From e83c777b44aaaedfd12e8a8e104b408daf0fe656 Mon Sep 17 00:00:00 2001 From: sjat Date: Sun, 14 Jun 2026 16:15:23 +0200 Subject: [PATCH] docs(friction): TF child-module required_providers gotcha (caught by live init) Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/FRICTION.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/FRICTION.md b/docs/FRICTION.md index 7a188bd..b6db6d9 100644 --- a/docs/FRICTION.md +++ b/docs/FRICTION.md @@ -21,6 +21,16 @@ earning its keep. _(append new raw signals here; the next kaizen review consumes them)_ +- `[gotcha]` **Terraform child modules need their own `required_providers` for + non-hashicorp providers** (2026-06-14): `terraform init` for the `offsite` env failed — + the `hetzner_vm` module used `hcloud_*` resources with no `required_providers` block, so + TF inferred `hashicorp/hcloud` (nonexistent). The `proxmox_vm` module had the **identical + latent bug**, never caught because Proxmox TF was never `init`ed. Both the terraform-MCP + schema check and the final review subagent missed it; only `make tf-init/plan` on ubongo + caught it. Reinforces the M1 signal that **live/real execution catches what static review + can't** — now for Terraform. → always give a TF module its own `versions.tf` with + `required_providers`; treat "reviewed but never run" as a structural blind spot. + - `[gotcha]` **`item.values` in a loop sends the dict's `.values()` METHOD, not the key** (2026-06-14): the `public_dns` role looped over records that have a `values:` key and used `{{ item.values }}` in the `gandi_livedns` task. Jinja attribute access
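Review bot: the new `[gotcha]` entry records the failure (`TF inferred hashicorp/hcloud (nonexistent)`) but never states what the correct declaration is, so a reader hitting the same `terraform init` error still has to go look it up; add the registry source the modules should declare (for hcloud that is `hetznercloud/hcloud`, plus a version constraint) to the `→ always give a TF module its own versions.tf with required_providers` recommendation, and state the same for the Proxmox provider the `proxmox_vm` module uses. The entry also says `The proxmox_vm module had the identical latent bug` but not whether both modules were actually fixed in this or a sibling commit, which matters for a kaizen review that consumes these signals; a short "fixed in: …" pointer would close the loop. Minor: the entry uses an em-dash and a `→` arrow where the surrounding FRICTION.md entries appear to use plain colons and sentences, so keep the punctuation consistent with the rest of the list.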