feat(provisioner): warn when .terraform.lock.hcl is modified during init (coder#20451)

Fixes: coder#20451

Author: mtojek

provisioner/terraform/executor.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"hash/crc32"
 	"io"
 	"os"
 	"os/exec"
@@ -220,6 +221,10 @@ func (e *executor) init(ctx, killCtx context.Context, logr logSink) error {
 	e.mut.Lock()
 	defer e.mut.Unlock()
 
+	// Record lock file checksum before init
+	lockFilePath := filepath.Join(e.workdir, ".terraform.lock.hcl")
+	preInitChecksum := checksumFileCRC32(ctx, e.logger, lockFilePath)
+
 	outWriter, doneOut := logWriter(logr, proto.LogLevel_DEBUG)
 	errWriter, doneErr := logWriter(logr, proto.LogLevel_ERROR)
 	defer func() {
@@ -246,7 +251,30 @@ func (e *executor) init(ctx, killCtx context.Context, logr logSink) error {
 			return &textFileBusyError{exitErr: exitErr, stderr: errBuf.b.String()}
 		}
 	}
-	return err
+	if err != nil {
+		return err
+	}
+
+	// Check if lock file was modified
+	postInitChecksum := checksumFileCRC32(ctx, e.logger, lockFilePath)
+	if preInitChecksum != 0 && postInitChecksum != 0 && preInitChecksum != postInitChecksum {
+		e.logger.Warn(ctx, fmt.Sprintf(".terraform.lock.hcl was modified during init. This means provider hashes "+
+			"are missing for the current platform (%s_%s). Update the lock file with:\n\n"+
+			"  terraform providers lock -platform=linux_amd64 -platform=linux_arm64 "+
+			"-platform=darwin_amd64 -platform=darwin_arm64 -platform=windows_amd64\n",
+			runtime.GOOS, runtime.GOARCH),
+		)
+	}
+	return nil
+}
+
+func checksumFileCRC32(ctx context.Context, logger slog.Logger, path string) uint32 {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		logger.Debug(ctx, "file %s does not exist or can't be read, skip checksum calculation")
+		return 0
+	}
+	return crc32.ChecksumIEEE(content)
 }
 
 func getPlanFilePath(workdir string) string {

provisioner/terraform/executor_internal_test.go

@@ -2,12 +2,14 @@ package terraform
 
 import (
 	"encoding/json"
+	"os"
 	"testing"
 
 	tfjson "github.com/hashicorp/terraform-json"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/provisionersdk/proto"
+	"github.com/coder/coder/v2/testutil"
 )
 
 type mockLogger struct {
@@ -171,3 +173,46 @@ func TestOnlyDataResources(t *testing.T) {
 		})
 	}
 }
+
+func TestChecksumFileCRC32(t *testing.T) {
+	t.Parallel()
+
+	t.Run("file exists", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		logger := testutil.Logger(t)
+
+		tmpfile, err := os.CreateTemp("", "lockfile-*.hcl")
+		require.NoError(t, err)
+		defer os.Remove(tmpfile.Name())
+
+		content := []byte("provider \"aws\" { version = \"5.0.0\" }")
+		_, err = tmpfile.Write(content)
+		require.NoError(t, err)
+		tmpfile.Close()
+
+		// Calculate checksum - expected value for this specific content
+		expectedChecksum := uint32(0x08f39f51)
+		checksum := checksumFileCRC32(ctx, logger, tmpfile.Name())
+		require.Equal(t, expectedChecksum, checksum)
+
+		// Modify file
+		err = os.WriteFile(tmpfile.Name(), []byte("modified content"), 0o600)
+		require.NoError(t, err)
+
+		// Checksum should be different
+		modifiedChecksum := checksumFileCRC32(ctx, logger, tmpfile.Name())
+		require.NotEqual(t, expectedChecksum, modifiedChecksum)
+	})
+
+	t.Run("file does not exist", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		logger := testutil.Logger(t)
+
+		checksum := checksumFileCRC32(ctx, logger, "/nonexistent/file.hcl")
+		require.Zero(t, checksum)
+	})
+}