TrademarkTrademark
Features
Documentation

What are Terraform Lock Files

Learn what a Terraform lock file is and why it's important.
Ryan FeeAugust 15, 2025Updated April 24, 2026
What are Terraform Lock Files
Key takeaways
  • A Terraform lock file (.terraform.lock.hcl), introduced in Terraform 0.14, records the exact provider and module versions and checksums so they stay consistent across environments and teammates.
  • terraform init creates and updates the lock file automatically; you should commit it to version control and never edit it manually.
  • Committing the lock file prevents unexpected version upgrades, ensures reproducible deployments, and acts as a contract so everyone and CI use the same versions.
  • Common problems include checksum mismatches across operating systems, fixed with terraform providers lock, and stale lock files, fixed with terraform init -upgrade.
  • Merge conflicts in the lock file are resolved by keeping all provider blocks and checksums, then running terraform init to revalidate.

What are the Terraform lock files?

A Terraform lock file is a dependency lock file for Terraform modules and providers. It showed up in Terraform 0.14, and its job is to lock the exact versions of providers and modules a configuration uses so they stay consistent across different environments and team members.

Think of it like a package.json file in a Node.js project or a Gemfile.lock in a Ruby project. When you run terraform init, Terraform downloads the providers and modules you need and also records their exact versions and checksums in the .terraform.lock.hcl file.

This file is automatically created and updated by Terraform. It's not something you should edit manually.

Why is it important?

The main thing a Terraform lock file gives you is consistency. Here's why that matters so much:

  • Prevents unexpected changes: Without a lock file, Terraform might download a newer, potentially incompatible version of a provider when a teammate runs terraform init. This could lead to a configuration that works on one machine but fails on another (a classic "it works on my machine" problem). The lock file guarantees that everyone is using the same, tested versions.
  • Ensures reproducibility: The lock file makes your infrastructure deployments reproducible. You can always revert to a previous state and know the exact same provider versions will be used, so a new provider release won't surprise you with breaking changes.
  • Enhances collaboration: On a team, committing the lock file to version control (like Git) is a must. It acts as a contract, so every team member and your CI/CD pipeline use the exact same provider and module versions. That prevents drift and makes collaboration a lot smoother.

How to use the Terraform lock file

Using the Terraform lock file is easy because Terraform handles most of the work for you.

  1. Initialize: When you run terraform init for the first time, Terraform will download the providers and modules and create the .terraform.lock.hcl file.
  2. Version control: Commit the .terraform.lock.hcl file to your version control system (e.g., Git). This is the most critical step.
  3. Collaborate: When another team member clones the repository and runs terraform init, Terraform will automatically use the versions specified in the lock file, even if newer versions of the providers are available.

A Terraform lock file is critical for consistency, but it can also cause headaches, especially when you're working as a team or across platforms. Knowing these problems and how to fix them keeps your workflow smooth.

Common issues with Terraform lock files

Checksum mismatch errors

This is arguably the most frequent problem. The error message typically says something like: "the current package… doesn't match any of the checksums previously recorded in the dependency lock file."

  • Cause: This usually happens when the lock file was created on one operating system (e.g., macOS) and then used on a different one (e.g., Linux in a CI/CD pipeline). Provider binaries have different checksums on different platforms, and your lock file might only have the checksum for the platform it was first generated on.
  • Resolution: To fix it, update the lock file so it includes checksums for every platform you'll use. The easiest way is to run terraform providers lock and name the platforms. For example, terraform providers lock -platform=linux_amd64 -platform=darwin_amd64. Then commit the updated lock file to your repository.

Stale lock files

A stale lock file occurs when you've updated the version constraints for a provider in your code (e.g., from ~> 3.0 to ~> 4.0), but the lock file hasn't been updated to reflect the new version.

  • Cause: This happens if you change your provider version constraints but don't run terraform init -upgrade, or you forget to commit the changes to the lock file. Your CI/CD pipeline can then fail because it's trying to use an outdated lock file with a new configuration.
  • Resolution: To update the lock file properly, run terraform init -upgrade. This command tells Terraform to ignore the existing lock file, find the newest provider versions that match your constraints, and write the new selections and checksums into the lock file. Always remember to commit the updated .terraform.lock.hcl file.

Merge conflicts

In a team setting, two developers might independently update provider versions and create a merge conflict in the .terraform.lock.hcl file.

  • Cause: Developer A updates a provider and commits the new lock file. At the same time, Developer B updates a different provider and also commits their changes. When they try to merge, Git detects a conflict because the lock file has been modified in both branches.
  • Resolution: You handle this like any other merge conflict, resolving it by hand in the lock file. The safest approach is to accept both sets of changes so all the provider blocks and their checksums are present. Then run terraform init again to confirm every checksum is still valid and the file is in good shape.

You can prevent most of these issues with good team habits: always commit the lock file, and be deliberate about when and how you upgrade provider versions.

Summary

The Terraform lock file (.terraform.lock.hcl) is a small file that solves a big problem: keeping your Terraform deployments consistent and reproducible. Commit it to version control and everyone on your team, plus your automation, works with the same tested versions of your providers and modules, which gives you more stable and predictable infrastructure. It's a best practice you should always follow.

Lock files pin versions per repository; they don't tell you which provider versions run across your whole estate. At team scale, module and provider reports answer that question. Scalr builds them in, and pricing is free up to 50 runs per month.

About the author
Ryan Feedirector of platform engineering at Scalr
Ryan Fee is the director of platform engineering at Scalr, with over 15 years of experience improving infrastructure experiences at companies large and small.