In general, I love using the terraform registry, but was thinking about if a module owner can publish a version of the same package twice, i.e., a version upgrade without a version change.
I am a little wary of using packages from sources that I cannot completely control, and could not find direct guidance on the terraform docs to say that each published code change forces a version upgrade automatically, or if that's left to the package (module) manager to do manually?
I would hate to be put in a position where there are un-noticed functionality or security changes introduced by a terraform module change, without a version change to signal them. Is that possible to do?
The official Terraform Registry, and Terraform module registries in general, do not actually directly host any modules. Instead, they act as an index of module packages published elsewhere, adding the metadata such as version numbers which a direct module source wouldn't be able to provide.
For the official Terraform Registry in particular, at the time I'm writing this it requires that each module version refers to a tag in a GitHub repository. When Terraform installs a module from that registry, the registry presents a set of available versions and Terraform chooses the newest one which meets your version constraints.
Terraform then asks the registry where to obtain the package for that version, and Terraform Registry will always return a pointer to the corresponding tag in a GitHub repository, which Terraform will then fetch and extract locally.
The registry itself has no awareness of the contents of that tag, so anyone who can control that GitHub repository could potentially change which commit that tag refers to, and therefore change the content of that module package without either Terraform Registry or Terraform itself being able to detect that.
Therefore you cannot rely on Terraform Registry alone to protect against the remote module package being modified. It is only by convention that Git tags are immutable once they are initially published; there is no technical blocker in the protocol to prevent deleting a tag and creating a new tag with the same name but referring to a different commit.
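As an added example (not part of the original question or answer): a small Python script that records a content hash of a module package once you have reviewed it, and flags a later fetch of the same version string whose content differs, which is exactly what a re-pointed tag would look like from the consumer's side. Terraform's own `.terraform.lock.hcl` records hashes for providers but not for modules, so a check like this has to live outside Terraform. The module source `example-org/network/aws`, the version numbers and the pin-file layout are constructed for the demo.

```python
"""Pin and verify the content hash of a locally extracted Terraform module.

Added example, not part of the original question or answer. Because a registry
only points at a Git tag, and a tag can be deleted and recreated at a different
commit, the consumer has to keep its own record of what "version X" contained.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that are not part of the module package and must not affect the hash.
SKIP_PREFIXES = (".git/", ".terraform/")


def module_content_hash(module_dir) -> str:
    """Return a hex SHA-256 over every file under module_dir.

    Relative paths are sorted so the result does not depend on listing order,
    and each path and file length are mixed in so moving bytes between files
    still changes the hash.
    """
    root = Path(module_dir)
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.startswith(SKIP_PREFIXES):
            continue
        data = path.read_bytes()
        h.update(f"{rel}\0{len(data)}\0".encode("utf-8"))
        h.update(data)
    return h.hexdigest()


def pin_key(source: str, version: str) -> str:
    return f"{source}@{version}"


def record_pin(pins: dict, source: str, version: str, module_dir) -> dict:
    """Store the hash of a module package you have reviewed and approved."""
    pins[pin_key(source, version)] = module_content_hash(module_dir)
    return pins


def verify_pin(pins: dict, source: str, version: str, module_dir) -> str:
    """Classify a freshly fetched package as 'ok', 'changed' or 'unpinned'."""
    expected = pins.get(pin_key(source, version))
    if expected is None:
        return "unpinned"
    return "ok" if module_content_hash(module_dir) == expected else "changed"


def save_pins(pins: dict, path) -> None:
    Path(path).write_text(json.dumps(pins, indent=2, sort_keys=True))


def load_pins(path) -> dict:
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def demo():
    """Constructed scenario: pin a module, then simulate its tag being re-pointed."""
    source, version = "example-org/network/aws", "1.2.0"  # constructed identifiers
    original = 'resource "aws_vpc" "this" {\n  cidr_block = var.cidr\n}\n'
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp) / "module"
        mod.mkdir()
        (mod / "main.tf").write_text(original)
        (mod / "variables.tf").write_text('variable "cidr" {}\n')

        pins = record_pin({}, source, version, mod)
        save_pins(pins, Path(tmp) / "module-pins.json")
        pins = load_pins(Path(tmp) / "module-pins.json")
        first = verify_pin(pins, source, version, mod)  # reviewed content: "ok"

        # Same version string, different content: what a moved tag looks like locally.
        (mod / "main.tf").write_text(original + 'resource "null_resource" "added" {}\n')
        second = verify_pin(pins, source, version, mod)  # "changed"

        # A version you never reviewed has no pin at all.
        third = verify_pin(pins, source, "1.3.0", mod)  # "unpinned"
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

In practice you would run `record_pin` once per module version after review, commit the pin file alongside your root module, and run `verify_pin` against each entry under `.terraform/modules/` after `terraform init` in CI, failing the pipeline on anything other than `ok`.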