Terraform Upgrade + terraform upgrade process upgrade #1714
TODO: check new terraform version doesn't ruin everything
Pull Request Overview
This PR modernizes the Terraform upgrade process by replacing a custom Ruby script with the industry-standard tfupdate tool and introduces automated workflows for managing provider lock files. The changes upgrade Terraform from version 1.11.4 to 1.13.1 and convert all version constraints from JSON to HCL format while switching from fuzzy version matching to exact version pinning.
Key changes:
- Replaces the Ruby upgrade script with a new Bash script using `tfupdate` for more reliable version management
- Adds automated GitHub workflow to handle `.terraform.lock.hcl` file updates when `infra/shared/versions.tf` changes
- Introduces Dependabot configuration for Terraform providers with automatic lock file updates
Reviewed Changes
Copilot reviewed 55 out of 81 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infra/shared/versions.tf.json → infra/shared/versions.tf | Converts from JSON to HCL format and upgrades all provider versions |
| infra/scripts/upgrade_tf_version.rb | Removes the legacy Ruby upgrade script |
| infra/scripts/upgrade_tf_version.sh | New Bash script using tfupdate for version management |
| .github/workflows/update-provider-locks.yml | Automated workflow for provider lock file management |
| .github/dependabot.yml | Adds Terraform provider dependency management |
| Multiple versions.tf symlinks | Updates all symlink references from .json to .tf files |
Files not reviewed (26)
- infra/deployments/deploy/account/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/coordination/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/e2e-tests-image-builder/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/ecr/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/engineer-access/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/image-builders/.terraform.lock.hcl: Language not supported
- infra/deployments/deploy/tools/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/account/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/account/init-state-bucket/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/auth0/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/dns/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/environment/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/forms-admin/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/forms-api/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/forms-product-page/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/forms-runner/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/health/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/health/monitoring/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/pipelines/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/rds/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/redis/.terraform.lock.hcl: Language not supported
- infra/deployments/forms/ses/.terraform.lock.hcl: Language not supported
- infra/deployments/integration/account/.terraform.lock.hcl: Language not supported
- infra/deployments/integration/review/.terraform.lock.hcl: Language not supported
- infra/deployments/integration/review/vpc/.terraform.lock.hcl: Language not supported
- infra/modules/forms-api/.terraform.lock.hcl: Language not supported
cadmiumcat left a comment
This is great 👏
I'm happy to approve once you've gone through the TODOs and your own self-deprecating comments
@cadmiumcat there was a merge conflict after the redis PR went out - can you please re-review. specifically
tfupdate only works on hcl files, so we need to switch back to hcl.
Rather than the manual ruby script, we can use tfupdate to do the heavy lifting of finding and updating the versions of terraform and the providers. Tfupdate also has the ability to update the lock files for us using an in-memory cache of the plugins, removing the need for us to `init` and download the plugins multiple times. This does switch us away from fuzzy version matching to exact versions, but that is a good thing as it means we know exactly what version we are using. We no longer read the terraform version from terraform_version.tf.json, instead we read it from .terraform-version. This ensures that the version used in codebuild and locally are the same, as tfenv reads this file.
- if dependabot opened the PR, commit any updated lock files
- if a human opened the PR, fail if lock files are not updated
Some people prefer `mise` - this lets it fail over to that when run locally. Also, bump a gemfile lock for a new MacOS version.
We use the null provider in a few places, so it makes sense for us to actually pin and lock the version we use.
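The exact-pin and `.terraform-version` properties described in the commit messages above can be checked mechanically. This is an added example, not code from the PR or the forms-deploy repository; the function names and the sample provider versions are constructed, and it assumes one `version` attribute per line.

```sh
#!/bin/sh
# Added example, not code from the PR: audit a versions.tf for exact pins
# and for agreement with .terraform-version (the file tfenv reads).

# Print (with line numbers) every constraint that is not one exact x.y.z.
fuzzy_pins() { # $1: path to versions.tf
  grep -nE '^[[:space:]]*(required_)?version[[:space:]]*=' "$1" |
    grep -vE '=[[:space:]]*"=?[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+"[[:space:]]*(#.*)?$' ||
    true # grep exits 1 when nothing is left; that is the clean case
}

# Succeed only if required_version equals the contents of .terraform-version.
tf_version_matches() { # $1: versions.tf  $2: .terraform-version
  want=$(tr -d '[:space:]' < "$2")
  have=$(sed -nE 's/^[[:space:]]*required_version[[:space:]]*=[[:space:]]*"=?[[:space:]]*([^"]+)".*/\1/p' "$1" | head -n 1)
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Report all findings; non-zero return status if anything is wrong.
audit_pins() { # $1: versions.tf  $2: .terraform-version
  rc=0; bad=$(fuzzy_pins "$1")
  [ -z "$bad" ] || { printf 'non-exact constraints in %s:\n%s\n' "$1" "$bad"; rc=1; }
  tf_version_matches "$1" "$2" || { printf 'required_version differs from %s\n' "$2"; rc=1; }
  return "$rc"
}

# Constructed sample input; the provider versions are illustrative only.
make_sample() { # $1: directory to write into
  echo "1.13.1" > "$1/.terraform-version"
  cat > "$1/versions.tf" <<'EOF'
terraform {
  required_version = "1.13.1"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.0.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "~> 3.2"
    }
  }
}
EOF
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_pins "$demo_dir/versions.tf" "$demo_dir/.terraform-version" || true
rm -rf "$demo_dir"
```

On the constructed sample the audit reports only the `null` provider's `~> 3.2` constraint; pre-release versions such as `1.0.0-rc1` are also reported as non-exact by this pattern.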
Warning You are changing the Terraform version. Before you merge this PR, you must apply the
Pull Request Overview
Copilot reviewed 57 out of 84 changed files in this pull request and generated 1 comment.
What problem does this pull request solve?
Trello card: https://trello.com/c/MCDTH5Ll/644-terraform-upgrade
This pull request modernizes and improves the Terraform upgrade process for the forms-deploy repository by introducing automated tooling and GitHub workflows to handle version updates and provider lock file management.
It also updates terraform and the providers.
Key improvements:
- Replaces manual Ruby script with `tfupdate` - Switches from the custom Ruby upgrade script to the industry-standard `tfupdate` tool, which provides more reliable and comprehensive Terraform version management.
- Automated provider lock file management - Introduces a GitHub workflow that automatically handles `.terraform.lock.hcl` file updates when `infra/shared/versions.tf` is modified, with different behavior for Dependabot vs. human-created PRs.
- Dependabot integration - Adds Dependabot configuration for Terraform providers and ensures lock files are automatically updated in Dependabot PRs.
- HCL format standardization - Converts from `versions.tf.json` to `versions.tf` to ensure compatibility with `tfupdate` and maintain consistency with Terraform best practices.
Things to consider when reviewing
- `DEPENDABOT_PAT` secret to be configured for Dependabot PRs to work correctly
Key files to review:
- `infra/scripts/upgrade_tf_version.sh` - New upgrade script using `tfupdate`
- `.github/workflows/update-provider-locks.yml` - Automated lock file management
- `.github/dependabot.yml` - Dependabot configuration for Terraform
- `infra/shared/versions.tf` - Converted from JSON to HCL format
Reminders
- `DEPENDABOT_PAT` repository secret before merging
- `infra/shared/versions.tf` changes after merge