Terraform Init -get-plugins=false does not fail as expect in 0.13.x and beyond.

[straubt1]

Terraform Version

0.13.5 and 0.14.0

Terraform Configuration Files

terraform {
  required_providers {
    aws = {}
  }
}

Expected Behavior

When running terraform init -get-plugins=false on a clean directory (i.e. there is no .terraform folder), it is expected that the command returns an error.

Per the documentation:

-get-plugins=false — Skips plugin installation. Terraform will use plugins installed in the user plugins directory, and any plugins already installed for the current working directory. If the installed plugins aren't sufficient for the configuration, init fails.

Actual Behavior

In Terraform 0.12.29 this works as expected, however in Terraform 0.13.5 and 0.14.0, the plugins (i.e. "providers") are downloaded anyway, seemingly ignoring the flag.

0.12.29

$ terraform -v
Terraform v0.12.29

$ terraform init -get-plugins=false

Initializing the backend...

Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...

Missing required providers.

The following provider constraints are not met by the currently-installed
provider plugins:

* aws (any version)

Terraform can automatically download and install plugins to meet the given
constraints, but this step was skipped due to the use of -get-plugins=false
and/or -plugin-dir on the command line.

If automatic installation is not possible or desirable in your environment,
you may manually install plugins by downloading a suitable distribution package
and placing the plugin's executable file in one of the directories given in
by -plugin-dir on the command line, or in the following directory if custom
plugin directories are not set:
    terraform.d/plugins/darwin_amd64


Error: missing provider "aws"

0.13.5

$ terraform -v
Terraform v0.13.5

$ terraform init -get-plugins=false

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.19.0...
- Installed hashicorp/aws v3.19.0 (signed by HashiCorp)

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, we recommend adding version constraints in a required_providers block
in your configuration, with the constraint strings suggested below.

* hashicorp/aws: version = "~> 3.19.0"

Terraform has been successfully initialized!

0.14.0

$ terraform -v
Terraform v0.14.0

$ terraform init -get-plugins=false

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.19.0...
- Installed hashicorp/aws v3.19.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Steps to Reproduce

Create a main.tf:

terraform {
  required_providers {
    aws = {}
  }
}

Ensure .terraform folder is not present:

rm -rf .terraform

Run init with the ignore plugins flag:

terraform init -get-plugins=false 

[pselle]

I confirmed that get-plugins is no longer used in the init code to skip plugin installation. If you provide one or more -plugin-dirs options, this will result in the behavior you're looking for (while limiting the search to those directories).

Conceptually, in the context of the new installer, plugins are always "installed" -- something that the current docs don't clarify. I think from you raising this issue, you expect the get-plugins flag to skip installing from the registry (and install only from default local sources). To ensure that we design an appropriate solution to this issue, would you mind sharing your use case/when you use -get-plugins=false?

You might also find writing a custom provider_installation block helpful in the meantime as well, as an additional stopgap.

[straubt1]

The use case is specifically for running Terraform from an airgapped environment where providers are already available within the build agent host on disk.

In TF 0.12 using this flag, we can quickly fail and not request providers from the public registry since outbound traffic is blocked, and most importantly get a meaningful error message if the local cache is missing a desired provider.

Overall this is more of a consistency problem as we migrate code/process from 0.12 and beyond (expecting similar results).

[pselle]

@straubt1 Thanks for the clarification! After discussing with the core team, it seems like this behavior (specifying to only search certain directories/registries) should be covered by being explicit in provider_installation blocks or -plugin-dirs, and we could resolve this inconsistency by removing the documented behavior (that no longer works 0.13+, and is confusingly worded) of -get-plugins.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.