Getting error (Inconsistent dependency lock file) while terraform apply with Github actions pipeline

Satish B 110 Reputation points
2026-02-08T05:22:49.5733333+00:00

Hi Team,

Getting an error (Inconsistent dependency lock file) while running terraform apply with a GitHub Actions pipeline.

Getting the below error while running terraform apply using GitHub Actions with Terraform:

    Run terraform apply -auto-approve tfplan
    Acquiring state lock. This may take a few moments...
    Releasing state lock. This may take a few moments...
    Error: Inconsistent dependency lock file
    │ The given plan file was created with a different set of external dependency
    │ selections than the current configuration. A saved plan can be applied only
    │ to the same configuration it was created from.
    │ Create a new plan from the updated configuration.
    Error: Terraform exited with code 1.
    Error: Process completed with exit code 1.

Workflow file:

    name: Deploy-Hub-01

    on:
      push:
        branches: ["main"]
        paths:
          - Azure_Landing_Zone/Hub/**
      workflow_dispatch:

    permissions:
      id-token: write
      contents: read

    env:
      WORKING_DIR: Azure_Landing_Zone/Hub

    jobs:
      # =========================
      # PLAN
      # =========================
      plan:
        name: Terraform Plan (Hub)
        runs-on: ubuntu-latest
        outputs:
          commit_sha: ${{ steps.get_sha.outputs.sha }}
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_HUB_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
        steps:
          - name: Checkout Code
            uses: actions/checkout@v4

          - name: Capture Commit SHA
            id: get_sha
            run: echo "sha=${GITHUB_SHA}" >> $GITHUB_OUTPUT

          - name: Azure Login (OIDC)
            uses: azure/login@v2
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_HUB_SUBSCRIPTION_ID }}

          - name: Setup Terraform (pin version)
            uses: hashicorp/setup-terraform@v3
            with:
              terraform_version: 1.13.4

          - name: Terraform Init
            run: terraform init -upgrade=false
            working-directory: ${{ env.WORKING_DIR }}

          # Ensure Linux provider checksums exist
          - name: Provider lock for Linux runner
            run: |
              terraform providers lock \
                -platform=linux_amd64 \
                -platform=linux_arm64
            working-directory: ${{ env.WORKING_DIR }}

          # Plan
          - name: Terraform Plan
            run: terraform plan -out=tfplan
            working-directory: ${{ env.WORKING_DIR }}

          # Upload plan + lockfile
          - name: Upload Plan Bundle
            uses: actions/upload-artifact@v4
            with:
              name: hub-plan-bundle
              path: |
                ${{ env.WORKING_DIR }}/tfplan
                ${{ env.WORKING_DIR }}/.terraform.lock.hcl

      # ---------- PLAN Notifications ----------
      notify_plan_success:
        needs: plan
        if: success()
        runs-on: ubuntu-latest
        steps:
          - name: Teams Plan Success
            run: |
              curl -H "Content-Type: application/json" \
                   -d "{\"text\": \"*Hub Pipeline:* Terraform PLAN succeeded.\"}" \
                   ${{ secrets.TEAMS_WEBHOOK_URL }}

      notify_plan_failure:
        needs: plan
        if: failure()
        runs-on: ubuntu-latest
        steps:
          - name: Teams Plan Failure
            run: |
              curl -H "Content-Type: application/json" \
                   -d "{\"text\": \"*Hub Pipeline:* Terraform PLAN failed! Check logs.\"}" \
                   ${{ secrets.TEAMS_WEBHOOK_URL }}

      # =========================
      # APPLY
      # =========================
      apply:
        name: Terraform Apply (Hub)
        needs: plan
        runs-on: ubuntu-latest

        # <<< MANUAL APPROVAL VIA GITHUB ENVIRONMENT >>>
        environment: hub-apply
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_HUB_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
          WORKING_DIR: Azure_Landing_Zone/Hub
        steps:
          - name: Checkout Code
            uses: actions/checkout@v4
            with:
              ref: ${{ needs.plan.outputs.commit_sha }}

          - name: Azure Login (OIDC)
            uses: azure/login@v2
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_HUB_SUBSCRIPTION_ID }}

          - name: Setup Terraform (pin version)
            uses: hashicorp/setup-terraform@v3
            with:
              terraform_version: 1.13.4

          # Bring down plan + lockfile
          - name: Download Plan Bundle
            uses: actions/download-artifact@v4
            with:
              name: hub-plan-bundle
              path: ${{ env.WORKING_DIR }}

          #  First init to install MODULES and prepare the working dir
          #  (do NOT use -lockfile=readonly here, we just need modules installed)
          - name: Terraform Init (install modules/providers per current lockfile)
            run: terraform init -upgrade=false -input=false
            working-directory: ${{ env.WORKING_DIR }}

          #  Add Linux checksums into the lockfile if they are missing
          #  (this does NOT change provider versions; just adds checksum entries)
          - name: Ensure lockfile contains Linux checksums
            run: terraform providers lock -platform=linux_amd64
            working-directory: ${{ env.WORKING_DIR }}

          # Init with existing backend + enforce lockfile
          #- name: Terraform Init
          #  run: terraform init -upgrade=false -input=false
          #  working-directory: ${{ env.WORKING_DIR }}

          # Apply from saved plan (backend safe)
          - name: Terraform Apply (remote state)
            run: terraform apply -auto-approve tfplan
            working-directory: ${{ env.WORKING_DIR }}

      # ---------- APPLY Notifications ----------
      notify_apply_success:
        needs: apply
        if: success()
        runs-on: ubuntu-latest
        steps:
          - name: Teams Apply Success
            run: |
              curl -H "Content-Type: application/json" \
                   -d "{\"text\": \"*Hub Pipeline:* Terraform APPLY succeeded!\"}" \
                   ${{ secrets.TEAMS_WEBHOOK_URL }}

      notify_apply_failure:
        needs: apply
        if: failure()
        runs-on: ubuntu-latest
        steps:
          - name: Teams Apply Failure
            run: |
              curl -H "Content-Type: application/json" \
                   -d "{\"text\": \"*Hub Pipeline:* Terraform APPLY failed! Check logs immediately.\"}" \
                   ${{ secrets.TEAMS_WEBHOOK_URL }}

Azure DevOps
1 answer

  1. Siddhesh Desai 4,025 Reputation points Microsoft External Staff Moderator
    2026-02-09T20:19:11.6233333+00:00

    Hi @Satish B

    Thank you for reaching out to Microsoft Q&A.

    The “Inconsistent dependency lock file” error occurs because Terraform enforces strict consistency between the configuration used during the plan phase and the one used during the apply phase. When a saved plan (tfplan) is created, Terraform embeds the selected provider versions and their checksums (from .terraform.lock.hcl) directly into that plan file. During terraform apply tfplan, Terraform verifies that the current working directory uses exactly the same provider selections and lock file as were present when the plan was generated. In your GitHub Actions workflow, the lock file is being modified after the plan is created (by running terraform providers lock again in the apply job). This causes a mismatch between the dependency selections stored inside the plan and the lock file present at apply time. As a result, Terraform intentionally fails to prevent applying infrastructure changes with a potentially different set of providers, which could lead to unpredictable or unsafe behavior.

    Refer to the points below to resolve this issue or as a workaround.

    1. Do not modify .terraform.lock.hcl between Plan and Apply

    Once terraform plan -out=tfplan is executed, the lock file must remain unchanged until terraform apply tfplan completes.

    Remove any terraform providers lock or terraform init -upgrade commands from the apply job.

    Ensure that the same .terraform.lock.hcl used during the plan phase is present and untouched during apply.

    2. Commit the provider lock file to version control (Recommended approach)

    The best practice is to generate the lock file once and commit it to the repository.

    Generate the lock file (locally or in a controlled CI step):

        terraform providers lock -platform=linux_amd64 -platform=linux_arm64

    Commit .terraform.lock.hcl to Git.

    In CI/CD, run only:

        terraform init -upgrade=false
        terraform plan -out=tfplan
        terraform apply tfplan

    This guarantees consistent provider versions across all pipeline runs and environments.

    3. If you cannot commit the lock file, treat it as an immutable artifact

    If organizational constraints prevent committing .terraform.lock.hcl, then:

    Generate the lock file once during the plan job.

    Upload it as an artifact along with tfplan.

    In the apply job, download and use the same lock file without regenerating or modifying it.

    Any regeneration of the lock file after the plan phase will cause the same inconsistency error.

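The rule in the answer above, that .terraform.lock.hcl must not change between plan and apply, can be checked by the pipeline before it reaches terraform apply. The script below is an added example, not part of the original answer or the poster's workflow; the function names and the lockfile.sha256 file name are assumptions, and the sample lock file contains constructed placeholder hashes.

```shell
#!/bin/sh
# Added example: detect .terraform.lock.hcl drift between the plan and apply jobs.
# Function names and the lockfile.sha256 file name are assumptions of this example.
LOCK=".terraform.lock.hcl"

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# Plan job, after `terraform plan -out=tfplan`: record the digest and upload it with tfplan.
record_lock() {
  [ -f "$1/$LOCK" ] || { echo "missing $1/$LOCK" >&2; return 2; }
  sha256_of "$1/$LOCK" > "$1/lockfile.sha256"
}

# Apply job, immediately before `terraform apply tfplan`.
# Returns 0 if unchanged, 1 if the lock file differs, 2 if an input is missing.
verify_lock() {
  { [ -f "$1/$LOCK" ] && [ -f "$1/lockfile.sha256" ]; } ||
    { echo "missing lock file or recorded digest in $1" >&2; return 2; }
  want=$(cat "$1/lockfile.sha256")
  have=$(sha256_of "$1/$LOCK")
  [ "$want" = "$have" ] && return 0
  echo "lock file changed since plan (recorded $want, now $have)" >&2
  return 1
}

# Diagnostic: one line per provider, "<source> <version> hashes=<n>", so a changed
# hash set (the effect of re-running `terraform providers lock`) is visible in logs.
lock_summary() {
  awk '
    $1 == "provider" { gsub(/"/, "", $2); src = $2; n = 0 }
    $1 == "version"  { gsub(/"/, "", $3); ver = $3 }
    /^[ \t]*"(h1|zh):/ { n++ }
    $1 == "}" && src != "" { print src, ver, "hashes=" n; src = "" }
  ' "$1/$LOCK"
}

# Constructed sample lock file (placeholder hash, not a real provider checksum).
write_sample_lock() {
  cat > "$1/$LOCK" <<'EOF'
provider "registry.terraform.io/hashicorp/azurerm" {
  version = "4.0.0"
  hashes = [
    "h1:CONSTRUCTED-PLACEHOLDER-LINUX-AMD64=",
  ]
}
EOF
}
```

When the lock file travels as a workflow artifact, check that it actually arrives: actions/upload-artifact v4 skips hidden files such as .terraform.lock.hcl unless `include-hidden-files: true` is set on the upload step.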
