Terraform Dependency Lock File — Complete Guide (.terraform.lock.hcl)

If you're managing infrastructure as code, the .terraform.lock.hcl file is your single source of truth for provider versions. Learn how to generate, update, commit, and troubleshoot lock files to keep your pipeline secure and deterministic.

Editorial Team | Updated: Oct 2023 | 14 min read
Quick Answer

The Terraform dependency lock file (.terraform.lock.hcl) records the exact versions and checksums of Terraform providers used in your project. You should always commit this file to Git. To update it, run terraform init -upgrade. To fix an "inconsistent dependency lock file" error, delete the file and re-run terraform init.

What is .terraform.lock.hcl and Why Does It Matter?

When you run terraform init, Terraform downloads the plugins (providers like AWS, Azure, Google) required by your configuration. To ensure that everyone on your team—and your CI/CD pipeline—uses the exact same provider versions, Terraform generates a Terraform dependency lock file named .terraform.lock.hcl.

This file works exactly like node_modules/.package-lock.json in npm or a poetry.lock file in Python. It locks down the specific versions and cryptographic checksums of your providers.

Without a lock file, a patch release to a Terraform provider could silently break your production infrastructure deployment during your next pipeline run.

By default, Terraform will refuse to apply changes if the downloaded provider checksums do not match the hashes recorded in the lock file. This prevents supply chain attacks and guarantees reproducible builds.


Common Lock File Scenarios

Starting a New Project

When you add your first terraform {} block and run init, Terraform creates the lock file from scratch. It calculates the hashes for your current OS platform.

Upgrading a Provider

When an AWS or Azure provider releases a new feature, you must explicitly tell the lock file to upgrade using the -upgrade flag.

Multi-Platform CI/CD

If you develop on macOS but deploy via Linux CI runners, you must populate the lock file with checksums for both platforms.

Corrupted Dependencies

When a developer manually edits the lock file or merges conflicts poorly, Terraform throws an inconsistent dependency error requiring regeneration.


Update Terraform Lock File — Step-by-Step

Managing the lock file correctly is critical. Here are the primary commands every DevOps engineer needs.

1. How to Generate the Terraform Lock File

Difficulty: Easy

If the file does not exist, simply initialize the working directory. Terraform will read your `.tf` files, find the required providers, download them, and generate the lock file.

terraform init

2. How to Update the Lock File

If you want to update your providers to the newest versions allowed by your version constraints (e.g., ~> 4.0), you must force Terraform to ignore the existing lock.

terraform init -upgrade

3. Terraform Lock File for Multi-Platform Environments

Difficulty: Intermediate

By default, terraform init only captures the checksum for your local operating system (e.g., `darwin_arm64` for Mac M1). If your CI/CD pipeline runs on Linux, it will fail. You must generate platform-specific checksums.

terraform providers lock -platform=darwin_arm64 -platform=linux_amd64 -platform=windows_amd64

Should You Commit .terraform.lock.hcl to Git?

Yes. You should always commit the .terraform.lock.hcl file to your version control system (Git).

Committing the lock file ensures that your CI/CD runners, your co-workers, and your future self are all executing Terraform plans against the exact same provider binaries. Ignoring the lock file in your .gitignore defeats its entire purpose.

Terraform State Lock vs Dependency Lock File

It is incredibly common to confuse the dependency lock file with the state lock. They serve two entirely different security and stability purposes in Terraform.

| Feature | Dependency Lock (.terraform.lock.hcl) | State Lock (DynamoDB / Local) |
| --- | --- | --- |
| What does it lock? | Provider versions (AWS, Azure plugins) | The actual `.tfstate` file during execution |
| Why is it needed? | Ensures reproducible environments | Prevents two people from deploying at the same time and corrupting state |
| Where does it live? | In your local repo, committed to Git | In a remote backend (e.g., AWS DynamoDB) or locally on disk via `.terraform.tfstate.lock.info` |
| How to resolve errors? | terraform init -upgrade or delete file | terraform force-unlock [ID] |
Editorial Recommendation

Securing Your Local Dev Environment

While .terraform.lock.hcl secures your provider dependencies, your local workspace contains something much more dangerous: the local Terraform state file (.tfstate) and environment variable files (.env).

Even if you utilize remote state management, developers frequently pull states down locally to debug, leaving AWS access keys, database credentials, and infrastructure schematics sitting in plain text. If a machine is compromised, or a malicious script runs, that entire infrastructure is at risk.

For local configuration protection, we recommend Folder Lock. Available across Windows, macOS, Android, and iOS, it allows developers to instantly encrypt and conceal specific project repositories. It ensures that local state files, API tokens, and `.git` config data remain completely inaccessible to unauthorized processes.


Folder Lock: Developer Toolkit

Powerful local security mechanisms designed for technical environments.

AES-256 On-the-Fly

Files are decrypted in memory, creating a virtual drive. Work seamlessly in VS Code without leaving decrypted footprints on your disk.

Kernel-Level Hiding

Conceal entire `.env` directories. The protection integrates at the OS level, meaning hidden configs stay invisible even if the system is booted into Safe Mode.

DOD-Standard Shredding

Deleting old `.tfvars` or `.pem` keys normally leaves them recoverable. Folder Lock overwrites the empty disk space to prevent forensic recovery.

Encrypted Cloud Sync

Safely back up your protected configuration vaults directly to Dropbox, Google Drive, or OneDrive while maintaining strict client-side encryption.


Fix Terraform Inconsistent Dependency Lock File Error

The most common error developers face is:

Error: Inconsistent dependency lock file

This happens when the checksums in your `.terraform.lock.hcl` file do not match the checksums of the provider being downloaded. This usually occurs after a git merge conflict, or when someone manually modifies the lock file.

How to Remove and Regenerate the Lock File

The safest and most officially supported recovery path is to delete the lock file and regenerate it.

# Step 1: Remove the existing lock file
rm .terraform.lock.hcl

# Step 2: Clear local cached providers
rm -rf .terraform/

# Step 3: Re-initialize and generate a fresh lock file
terraform init
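
Deleting the lock file also discards the checksums it had recorded, so the regenerated file should be compared against the last committed copy before it is committed. The following Python is an added example, not part of the original guide: it parses two lock files and flags providers whose version changed or whose checksums for an unchanged version no longer overlap. The function names, provider versions and hash strings are constructed for illustration.

```python
import re

# One provider block; lock-file blocks contain no nested braces.
BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Return {provider address: (version, set of hashes)}."""
    out = {}
    for addr, body in BLOCK.findall(text):
        ver = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        hashes = set(re.findall(r'"((?:h1|zh):[^"]+)"', body))
        out[addr] = (ver.group(1) if ver else None, hashes)
    return out

def compare_locks(old_text, new_text):
    """Classify every provider found in either lock file."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    report = {}
    for addr in sorted(old.keys() | new.keys()):
        if addr not in old:
            report[addr] = "added"
        elif addr not in new:
            report[addr] = "removed"
        elif old[addr][0] != new[addr][0]:
            report[addr] = "version-changed"
        elif not old[addr][1] & new[addr][1]:
            # Same version, no shared checksum: review before committing.
            report[addr] = "no-common-hash"
        else:
            report[addr] = "ok"
    return report

# Constructed sample data below: placeholder versions and hashes, not real checksums.
def _block(name, version, hashes):
    items = "".join(f'    "{h}",\n' for h in hashes)
    return (f'provider "registry.terraform.io/hashicorp/{name}" {{\n'
            f'  version = "{version}"\n  hashes = [\n{items}  ]\n}}\n\n')

OLD = (_block("aws", "4.0.0", ["h1:old-aws", "zh:old-aws"])
       + _block("local", "2.4.0", ["h1:mac-local", "zh:local"])
       + _block("null", "3.2.0", ["h1:null"])
       + _block("random", "3.5.0", ["h1:old-random", "zh:old-random"]))
NEW = (_block("aws", "4.1.0", ["h1:new-aws", "zh:new-aws"])
       + _block("local", "2.4.0", ["h1:linux-local", "zh:local"])
       + _block("random", "3.5.0", ["h1:new-random", "zh:new-random"])
       + _block("tls", "4.0.0", ["h1:tls"]))
if __name__ == "__main__":
    for addr, status in compare_locks(OLD, NEW).items():
        print(f"{status:16} {addr}")
```

In a repository, the old text would typically come from `git show HEAD:.terraform.lock.hcl` and the new text from the regenerated file. A `no-common-hash` result can be benign, for example when each file recorded only a platform-specific `h1:` hash on a different platform, but it should be explained before the new file is committed.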

Related Error: could not lock config file .git/config

While dealing with lock files, developers frequently encounter Git lock errors, such as:

error: could not lock config file .git/config: Permission denied

Or: "cannot lock ref", or "A lock file already exists in the repository" in GitHub Desktop.

Cause: Git creates a temporary .lock file (e.g., index.lock or config.lock) when it performs an operation. If Git crashes or is interrupted, the lock file gets left behind, blocking all future operations.

Fix: Manually delete the orphaned lock file.

# Fix for config lock error:
rm .git/config.lock

# Fix for index lock error:
rm .git/index.lock

Advanced Configuration & Troubleshooting

If you are deploying infrastructure into an air-gapped environment (no internet access), you must move your provider binaries manually. Using Folder Lock's Portable Locker feature, you can bundle your `.terraform` directories, provider binaries, and `.flka` executable into an encrypted container on a USB drive. You can then plug the drive into the offline server and enter your password to extract the necessary Terraform dependencies without requiring a background installation of the software.

Similar to Terraform, Node.js uses node_modules/.package-lock.json to lock dependencies. If you need to regenerate it without installing dependencies, use: npm i --package-lock-only. To ignore it in git (not recommended for apps, only some libraries), add package-lock.json to your .gitignore.

This error typically occurs in Rust (Cargo) or Node.js environments when multiple processes try to access the build cache simultaneously. To resolve this, ensure you don't have multiple terminals running build commands concurrently. You can forcefully clear the cache (e.g., cargo clean) to remove the stale lock.


Digital Privacy & OS History Cleaning

As developers, we focus heavily on infrastructure security, but local digital hygiene is often overlooked. When executing commands, terminals and operating systems log extensive histories. A misplaced `terraform apply -var="password=secret"` command can sit in your bash history or Windows Run cache indefinitely.

Wiping the Digital Footprint

Beyond file encryption, robust security requires wiping execution trails. Tools like Folder Lock include a Clean History function that removes traces of computer activity, including Windows Temporary Files, Open/Save directory caches, Clipboard data, and Run/Search histories. Regularly clearing these caches ensures that temporary plaintext leaks of API tokens or infrastructure IDs cannot be recovered by forensic analysis or local malware.

Managing Credentials Securely

Rather than leaving database passwords or AWS keys scattered in unencrypted `.txt` notes on your desktop, leverage dedicated encrypted wallets. Folder Lock provides a specific Secrets management interface to securely store and categorize confidential text, bank details, and identity numbers using the same rigorous AES-256 encryption applied to your file system.


Folder Lock: Plans & Limitations

Folder Lock offers transparent, one-time pricing without ongoing subscriptions. Here is how the capabilities break down for technical users securing their local environments.


Free Trial

Essential local protection to test the workflow.

$0
  • 1 GB Max Locker Size
  • Sync Across 2 Devices
  • Mobile App Access
  • Basic Secrets & Wallets
  • No File Shredding
  • No Portable Lockers

Full Version

Unrestricted encryption and data destruction tools.

$39.95 / one-time
  • Unlimited Locker Size
  • Sync Across 5 Devices
  • Create Portable Executable Lockers
  • Secure File & Drive Shredding
  • Secure User File Sharing
  • Clean OS History Footprints

Frequently Asked Questions

What is the .terraform.lock.hcl file?

It is a dependency lock file that records the exact versions and checksums of the providers (plugins) your Terraform configuration relies on, ensuring consistent runs across different machines.

How does Terraform use the lock file for provider versioning?

When you run terraform init, Terraform checks this file. If the downloaded provider binary's hash doesn't match the hash in the lock file, Terraform aborts the operation to prevent malicious or incompatible code from running.

How to handle .terraform.lock.hcl in CI/CD?

Always commit the lock file to source control. In your CI/CD pipeline, run a standard terraform init. If your CI runner uses a different OS than your dev machine, ensure you pre-populate the lock file with terraform providers lock -platform=....

What is the difference between Terraform state lock and dependency lock?

The dependency lock (.terraform.lock.hcl) tracks the versions of the plugins downloaded to run your code. The state lock is a mechanism (often via DynamoDB) that prevents two developers from running terraform apply simultaneously and corrupting the remote .tfstate file.

How to fix card locked on digital camera?

This physical "lock" is a small switch on the side of the SD card. Simply remove the SD card from the camera, slide the small toggle switch on the left edge up (towards the metal contacts) to unlock it, and reinsert it.

How to block digital purchases on Amazon?

To prevent accidental digital purchases (like Kindle books or movies), log into Amazon, navigate to Account Settings > Voice Purchasing (to disable Alexa purchases) or set up Amazon Kids/Parental Controls to require a PIN for digital storefront transactions.

How to add a digital signature block in a PDF for someone else to sign?

In Adobe Acrobat, go to Tools > Prepare Form. Select the "Digital Signature" tool from the toolbar and drag a box where you want the signature to go. Save the PDF and send it to the recipient; they will be able to click that block to apply their certificate.