Terraform's .terraform.lock.hcl file records provider package checksums to ensure security and consistency across different systems. A checksum mismatch occurs when the provider binary being installed doesn't match the recorded checksum, typically due to platform differences or provider version changes.
The checksum mismatch error is a security feature in Terraform that verifies the integrity of downloaded provider packages. When you run terraform init, Terraform downloads provider binaries and compares them against checksums recorded in your .terraform.lock.hcl file. If the checksums don't match, Terraform refuses to proceed to prevent installation of corrupted or unauthorized packages. This most commonly occurs when your lock file was created on a different platform (e.g., macOS) but you're now trying to init on another platform (e.g., Linux), because each platform has a different provider binary with a different checksum.
Check that your project has a .terraform.lock.hcl file. This file should be committed to your version control system. If it doesn't exist or was accidentally deleted, regenerate it by running terraform init.
Run the terraform providers lock command with flags for all platforms your team uses. For example, to support macOS (Intel), macOS (ARM), and Linux:
terraform providers lock -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 -platform=linux_arm64This command updates your .terraform.lock.hcl to include checksums for all specified platforms. After running this, commit the updated lock file to version control.
If terraform providers lock isn't available or you need to update to newer provider versions, use terraform init -upgrade. This tells Terraform to ignore the existing lock file, download the latest compatible versions matching your constraints, and generate a new lock file with fresh checksums:
terraform init -upgradeAfter running this, always commit the updated .terraform.lock.hcl file to ensure your team has the same versions.
After updating the lock file using either method above, commit it to version control:
git add .terraform.lock.hcl
git commit -m 'Update Terraform lock file checksums for multi-platform support'
git pushEnsuring all team members work with the same lock file prevents future checksum mismatches.
On the machine or CI/CD system where you encountered the error, clean and reinitialize:
rm -rf .terraform/
terraform initThis clears any cached provider binaries and verifies that the new lock file works correctly.
Only use this approach if the above steps don't resolve the issue, and only in controlled environments where you fully understand the implications. Deleting the lock file removes version pinning safeguards:
rm .terraform.lock.hcl
rm -rf .terraform/
terraform initThis regenerates the lock file from scratch, but you lose the benefit of deterministic provider versions.
Platform Considerations: Modern Terraform supports multi-platform lock files. When you run terraform providers lock with multiple -platform flags, it records checksums for all specified architectures in a single .terraform.lock.hcl file. This is the recommended approach for teams working across different operating systems.
Automation Best Practices: In CI/CD pipelines, always commit the lock file to version control and run terraform init without -upgrade to ensure deterministic deployments. Reserve -upgrade for controlled upgrades where you explicitly want newer provider versions.
Provider Mirror Sources: If you use private provider mirrors or registries, ensure the lock file's checksums match those mirrors. Some organizations use terraform providers lock -platform=... to explicitly validate that their mirror contains the correct provider packages.
Version Constraints: The lock file locks specific provider versions, not just major.minor versions. When you update provider version constraints in your configuration (e.g., from ~> 3.2 to ~> 4.0), you must regenerate the lock file. Always review lock file changes in git diffs before committing.
Error: Error rendering template: template not found
How to fix "template not found" error in Terraform
Error: Error generating private key
How to fix 'Error generating private key' in Terraform
Error creating Kubernetes Service: field is immutable
How to fix "field is immutable" errors in Terraform
Error: Error creating local file: open: permission denied
How to fix "Error creating local file: permission denied" in Terraform
Error: line endings have changed from CRLF to LF
Line endings have changed from CRLF to LF in Terraform