diff --git a/pkgs/applications/networking/cluster/terraform-providers/update-all-providers b/pkgs/applications/networking/cluster/terraform-providers/update-all-providers
index 052c56742c5f..46f0ce1be561 100755
--- a/pkgs/applications/networking/cluster/terraform-providers/update-all-providers
+++ b/pkgs/applications/networking/cluster/terraform-providers/update-all-providers
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -i bash -p jq
+#! nix-shell -I nixpkgs=../../../../.. -i bash -p jq
 # shellcheck shell=bash
 
 # Update all providers which have specified provider source address
@@ -14,9 +14,9 @@ providers=$(
 )
 
 echo "Will update providers:"
-echo "$providers"
+echo "${providers}"
 
-for provider in $providers; do
-  echo "Updating $provider"
-  ./update-provider "$provider"
+for provider in ${providers}; do
+  echo "Updating ${provider}"
+  ./update-provider "${provider}"
 done
diff --git a/pkgs/applications/networking/cluster/terraform-providers/update-provider b/pkgs/applications/networking/cluster/terraform-providers/update-provider
index 03d92452ebc2..47206914f7a9 100755
--- a/pkgs/applications/networking/cluster/terraform-providers/update-provider
+++ b/pkgs/applications/networking/cluster/terraform-providers/update-provider
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -I nixpkgs=../../../../.. -i bash -p coreutils curl jq moreutils nix
+#! nix-shell -I nixpkgs=../../../../.. -i bash -p coreutils curl jq moreutils nix nix-prefetch
 # shellcheck shell=bash
 # vim: ft=sh
 #
@@ -7,6 +7,7 @@
 # provider source address.
 #
 set -euo pipefail
+shopt -s inherit_errexit
 
 show_usage() {
   cat <<DOC
@@ -57,36 +58,37 @@ while [[ $# -gt 0 ]]; do
     shift 2
     ;;
   *)
-    if [[ -n "$provider" ]]; then
-      echo "ERROR: provider name was passed two times: '$provider' and '$1'"
+    if [[ -n ${provider} ]]; then
+      echo "ERROR: provider name was passed two times: '${provider}' and '$1'"
       echo "Use --help for more info"
       exit 1
     fi
     provider=$1
     shift
+    ;;
   esac
 done
 
-if [[ -z "$provider" ]]; then
+if [[ -z ${provider} ]]; then
   echo "ERROR: No providers specified!"
   echo
   show_usage
   exit 1
 fi
 
-provider_name=$(basename "$provider")
+provider_name=$(basename "${provider}")
 
 # Usage: read_attr <key>
 read_attr() {
-  jq -r ".\"$provider_name\".\"$1\"" providers.json
+  jq -r ".\"${provider_name}\".\"$1\"" providers.json
 }
 
 # Usage: update_attr <key> <value>
 update_attr() {
-  if [[ "$2" == "null" ]]; then
-    jq -S ".\"$provider_name\".\"$1\" = null" providers.json | sponge providers.json
+  if [[ $2 == "null" ]]; then
+    jq -S ".\"${provider_name}\".\"$1\" = null" providers.json | sponge providers.json
   else
-    jq -S ".\"$provider_name\".\"$1\" = \"$2\"" providers.json | sponge providers.json
+    jq -S ".\"${provider_name}\".\"$1\" = \"$2\"" providers.json | sponge providers.json
   fi
 }
 
@@ -96,23 +98,23 @@ prefetch_github() {
   local owner=$1
   local repo=$2
   local rev=$3
-  nix-prefetch-url --unpack "https://github.com/$owner/$repo/archive/$rev.tar.gz"
+  nix-prefetch-url --unpack "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"
 }
 
 old_source_address="$(read_attr provider-source-address)"
 old_vendor_sha256=$(read_attr vendorSha256)
 old_version=$(read_attr version)
 
-if [[ $provider =~ ^[^/]+/[^/]+$ ]]; then
-  source_address=registry.terraform.io/$provider
+if [[ ${provider} =~ ^[^/]+/[^/]+$ ]]; then
+  source_address=registry.terraform.io/${provider}
 else
-  source_address=$old_source_address
+  source_address=${old_source_address}
 fi
-if [[ "$source_address" == "null" ]]; then
-  echo "Could not find the source address for provider: $provider"
+if [[ ${source_address} == "null" ]]; then
+  echo "Could not find the source address for provider: ${provider}"
   exit 1
 fi
-update_attr "provider-source-address" "$source_address"
+update_attr "provider-source-address" "${source_address}"
 
 # The provider source address (used inside Terraform `required_providers` block) is
 # used to compute the registry API endpoint
@@ -122,58 +124,43 @@ update_attr "provider-source-address" "$source_address"
 # registry.terraform.io/v1/providers/hashicorp/aws (provider URL for the JSON API)
 registry_response=$(curl -s https://"${source_address/\///v1/providers/}")
 
-version="$(jq -r '.version' <<< "$registry_response")"
-if [[ "$old_version" = "$version" && "$force" != 1 && -z "$vendorSha256" && "$old_vendor_sha256" != "$vendorSha256" ]]; then
-  echo "$provider_name is already at version $version"
+version="$(jq -r '.version' <<<"${registry_response}")"
+if [[ ${old_version} == "${version}" && ${force} != 1 && -z ${vendorSha256} && ${old_vendor_sha256} != "${vendorSha256}" ]]; then
+  echo "${provider_name} is already at version ${version}"
   exit
 fi
-update_attr version "$version"
+update_attr version "${version}"
 
-provider_source_url="$(jq -r '.source' <<< "$registry_response")"
+provider_source_url="$(jq -r '.source' <<<"${registry_response}")"
 
-org="$(echo "$provider_source_url" | cut -d '/' -f 4)"
-update_attr owner "$org"
-repo="$(echo "$provider_source_url" | cut -d '/' -f 5)"
-update_attr repo "$repo"
-rev="$(jq -r '.tag' <<< "$registry_response")"
-update_attr rev "$rev"
-sha256=$(prefetch_github "$org" "$repo" "$rev")
-update_attr sha256 "$sha256"
+org="$(echo "${provider_source_url}" | cut -d '/' -f 4)"
+update_attr owner "${org}"
+repo="$(echo "${provider_source_url}" | cut -d '/' -f 5)"
+update_attr repo "${repo}"
+rev="$(jq -r '.tag' <<<"${registry_response}")"
+update_attr rev "${rev}"
+sha256=$(prefetch_github "${org}" "${repo}" "${rev}")
+update_attr sha256 "${sha256}"
 
 repo_root=$(git rev-parse --show-toplevel)
 
-if [[ -z "$vendorSha256" ]]; then
-  if [[ "$old_vendor_sha256" == null ]]; then
+if [[ -z ${vendorSha256} ]]; then
+  if [[ ${old_vendor_sha256} == null ]]; then
     vendorSha256=null
-  elif [[ -n "$old_vendor_sha256" || "$vendor" = 1 ]]; then
+  elif [[ -n ${old_vendor_sha256} || ${vendor} == 1 ]]; then
     echo "=== Calculating vendorSha256 ==="
-    update_attr vendorSha256 "0000000000000000000000000000000000000000000000000000000000000000"
-    # Hackish way to find out the desired sha256. First build, then extract the
-    # error message from the logs.
-    set +e
-    nix-build --no-out-link "$repo_root" -A "terraform-providers.$provider_name.go-modules" 2>vendor_log.txt
-    set -e
-    logs=$(< vendor_log.txt)
-    if ! [[ $logs =~ got:\ +([^\ ]+) ]]; then
-      echo "ERROR: could not find new hash in output:"
-      cat vendor_log.txt
-      rm -f vendor_log.txt
-      exit 1
-    fi
-    rm -f vendor_log.txt
-    # trim the results in case it they have a sha256: prefix or contain more than one line
-    vendorSha256=$(echo "${BASH_REMATCH[1]#sha256:}" | head -n 1)
+    vendorSha256=$(nix-prefetch "{ sha256 }: (import ../../../../.. {}).terraform-providers.${provider_name}.go-modules.overrideAttrs (_: { vendorSha256 = sha256; })")
     # Deal with nix unstable
-    if [[ $vendorSha256 = sha256-* ]]; then
-      vendorSha256=$(nix --extra-experimental-features nix-command hash to-base32 "$vendorSha256")
+    if [[ ${vendorSha256} == sha256-* ]]; then
+      vendorSha256=$(nix --extra-experimental-features nix-command hash to-base32 "${vendorSha256}")
     fi
   fi
 fi
 
-if [[ -n "$vendorSha256" ]]; then
-  update_attr vendorSha256 "$vendorSha256"
+if [[ -n ${vendorSha256} ]]; then
+  update_attr vendorSha256 "${vendorSha256}"
 fi
 
 # Check that the provider builds
-echo "=== Building terraform-providers.$provider_name ==="
-nix-build "$repo_root" -A "terraform-providers.$provider_name"
+echo "=== Building terraform-providers.${provider_name} ==="
+nix-build --no-out-link "${repo_root}" -A "terraform-providers.${provider_name}"