Terraform Versioning: The Basics and a Quick Tutorial

What Is Terraform Versioning? 

Terraform versioning manages different software releases, ensuring consistent and reproducible infrastructure deployments. By using versioning, users can specify compatible versions of Terraform, its providers, and modules for their configurations. This approach helps mitigate risks associated with running incompatible or untested infrastructure code. 

The versioning system in Terraform follows semantic versioning principles, allowing users to track major, minor, and patch-level changes that may impact their environments. A structured versioning strategy is crucial for maintaining reliable infrastructure as code. It enables teams to lock specific versions to avoid unexpected surprises during deployments or upgrades. 

Terraform versioning also includes a constraints system that helps define acceptable versions of providers and modules, promoting consistency and stability across different environments.

This is part of a series of articles about DevOps pipelines.

How Terraform Versions Impact Your Infrastructure 

Terraform versions influence the stability and functionality of an infrastructure. Incorrect versioning may lead to compatibility issues or introduce bugs, affecting the deployment process. By locking Terraform to specific versions, users can ensure that code runs as expected across different environments and timeframes. 

Consistent versioning helps avoid accidental upgrades that might result in compatibility breaks between the infrastructure code and Terraform’s capabilities. It enables organizations to implement reliable testing and deployment practices. This approach ensures that any changes in the code or underlying technology stack won’t unintentionally disrupt production systems. 

Versioning also supports collaboration by providing a common framework where all team members work with vetted and known components.

Understanding Terraform Core, Provider, and Module Versions 

How Terraform Core Is Versioned

Terraform core follows semantic versioning, indicating the nature of changes in new releases. Major versions may contain breaking changes that require code adjustments. Minor versions include new features but maintain backward compatibility. Patch updates fix bugs without affecting existing functionality. 

Terraform core versions are centrally managed, allowing users to specify exact desired versions in configuration files. This practice prevents unexpected upgrades and helps ensure consistent execution across environments. 

How Providers Are Versioned

A provider in Terraform handles interactions with infrastructure platforms like AWS, Azure, and GCP. Providers also follow semantic versioning, which assists users in managing compatibility and functionality. As with Terraform core, providers indicate potential breaking changes with major version increments, while minor versions deliver backward-compatible features. 

Determining provider version constraints is essential for aligning infrastructure changes with platform capabilities. Managing provider versions requires understanding the dependencies and potential impacts of changes on existing infrastructure. Defining provider version constraints within configuration files helps maintain operational stability by ensuring that upgrades occur in a controlled manner. Providers often release updates to improve performance or add features.

How Modules Are Versioned

Module versioning in Terraform helps manage reusable code blocks within different projects, ensuring consistent configurations. Modules are versioned similarly to providers, following semantic principles that indicate changes’ impact. Defining versions in configuration files allows using reliable module versions across environments. It prevents disruptions due to unexpected or incompatible updates.

By managing module versions, organizations can adopt a modular infrastructure as code strategy, fostering collaboration across teams. Version constraints ensure that projects use vetted modules, reducing errors and improving development efficiency. 

Related content: Read our guide to platform engineering

Tips From the Expert

In my experience, here are tips that can help you better manage Terraform versioning:

1. Pin versions explicitly in production environments; While version constraints (e.g., ~>) provide flexibility, pinning exact versions (e.g., = 1.7.5) for production ensures absolute consistency. Reserve constraint ranges for non-production environments to test compatibility with future versions.
2. Automate compatibility testing with Terraform upgrade testing tools: Use tools like tflint or tfsec integrated with CI/CD pipelines to test module and provider compatibility with newer Terraform versions. This can catch issues early in the development cycle.
3. Standardize provider versioning policies across teams: Define organizational policies for acceptable provider version constraints to avoid fragmentation. For example, mandate using the same provider major version (~> 3.0) across all projects for a unified baseline.
4. Set up a private module registry for approved versions: Host vetted versions of Terraform modules and enforce their use through a private module registry. This ensures consistency and avoids reliance on unverified or outdated modules from public sources.
5. Monitor for deprecations using automated dependency scanners: Incorporate tools that can scan Terraform files and highlight deprecated features or provider versions, ensuring you stay ahead of required upgrades.

Ran Cohen

CTO & Co-Founder, Configu

Before co-founding Configu, Ran was a full stack developer at Testim.io and previously served in an elite cybersecurity unit in the Israeli Defense Forces.

Tutorial: Managing Terraform Versions 

These instructions are adapted from the Terraform Documentation.

Prerequisites

To follow this tutorial, ensure you have the following:

• Terraform CLI: Version 1.2 or later, installed locally.
• AWS account: Access credentials with appropriate permissions.
• Git CLI: Installed and configured on your system.
• AWS credentials: Configured locally, including access keys and a default region.

1. Setting Up an Example Repository

Start by cloning the example GitHub repository provided for this tutorial:

$ git clone https://github.com/hashicorp-education/learn-terraform-versions

Navigate into the project directory:

$ cd learn-terraform-versions

This example repository includes a Terraform configuration for deploying a sample web application on AWS.

2. Reviewing a Configuration

Examine the terraform.tf file in the repository:

terraform {
  required_providers {
    aws = {
      version = "~> 5.52.0"
    }
    random = {
      version = "~> 3.6.2"
    }
  }

  required_version = "~> 1.7.5"
}

Details:

• The required_version constraint (~> 1.7.5) specifies compatibility with patch versions greater than 1.7.5, but not later major or minor versions.
• Similar constraints are applied to providers like aws and random.

To check the Terraform version and providers in use, run:

$ terraform version

If the local version is incompatible, Terraform will prompt an update or provide an error when running commands like terraform init.

3. Inspect the Terraform state file

If the current version is incompatible, update the required_version field in terraform.tf to match the local Terraform version:

terraform {
  required_providers {
    # Provider configurations...
  }

  required_version = "~> "
}

Reinitialize the configuration:

$ terraform init

Verify provider installations and initialize your workspace. The output will confirm the compatibility of plugins and the configuration.

Terraform version constraints

Terraform records the version of its CLI and the state file format in the state file. To view these details, use the grep command:

$ grep -e '"version"' -e '"example_tf_version"' terraform.tfstate

Output example:

"version": 5,
"example_tf_version": "1.7.5",

The state file version updates when required by Terraform, but the example_tf_version field changes with every new apply operation. Older Terraform versions will throw errors if the state file is created with a newer version.

Cleaning Up the Infrastructure

After experimenting, destroy the resources to avoid incurring unnecessary costs:

$ terraform destroy

Confirm the destruction by typing yes when prompted. Terraform will remove all managed resources and display a summary.

Example output:

Plan: 0 to add, 0 to change, 4 to destroy.
Destroy complete! Resources: 4 destroyed.

6 Best Practices for Versioning in Terraform 

Developers should consider these best practices when configuring versions in Terraform.

1. Use Version Constraints to Ensure Compatibility

By delineating acceptable software versions, developers avoid accidental conflicts that can arise from untested upgrades. Version constraints guide Terraform in selecting suitable versions automatically during deployments. This practice mitigates risks of using unstable or incompatible software that could disrupt infrastructure functionality.

Using clear version constraints also supports collaboration, providing a standardized framework for team members across different environments. This approach simplifies integration testing, as consistent software versions yield predictable results. Constraints help maintain equilibrium between innovation and stability, allowing teams to responsibly incorporate new features.

2. Keep Dependencies Up to Date

Regularly reviewing and updating Terraform versions help align infrastructure with vendor improvements and security patches. Establishing schedules for dependency reviews, aligned with provider release cycles, ensures timely updates and ongoing compatibility with underlying platforms. It also helps address deprecations.

Dependency updates demand thorough testing to avoid unintended side effects on production systems. Implementing updates in a sandbox or non-critical environment provides a testing stage to assess impacts fully. Maintaining contemporary versions helps optimize system resilience and leverages innovative capabilities that providers continuously introduce. 

3. Coordinate Version Upgrades with the Team

Effective communication about planned upgrades, potential impacts, and testing schedules fosters a cooperative environment. Collaborative planning ensures all team members understand changes, reducing the risk of conflicts or confusion during rollout phases.

Holding regular team meetings that address forthcoming changes and sharing documentation and best practices can improve upgrade strategies. A centralized communication tool can further consolidate versioning discussions and updates. It provides a platform for team members to voice concerns, suggest improvements, or propose alternative approaches.

4. Test Changes in a Safe Environment

Testing changes in a controlled, safe environment before deploying to production is crucial for validating new configurations and identifying potential issues. Setting up development or staging environments replicates production aspects without the associated risks. This separation enables thorough testing, allowing teams to address bugs, validate configurations, and optimize performance prior to live deployment.

Automated testing tools and continuous integration practices further improve testing, offering scalable solutions for a range of scenarios. Implementing test suites can simplify the detection of anomalies related to version changes. Safe testing environments improve confidence in deploying updates, as issues can be anticipated and resolved beforehand.

5. Document Version Requirements Clearly

Providing explicit version constraints within project documentation ensures that team members are aware of compatibility needs. Detailed documentation covers the rationale for version choices, alongside potential impacts of deviations.

Consistent documentation assists in onboarding new team members and supports maintenance tasks, reducing the time required to grasp configurations. It also serves as a historical record during audits or troubleshooting sessions, offering insights into previous decisions.

6. Utilizing the terraform.lock.hcl File

The terraform.lock.hcl file can record precise versions of providers used in a deployment. This lock file ensures consistent deployments across environments by locking versions, minimizing risks of changes that could inadvertently alter infrastructure. Using this file improves reliability and repeatability, critical for maintaining system integrity during updates.

When Terraform initializes, it reads the lock file’s contents to decide which provider versions to use. By applying the lock file, users ensure infrastructure consistency against unexpected updates, aligning practice with deterministic deployment models. Regular updates to the lock file after verifying new versions ensures it reflects current and valid dependencies.

Managing Configurations in IaC Environements with Configu

Configu is a configuration management platform comprised of two main components, the stand-alone Orchestrator, which is open source, and the Cloud, which is a SaaS solution:

Configu Orchestrator

As applications become more dynamic and distributed in microservices architectures, configurations are getting more fragmented. They are saved as raw text that is spread across multiple stores, databases, files, git repositories, and third-party tools (a typical company will have five to ten different stores).

The Configu Orchestrator, which is open-source software, is a powerful standalone tool designed to address this challenge by providing configuration orchestration along with Configuration-as-Code (CaC) approach.

Configu Cloud

Configu Cloud is the most innovative store purpose-built for configurations, including environment variables, secrets, and feature flags. It is built based on the Configu configuration-as-code (CaC) approach and can model configurations and wrap them with unique layers, providing collaboration capabilities, visibility into configuration workflows, and security and compliance standardization.

Unlike legacy tools, which treat configurations as unstructured data or key-value pairs, Configu is leading the way with a Configuration-as-Code approach. By modeling configurations, they are treated as first-class citizens in the developers’ code. This makes our solution more robust and reliable and also enables Configu to provide more capabilities, such as visualization, a testing framework, and security abilities.

Learn more about Configu