Terraform/OpenTofu lock files are not updated with child module constraints

[rarkins]

Discussed in #29821

^{Originally posted by bdalpe June 24, 2024}

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub

Please tell us more about your question or problem

This is a re-open of #17402.

Renovate does not correctly update version constraints in .terraform.lock.hcl files in root modules that contain child modules when constraints are not explicitly provided in the root module.

Renovate only changes the version constraints and hashes if the root module contains required_providers or providers blocks. This is not ideal behavior because TF does not require these to be specified at the root level. When running terraform init, these dependencies are written into the lock file from recursively extracting the required_providers from all child and sub-child modules.

It would be awesome if Renovate could update this automatically.

Reproduction: https://github.com/renovate-reproductions/29944

[secustor]

This is only possible with local modules ATM, as we decided against running an initialization of Terraform/OpenTofu before running the manager. The reason has been that Renovate would need access to all modules and backend states, which include secrets like access tokens and such.

Therefore IMO not a bug, but rather a feature request to support module constraints at all.