[英]Inconsistent dependency when i do terraform apply from plan -out=file
I am attempting to create new resources on GCP with a remote backend After doing terraform init plan -out=tfplan and then terraform apply tfplan I get the following error:我正在尝试使用远程后端在 GCP 上创建新资源在执行 terraform init plan -out=tfplan 然后 terraform apply tfplan 之后,我收到以下错误:
Error: Inconsistent dependency lock file
│
│ The following dependency selections recorded in the lock file are
│ inconsistent with the configuration in the saved plan:
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be
│ removed in a future version of Terraform. To silence this warning, move the
│ provider version constraint into the required_providers block.
│
│ (and 22 more similar warnings elsewhere)
╵
│ - provider registry.terraform.io/hashicorp/aws: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/external: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/google-beta: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/google: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/local: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/null: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/random: required by this configuration but no version is selected
│
│ A saved plan can be applied only to the same configuration it was created
│ from. Create a new plan from the updated configuration.
╵
╷
│ Error: Inconsistent dependency lock file
│
│ The given plan file was created with a different set of external dependency
│ selections than the current configuration. A saved plan can be applied only
│ to the same configuration it was created from.
│
│ Create a new plan from the updated configuration.
On the other hand when I do it terraform init plan and apply -auto-approve its working with no issues另一方面,当我这样做时 terraform 初始化计划并应用 -auto-approve 它的工作没有问题
Part of the work of terraform init
is to install all of the required providers into a temporary directory .terraform/providers
so that other Terraform commands can run them. terraform init
的部分工作是将所有必需的提供程序安装到临时目录.terraform/providers
中,以便其他 Terraform 命令可以运行它们。 For entirely new providers, it will also update the dependency lock file to record which versions it selected so that future terraform init
can guarantee to make the same decisions.对于全新的提供者,它还将更新依赖锁定文件以记录它选择的版本,以便未来的
terraform init
可以保证做出相同的决定。
If you are running terraform apply tfplan
in a different directory than where you ran terraform plan -out=tfplan
then that local cache of the needed provider plugins won't be available and thus the apply will fail.如果您正在运行
terraform apply tfplan
在与运行terraform plan -out=tfplan
的目录不同的目录中应用 tfplan,则所需提供程序插件的本地缓存将不可用,因此应用将失败。
Separately from that, it also seems that when you ran terraform init
prior to creating the plan, Terraform had to install some new providers that were not previously recorded in the dependency lock file, and so it updated the dependency lock file.另外,似乎当您在创建计划之前运行
terraform init
时,Terraform 必须安装一些以前未记录在依赖锁文件中的新提供程序,因此它更新了依赖锁文件。 However, when you ran terraform apply tfplan
later those changes to the lock file were not visible and so Terraform reported that the current locks are inconsistent with what the plan was created from.但是,当您稍后运行
terraform apply tfplan
时,这些对锁定文件的更改不可见,因此 Terraform 报告当前锁定与创建计划的内容不一致。
The Running Terraform in Automation guide has a section Plan and Apply on Different Machines which discusses some of the special concerns that come into play when you're trying to apply somewhere other than where you created the plan.自动化指南中的 Running Terraform有一个计划并在不同机器上应用部分,其中讨论了当您尝试在创建计划的地方以外的地方应用时出现的一些特殊问题。 However, I'll try to summarize the parts which seem most relevant to your situation, based on this error message.
但是,我将根据此错误消息尝试总结与您的情况最相关的部分。
Firstly, an up-to-date dependency lock file should be recorded in your version control system so that your automation is only reinstalling previously-selected providers and never making entirely new provider selections.首先,应在您的版本控制系统中记录一个最新的依赖锁定文件,以便您的自动化仅重新安装先前选择的提供程序,而不会进行全新的提供程序选择。 That will then ensure that all of your runs use the same provider versions, and upgrades will always happen under your control.
这将确保您的所有运行都使用相同的提供程序版本,并且升级将始终在您的控制之下进行。
You can make your automation detect this situation by adding the -lockfile=readonly
option to terraform init
, which makes that command fail if it would need to change the dependency lock file in order to perform its work:您可以通过将
-lockfile=readonly
选项添加到terraform init
来使您的自动化检测到这种情况,如果需要更改依赖项锁定文件以执行其工作,这会使该命令失败:
terraform init -lockfile=readonly
If you see that fail in your automation, then the appropriate fix would be to run terraform init
without -lockfile=readonly
inside your development environment, and then check the updated lock file into your version control system.如果您发现自动化失败,那么适当的修复方法是在您的开发环境中运行
terraform init
而没有-lockfile=readonly
,然后将更新的锁定文件检查到您的版本控制系统中。
If you cannot initialize the remote backend in your development environment, you can skip that step but still install the needed providers by adding -backend=false
, like this:如果您无法在开发环境中初始化远程后端,您可以跳过该步骤,但仍通过添加
-backend=false
来安装所需的提供程序,如下所示:
terraform init -backend=false
Getting the same providers reinstalled again prior to the apply step is the other part of the problem here.在应用步骤之前重新安装相同的提供程序是问题的另一部分。
The guide I linked above suggests to achieve this by archiving up the entire working directory after planning as an artifact and then re-extracting it at the same path in the apply step.我在上面链接的指南建议通过在计划为工件后归档整个工作目录然后在应用步骤中的相同路径重新提取它来实现这一点。 That is the most thorough solution, and in particular is what Terraform Cloud does in order to ensure that any other files created on disk during planning (such as using the
archive_file
data source from the hashicorp/archive
provider) will survive into the apply phase.这是最彻底的解决方案,尤其是 Terraform Cloud 所做的,以确保在计划期间在磁盘上创建的任何其他文件(例如使用来自
hashicorp/archive
提供程序的archive_file
数据源)将在应用阶段继续存在。
However, if you know that your configuration itself doesn't modify the filesystem during planning (which is a best practice, where possible) then it can also be valid to just re-run terraform init -lockfile=readonly
before running terraform apply tfplan
, which will therefore reinstall the previously-selected providers, along with all of the other working directory initialization work that terraform init
usually does.但是,如果您知道您的配置本身在规划期间不会修改文件系统(这是一个最佳实践,如果可能的话),那么在运行
terraform apply tfplan
之前重新运行terraform init -lockfile=readonly
也是有效的,因此,它将重新安装先前选择的提供程序,以及terraform init
通常执行的所有其他工作目录初始化工作。
As a final note, tangential to the rest of this, it seems like Terraform was also printing a warning about a deprecated language feature and on your system the warning output became interleaved with the error output, making the first message confusing because it includes a paragraph from the warning inside of it. As a final note, tangential to the rest of this, it seems like Terraform was also printing a warning about a deprecated language feature and on your system the warning output became interleaved with the error output, making the first message confusing because it includes a paragraph从里面的警告。
I believe the intended error message text, without the errant extra content from the warning, is as follows:我相信预期的错误消息文本,没有来自警告的错误额外内容,如下所示:
Error: Inconsistent dependency lock file
│
│ The following dependency selections recorded in the lock file are
│ inconsistent with the configuration in the saved plan:
│ - provider registry.terraform.io/hashicorp/aws: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/external: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/google-beta: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/google: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/local: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/null: required by this configuration but no version is selected
│ - provider registry.terraform.io/hashicorp/random: required by this configuration but no version is selected
│
│ A saved plan can be applied only to the same configuration it was created
│ from. Create a new plan from the updated configuration.
╵
There could be various reasons but main reason is you might update your template and you might use some plugins in my case i updated my template and added random module solution to that problem is to upgrade lockfile with below command可能有多种原因,但主要原因是您可能会更新模板,并且在我的情况下您可能会使用一些插件我更新了模板并添加了随机模块解决该问题的方法是使用以下命令升级 lockfile
terraform init -upgrade
it will install new modules and make lock file consistent automatically它将自动安装新模块并使锁定文件保持一致
When you do terraform init
, it generates a file called .terraform.lock.hcl
.当您执行
terraform init
时,它会生成一个名为.terraform.lock.hcl
的文件。 Make sure you have this file in the directory where you are running terraform apply
.确保在运行
terraform apply
的目录中有此文件。 If you are using CICD to run terraform, make sure the file is available too when running terraform apply
.如果您使用 CICD 运行 terraform,请确保在运行
terraform apply
时该文件也可用。
For example, in a GitLab CICD pipeline, you can add these files in the cache:例如,在 GitLab CICD 管道中,您可以将这些文件添加到缓存中:
cache:
paths:
- .terraform
- .terraform.lock.hcl
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.