Don't rewrite constraints in terraform lock file

[z0rc]

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run.

Latest from https://gitlab.com/renovate-bot/renovate-runner

Please select which platform you are using if self-hosting.

GitLab self-hosted

If you're self-hosting Renovate, tell us what version of the platform you run.

GitLab 14.10

Was this something which used to work for you, and then stopped?

I never saw this working

Describe the bug

Split from https://github.com/renovatebot/renovate/issues/13692#issuecomment-1020502570

With "rangeStrategy": "update-lockfile" Renovate rewrites constraints field, and logic is different from what terraform does with this field. This causes problem when actually working with code, like running terraform init will rewrite this field. terraform init used really often, when changing modules, or running pre-commit hooks.

Relevant debug logs

Logs

{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Setting current branch to master","time":"2022-05-14T10:39:41.052Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","branchName":"master","latestCommitDate":"2022-05-13T14:41:13+00:00","msg":"latest commit","time":"2022-05-14T10:39:41.106Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getBranchPr(feature/renovate-aws-4.x-lockfile)","time":"2022-05-14T10:39:41.123Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"findPr(feature/renovate-aws-4.x-lockfile, undefined, open)","time":"2022-05-14T10:39:41.124Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getPr(216)","time":"2022-05-14T10:39:41.124Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getMR(216)","time":"2022-05-14T10:39:41.124Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"branchExists=true","time":"2022-05-14T10:39:41.126Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"dependencyDashboardCheck=undefined","time":"2022-05-14T10:39:41.126Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"PR rebase requested=false","time":"2022-05-14T10:39:41.127Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Checking if PR has been edited","time":"2022-05-14T10:39:41.127Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","branchName":"feature/renovate-aws-4.x-lockfile","msg":"Branch has not been modified","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Found existing branch PR","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Checking schedule(at any time, null)","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"No schedule defined","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Branch already exists","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getBranchPr(feature/renovate-aws-4.x-lockfile)","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"findPr(feature/renovate-aws-4.x-lockfile, undefined, open)","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getPr(216)","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getMR(216)","time":"2022-05-14T10:39:41.142Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","isStale":false,"currentBranch":"master","currentBranchSha":"64451537984f0bb2aa3f27078c329de60e052351","msg":"isBranchStale=false","time":"2022-05-14T10:39:41.159Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Branch is up-to-date","time":"2022-05-14T10:39:41.159Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"isBranchConflicted(master, feature/renovate-aws-4.x-lockfile)","time":"2022-05-14T10:39:41.159Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Branch does not need rebasing","time":"2022-05-14T10:39:41.475Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Using reuseExistingBranch: true","time":"2022-05-14T10:39:41.475Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"manager.getUpdatedPackageFiles() reuseExistinbranch=true","time":"2022-05-14T10:39:41.475Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","manager":"terraform","msg":"isLockFileUpdate without updateLockedDependency","time":"2022-05-14T10:39:41.494Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"terraform.updateArtifacts(infra/terraform.tf)","time":"2022-05-14T10:39:41.494Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Updated 1 package files","time":"2022-05-14T10:39:41.500Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","updatedArtifacts":["infra/.terraform.lock.hcl"],"msg":"Updated 1 lock files","time":"2022-05-14T10:39:41.500Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Ensuring comment \"⚠ Artifact update problem\" in #216 is removed","time":"2022-05-14T10:39:41.501Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Getting comments for #216","time":"2022-05-14T10:39:41.501Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Found 35 comments","time":"2022-05-14T10:39:41.868Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"2 file(s) to commit","time":"2022-05-14T10:39:41.868Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Preparing files for committing to branch feature/renovate-aws-4.x-lockfile","time":"2022-05-14T10:39:41.868Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","deletedFiles":[],"ignoredFiles":[],"result":{"author":null,"branch":"feature/renovate-aws-4.x-lockfile","commit":"764f122b91817ac55001c302669cb8c9b85f65f5","root":false,"summary":{"changes":1,"insertions":13,"deletions":0}},"msg":"git commit","time":"2022-05-14T10:39:42.135Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Pushing branch feature/renovate-aws-4.x-lockfile","time":"2022-05-14T10:39:42.166Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","result":{"pushed":[],"ref":{"local":"refs/remotes/origin/feature/renovate-aws-4.x-lockfile"},"remoteMessages":{"all":["View merge request for feature/renovate-aws-4.x-lockfile:","https://gitlab.hjoy.net/devops/k8s-platform/-/merge_requests/216"]}},"msg":"git push","time":"2022-05-14T10:39:42.618Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":30,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","commitSha":"764f122b91817ac55001c302669cb8c9b85f65f5","msg":"Branch updated","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Checking if we can automerge branch","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"mergeStatus=no automerge","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Ensuring PR","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"There are 0 errors and 0 warnings","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getBranchPr(feature/renovate-aws-4.x-lockfile)","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"findPr(feature/renovate-aws-4.x-lockfile, undefined, open)","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getPr(216)","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"getMR(216)","time":"2022-05-14T10:39:42.619Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Found existing PR","time":"2022-05-14T10:39:42.622Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Processing existing PR","time":"2022-05-14T10:39:42.636Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"Merge Request #216 does not need updating","time":"2022-05-14T10:39:42.643Z","v":0}
{"name":"renovate","hostname":"runner-ynyyaj6-project-403-concurrent-0jlldf","pid":14,"level":20,"logContext":"s1YcmrcxycX0RjcSOdMiq","repository":"devops/k8s-platform","branch":"feature/renovate-aws-4.x-lockfile","msg":"PR is not configured for automerge","time":"2022-05-14T10:39:42.643Z","v":0}

Have you created a minimal reproduction repository?

https://github.com/z0rc/renovate-15580

[github-actions]

Hi there,

Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction.

We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team

[z0rc]

I don't think there is need for reproduction repository. See https://github.com/renovatebot/renovate/issues/13692#issuecomment-1020835777, this is known behavior.

and then see if the range list causes any problems in practice.

This issue describes how such behavior causes problem in practice.

[viceice]

this needs a reproduction to test and verify current and fixed behavior.

[z0rc]

I don't think this is reproducible with public repository due to

As renovate and pre-commit use the same api user

[z0rc]

Here are extracts from Renovate MR to better understand what is going on.

0. Repo is configured with pre-commit hook, using following configuration

% cat .pre-commit-config.yaml
---
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.71.0
  hooks:
  - id: terraform_fmt
  - id: terraform_docs
  - id: terraform_providers_lock
    args:
    - --args=-platform=linux_amd64
    - --args=-platform=darwin_amd64

1. Renovate creates MR with following commit

commit 1d846e7aa3c5501d9aa12cd5280d3d65ec0a9220
Author: Dobby Bot <[email protected]>
Date:   Sun May 15 09:38:54 2022 +0000

    chore: [deps] Update Terraform aws to v4.14.0

diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
index dc85bd5..0d4e6f5 100644
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -2,32 +2,20 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "4.13.0"
-  constraints = ">= 2.0.0, >= 3.38.0, ~> 4.0"
+  version     = "4.14.0"
+  constraints = "~> 4.0"
   hashes = [
-    "h1:3reDkc0ysWUlUFPFL/mLZDlPNODFDMF8s66DEEx4xIY=",
-    "h1:DK3+k7Yxeenw945TqdHD2RBHcgbxpM1Z+Cw5Q4mndKw=",
-    "h1:FQMJshmf3iohSjslJ0OkPFi7INz0K0PWI56jKyCLQcI=",
-    "h1:KrK7yxX49fGeF5S1Vdz2e5rIxuW8+TXwsLie0l5Xgf0=",
-    "h1:aasq4gl/aKUnCyjTEV04JbU3AIEYYE2oMlVHOZune8Q=",
-    "h1:b7cliAICwDxM1MY/zjfla3XYPzWHrCDy2/xjyHgoTmU=",
-    "h1:blbxVCtBm2aUxwTZeQ5JkA79bzV38REgAAzdNlA9te0=",
-    "h1:dgU1nsJHfLnpeKwHFh4QyxzBNOqqSzjWQnrCvlUIkg4=",
-    "h1:g77kJiEjm2fMQqQvt902DTXXjB0VpS1wWMOeesy0m4c=",
-    "h1:wJ9zY+k27og9sc7A9VWVYUIGJQkXiWOd5B0UuQF8mOk=",
-    "h1:z/HYB0bt+xbI6B1ef4PNA35Df5YtpG4SnvmMKjh+ogc=",
-    "zh:215226bc0372077d2ae6dba4e2f08f6361f8e4953d20bc4c682d40fdf5002544",
-    "zh:42777cbdc046181986c0260ea17027ef1364c31d73a57eb0ab539f6e1a3e0780",
-    "zh:78079d2f5fc35f3c43eb2a131cb49c2c77ddd04943bca97080f33355808d39cc",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:9c0404a044eae741f10f3d217dc28658e0f04082963918913b024d3305c11e79",
-    "zh:a1b5a53f60d4f7bff1cc84180fef6205c95b8793741dbc8c0564a6200424ca73",
-    "zh:ba6711064a855ddb55924342b70667e9bed660bde8552dc0bde4b7f8947a2ec4",
-    "zh:d0f77ed514d54f7380d7e1ef585d853f50f1bee381d6abbf3a68429b68de6045",
-    "zh:d5c454d2ac9aed01ae00c477192c93d54c8362357a87684a3171055dcec25f44",
-    "zh:dfd381ed7da945cb85b99df843ee7eab339dd1799fa70d1ad3e94331605aad01",
-    "zh:eb6dc84414714f61b9de0ac190c69f598af9b16d144a44f573df484c06c8d4ef",
-    "zh:f02e79599af3f8f63e4b885c5715be3a4060cbf98eb4bf46d616aa0d9f2b5cd3",
+    "h1:/Z1ZTSgDlAkOIcCwhkS8tT3YJ2x5/GmlicS9vq0jEJU=",
+    "h1:LsJOSk/ASMgecG2gNee5kZ+RLAXpG3pEE2NDv2SwzPg=",
+    "h1:MKddyG65c++8KMc7NM6kUVxPap8/UPH3S8FXd17CPUI=",
+    "h1:RqBO9RnwTLRLqBtFdzeBq/2WxFqZMaHUfKcUbK5dpZ8=",
+    "h1:bGBaP7gBAs8ow/atwraBfOby+2b0WW7YU1Qc0VtI4Ts=",
+    "h1:jTt95u25A6LCDwJpMCvChnVi33+hEyL/CxBNrB2Oytk=",
+    "h1:ouBz6K65xxHfaP6I+5oXYCvilGNsC5Qn8Dy5JAqlqBU=",
+    "h1:tAlEAj2fSHlbnAZlHwJB6aDIVT0By1Za7WEleGf12hQ=",
+    "h1:ulMeMXxXkPHud/g7rb7D3egoPEy4ijUQUPvAtC+sDlA=",
+    "h1:vDWK646jifftne/t5mmgcapLOrsm79MSHDH2icW+3uE=",
+    "h1:wJ1F5KqM9XLQqotZ82YFQywpN4pwtVFR35uc5ckqGKw=",
   ]
 }

2. Pre-commit logic in gitlab CI checks the MR via running pre-commit run --all-files and adding commit to MR with diff after pre-commit run

commit 65a9233dea8d4c98a85785da1e620bf5682e09d9 (HEAD -> feature/renovate-aws-4.x-lockfile, origin/feature/renovate-aws-4.x-lockfile)
Author: Dobby Bot <[email protected]>
Date:   Sun May 15 09:40:15 2022 +0000

    Apply pre-commit changes

diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
index 0d4e6f5..f589393 100644
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -3,7 +3,7 @@

 provider "registry.terraform.io/hashicorp/aws" {
   version     = "4.14.0"
-  constraints = "~> 4.0"
+  constraints = ">= 2.0.0, >= 3.38.0, ~> 4.0"
   hashes = [
     "h1:/Z1ZTSgDlAkOIcCwhkS8tT3YJ2x5/GmlicS9vq0jEJU=",
     "h1:LsJOSk/ASMgecG2gNee5kZ+RLAXpG3pEE2NDv2SwzPg=",
@@ -16,6 +16,18 @@ provider "registry.terraform.io/hashicorp/aws" {
     "h1:ulMeMXxXkPHud/g7rb7D3egoPEy4ijUQUPvAtC+sDlA=",
     "h1:vDWK646jifftne/t5mmgcapLOrsm79MSHDH2icW+3uE=",
     "h1:wJ1F5KqM9XLQqotZ82YFQywpN4pwtVFR35uc5ckqGKw=",
+    "zh:00d03c06e6a7f8ccf8a5a8e03d71842ebe75c9bf4a94112429cf457ae50e9ec4",
+    "zh:1dc73df493294451a8a5bf80575d083958b8e33051f5a37764dcfd6264e0fd37",
+    "zh:4427e14bf3e1e0879f44edcf81a7091c67f7dd3c0b4a842f70ab2c5108452108",
+    "zh:4c9d8e627881207354020bcc2c6fede891d85a1893ee1a60c96e96f26bb792a7",
+    "zh:69c1dd3e8d1cfe85529d201ac6390df5e28bc353cf340b1ec3c5981d696f6373",
+    "zh:76df2d46384d7bf3c10e799145ee16c829f5bbf9218896aab4a73ec57dae0e90",
+    "zh:863ce9721e6d1f8554d77541545b6081e2afb1f38cb0c73a0491e58235ed588e",
+    "zh:9a8184398f83781623b2257361a1c038fb0eeb8361bb4714d1897f2479398b49",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:bbf27af267e5a77780ccc83b2f79e75f47ce7b8ed4f864b34baad01cbf2f54fb",
+    "zh:f31cfa54f3951d4623a25712964724a57f491ab17b3944802d55072768b41043",
+    "zh:fe17dfac4954873faf340088949e2434058f6f6b2f228fe3e349527f1ecde92d",
   ]
 }

diff --git a/infra/README.md b/infra/README.md
index 1d9acf1..0e68b50 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -15,7 +15,7 @@

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.13.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.14.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.11.0 |
 | <a name="provider_vault"></a> [vault](#provider\_vault) | 3.5.0 |

This results in MR with two commits.

We're using same API user for renovate and pre-commit automation to not drain GitLab licensed user seats with automation users. As renovate and pre-commit make commits under the same git author, I assume that renovate treats whole MR as its own. On next iteration renovate rebases the MR leaving only first commit, so pre-commit automation does second commit again, and cycle continues until MR is merged.

[rarkins]

Independently of this topic, this is why we recommend Renovate gets a dedicated user and is not shared with other bots

[rarkins]

If you change the git author for either bot then you might avoid the flip flopping

[z0rc]

@rarkins We'll try to look into switching renovate to another user. Though I'm afraid it won't be easy, AFAIU switching to new API user will orphan all existing MRs but will create exact same ones under new user. Is there any way on renovate side to close or migrate MRs at this situation?

[github-actions]

When a bug has been marked as needing a reproduction, it means nobody can work on it until one is provided. In cases where no reproduction is possible, or the issue creator does not have the time to reproduce, we unfortunately need to close such issues as they are non-actionable and serve no benefit by remaining open. This issue will be closed after 7 days of inactivity.

[z0rc]

Rewrite of constraints field in terraform lock file is known behavior of renovate bot. This ticket is about this behavior, as it's considered incorrect because it causes issue down the road with regular terraform operations.

[github-actions]

When a bug has been marked as needing a reproduction, it means nobody can work on it until one is provided. In cases where no reproduction is possible, or the issue creator does not have the time to reproduce, we unfortunately need to close such issues as they are non-actionable and serve no benefit by remaining open. This issue will be closed after 7 days of inactivity.

[z0rc]

Not stale.

[rarkins]

@z0rc something which will make this issue less likely to be resolved is that two different topics have been mixed together:

• How/what Renovate updates in terraform files
• How things behave if you have two bots with same username pushing to same PR

I recommend that you update the original description and then hide all unrelated/off-topic comments so that we can get back to the original discussion. And of course a reproduction is still required, just for the terraform constraints part.

[github-actions]

When a bug has been marked as needing a reproduction, it means nobody can work on it until one is provided. In cases where no reproduction is possible, or the issue creator does not have the time to reproduce, we unfortunately need to close such issues as they are non-actionable and serve no benefit by remaining open. This issue will be closed after 7 days of inactivity.

[z0rc]

@rarkins done.

[hskrtich]

I am also running into this issue. I am using the cloud hosted renovate bot and its updating the constraints value in the lock file to an invalid format for terraform.

Can this get worked on?

[johnywas]

Same here with self hosted Renovate and self hosted Gitlab.
Having this:

terraform {
  required_version = ">= 0.13.4"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 3.0"
    }
  }
}

Renovate PR to update terraform lockfile leads to:

provider "registry.terraform.io/hashicorp/google" {
  version     = "4.66.0"
  constraints = ">= 3.0"
  hashes = [
    "h1:5nXbUI6p3+MB0p/fhBXSzpwOUY4zkhqqwhnhJEYR07g=",
    "h1:CdjxpTV2ZZlCyJJMjQbrIysFBL1mVEpu6rtRIAlJELs=",
    "h1:XkZvUaH5h/qVxcov8ffH3YUwmskAe/6xkKIwsp35/T0=",
    "h1:aUKSdXehj2tc0tnK+FMniQ+ekPQwneGDrdS1ziWHkqE=",
    "h1:hWdFHWdIyfSPBDm1XwEMsHl3k5CqoAzNiwgZj839Gtk=",
    "h1:ha9Gq9th/P4LBxJuTF+g7Hm0/a+XLT8HVCXfEDEGxBw=",
    "h1:pGIFZyCdEXc8PECJgZaXyXItG0XDwj14NXWINYVvYnQ=",
    "h1:rN7iHu/t+Xps0D4RUM2ZkgLdXAY6ftey+o/5osP9jKE=",
    "h1:swReK2MenK3Djny0VLjCD7AAIXo1ikgpwwHmELM8Z/w=",
    "h1:vrcGaRJuaHbPMlX9+5GHjJz/p+nllL9tPCQ93b7eExU=",
    "h1:ykmsArGX1/JTEbqMMUXA9s1H+IdtXnKanl5dh4YsaXo=",
  ]
}

Then terraform init fails with:

$ terraform init
Initializing the backend...
╷
│ Error: failed to read dependency lock file: Invalid provider version constraints: The recorded version constraints for provider registry.terraform.io/hashicorp/google-beta must be written in normalized form: ">= 3.0.0".

Terraform init completes successfully with the following lockfile:

provider "registry.terraform.io/hashicorp/google" {
  version     = "4.66.0"
  constraints = ">= 3.0.0"
  hashes = [
    "h1:5nXbUI6p3+MB0p/fhBXSzpwOUY4zkhqqwhnhJEYR07g=",
    "h1:CdjxpTV2ZZlCyJJMjQbrIysFBL1mVEpu6rtRIAlJELs=",
    "h1:XkZvUaH5h/qVxcov8ffH3YUwmskAe/6xkKIwsp35/T0=",
    "h1:aUKSdXehj2tc0tnK+FMniQ+ekPQwneGDrdS1ziWHkqE=",
    "h1:hWdFHWdIyfSPBDm1XwEMsHl3k5CqoAzNiwgZj839Gtk=",
    "h1:ha9Gq9th/P4LBxJuTF+g7Hm0/a+XLT8HVCXfEDEGxBw=",
    "h1:pGIFZyCdEXc8PECJgZaXyXItG0XDwj14NXWINYVvYnQ=",
    "h1:rN7iHu/t+Xps0D4RUM2ZkgLdXAY6ftey+o/5osP9jKE=",
    "h1:swReK2MenK3Djny0VLjCD7AAIXo1ikgpwwHmELM8Z/w=",
    "h1:vrcGaRJuaHbPMlX9+5GHjJz/p+nllL9tPCQ93b7eExU=",
    "h1:ykmsArGX1/JTEbqMMUXA9s1H+IdtXnKanl5dh4YsaXo=",
  ]
}

Any feedback or suggestion is greatly appreciated.

[saez0pub]

Renovate uses the required_providers.*.version to guess what to write in the lockfile, that's a bug.
It is not only tied to the required_providers block but also to modules we are using.
While someone finds how to make renovate to stop rewriting the constraints in lockfile, use a valid lockfile constraint in required_providers.
Example this patch prevents renovate to produce a non valid constraint:

   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.50"
+      version = ">= 3.50.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.50"
+      version = ">= 3.50.0"
     }
   }
 }

[pascal-hofmann]

I think this and #21062 are the same issue. In #21062 there also is a minimal reproduction repository:

repo
working state pre-update: commit (check)
onboarding PR: DavidS-ovm/renovate-tf-repro#1
failing PR: DavidS-ovm/renovate-tf-repro#2