nix became an unnecessary burden.


I’m a total beginner with terraform, but I just… only use terraform? I have a shell.nix that loads terraform and then I manually type ‘terraform apply’ to apply it to aws.

I guess this is only suitable for simple use cases?

@rmcgibbo yeah, that is a rather simpler use case, which I surely would have liked to follow.

Consider this: you might run tf in a pipeline as well, and you want to package a container image with a pinned tf version, and you might as well want to run tf locally on your machine. If you bump the tf version locally you would rewrite the state with the newer version and your pipeline (which uses the older one) would fail.

So keeping the tf version in sync between pipelines and local development is crucial; but, yeah, it hugely depends on the use cases.

And maybe I'm missing something that could have helped me adopt the NixOS packaging of terraform and providers.

(I'm thinking that keeping multiple versions could probably be done with overlays, but that would be a hassle and they would need to be kept in separate PATHs somehow.)


To the extent that the problem can be reduced to keeping the version of terraform and the version of the providers in sync between your local machine and pipeline, maybe pinning nixpkgs (potentially via a flake) is a sufficient solution?

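One way to make that pinning concrete, as an added example that is not code from any poster in this thread: a flake.nix that pins nixpkgs so the laptop and the pipeline container evaluate the same terraform and provider builds. The nixpkgs ref is a placeholder to be replaced with the revision you want, and the `terraform_0_14`, `withPlugins` and `terragrunt` attributes are assumed to exist in that pinned revision, as in the opening post.

```nix
{
  description = "Pinned terraform + providers shared by local dev and CI (added example)";

  # Placeholder ref: replace with the nixpkgs branch or commit you want.
  # The flake.lock written on first `nix develop` is what really pins it,
  # so commit flake.lock next to your terraform code.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";

  outputs = { self, nixpkgs }:
    let
      # Same shell for the developer laptop and the Linux pipeline image.
      systems = [ "x86_64-linux" "x86_64-darwin" ];
      forAll = f: nixpkgs.lib.genAttrs systems
        (system: f nixpkgs.legacyPackages.${system});
    in {
      devShells = forAll (pkgs: {
        default = pkgs.mkShell {
          buildInputs = [
            # Same withPlugins pattern as the opening post, with the provider
            # list narrowed to what this example assumes the project needs.
            (pkgs.terraform_0_14.withPlugins (p: [
              p.aws
              p.helm
              p.kubernetes
              p.local
              p.null
              p.random
              p.template
              p.tls
            ]))
            pkgs.terragrunt
          ];
        };
      });
    };
}
```

Locally you run `nix develop -c terraform plan`; the pipeline runs the same command from the same commit, so both sides resolve `terraform` and its providers from the revision recorded in `flake.lock`, and bumping the version is a single reviewed change to that file.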

Yeah, why not.

Well, I've been running NixOS for a couple of months, and I might be missing some nix/nixpkgs/configuration internals that could have helped me solve this in a Nix way.

But there's another one: tf 0.14 introduced a lock mechanism for providers: Terraform 0.14 Introduces a Dependency Lock File for Providers

And this will not work as intended if we keep this lock file in the repo when I am using in-house tf providers (NixOS) and someone else uses macOS or another Linux: in-house providers are built in the NixOS infra while the other providers are built on the HashiCorp side, so they will have different hashes.

Meaning that managing providers in NixOS is probably an unneeded burden, but again I could be missing someone's use case, which is why it is the way it is.

At least I won't be downloading binaries manually: https://git.sr.ht/~ikovnatsky/nixos-config/commit/9e9af54c0c56606470b683f57e0f79c63c77b464