feat: Re-download terraform binary if it appears to be invalid.

[lukemassa]

what

Run terraform -version after installing/checking for the install of terraform.

why

If the terraform binary is invalid an any way, for example it was built for the wrong arch, we now immediately detect that, and attempt to delete the file and retrigger the download, in the hopes the new version will work. If the second version also fails, we simply fail (which is also an improvement over the previous code, because before an error about architecture would be buried and confusing, see #5670)

I believe that running terraform version or tofu version should be very fast and safe. However if it turns out this has any risk of false positives or performance issues, it's probably not worth doing.

tests

I built an incompatible binary of terraform locally, and put it where the cache would pick it up, then it correctly deleted the old version and downloaded a new one.

{"level":"warn","ts":"2026-05-07T17:27:21.584-0400","caller":"tfclient/terraform_client.go:509","msg":"Terraform binary /Users/lmassa/.atlantis/bin/terraform1.9.8 appears to be invalid, attempting to re-download","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/core/terraform/tfclient.ensureVersion\n\t/Users/lmassa/atlantis/server/core/terraform/tfclient/terraform_client.go:509\ngithub.com/runatlantis/atlantis/server/core/terraform/tfclient.NewClientWithDefaultVersion.func1\n\t/Users/lmassa/atlantis/server/core/terraform/tfclient/terraform_client.go:140"}
{"level":"info","ts":"2026-05-07T17:27:21.585-0400","caller":"tfclient/terraform_client.go:573","msg":"could not find terraform version 1.9.8 in PATH or /Users/lmassa/.atlantis/bin","json":{}}
{"level":"info","ts":"2026-05-07T17:27:21.585-0400","caller":"tfclient/terraform_client.go:575","msg":"downloading terraform version 1.9.8 from download URL https://releases.hashicorp.com","json":{}}
...
{"level":"info","ts":"2026-05-07T17:27:34.888-0400","caller":"tfclient/terraform_client.go:583","msg":"Downloaded terraform 1.9.8 to /Users/lmassa/.atlantis/bin/terraform1.9.8","json":{}}

references

Closes: #5670

[Copilot]

Pull request overview

Adds a post-install validation step for Terraform/OpenTofu binaries by executing <binary> version after locating/downloading a requested version, aiming to surface invalid/wrong-arch binaries earlier (per #5670).

Changes:

• Refactors binary resolution into a new helper (findOrDownloadVersionBinaryPath).
• Updates ensureVersion to execute the resolved binary with version and fail early if it can’t run.
• Disables Terraform checkpoint checks during this validation via CHECKPOINT_DISABLE=1.