Logo

dev-resources.site

for different kinds of informations.

Switching to the Terraform S3 Backend with Native State File Locks

Published at
1/8/2025
Categories
aws
terraform
s3
Author
mbacchi
Categories
3 categories in total
aws
open
terraform
open
s3
open
Author
7 person written this
mbacchi
open
Switching to the Terraform S3 Backend with Native State File Locks

Terraform is a flexible, cloud agnostic infrastructure as code (IaC) tool. As it constructs infrastructure resources, it builds a ledger used to track resources that have successfully been created as well as additional metadata (such as id.) Terraform stores this state in a binary formatted file with the extension .tfstate.

What is the Terraform S3 Backend

The Terraform state file described above by default is stored in the same directory as the Terraform infrastructure definition files you wrote. But with this state on your local computer it is vulnerable to being lost or overwritten, and it cannot be shared with or managed by other team members. Using a distributed storage mechanism to store this state file is straightforward with Terraform, and they provide many backend options. For AWS users, the Terraform S3 Backend allows storing this state file in AWS S3.

What is State File Locking

So now we know this state file is stored in distributed object storage (AWS S3,) and more than one user can manage resources within it. But to safely manage this state file, we require a locking mechanism (often called a mutex in computing) that disallows multiple users from attempting to write to it at once. We would have a mess if we allowed more than one user to write to it at the same time, potentially losing the resources that were created and intended to be stored in this state file.

Terraform state locking capability has been available for the S3 backend for quite some time. But unfortunately it has required an additional DynamoDB table to be created that tracked the state file locking status.

Until now.

This DynamoDB table is an extra resource that seemed tangential to the Terraform state backend process and complicated the process of configuring your backend. That requirement has been rendered obsolete with a recent feature that was added to AWS S3, conditional writes.

AWS S3 Conditional Writes

In August, AWS announced the addition of the S3 Conditional Writes feature. This feature of AWS S3 compels S3 clients to check for the existence of an object before writing it, and if it already exists to fail. If the file exists the S3 client returns a 412 Precondition Failed error response.

S3 Conditional Write Support Added in Terraform v1.10

Support for S3 Conditional Writes was added to Terraform release v1.10. (If you want to see some great background and architecture detail from the developer Bruno Schaatsbergen about the implementation look here.)

Thankfully this is completely transparent to the Terraform user (unless it returns an error attempting to lock the state file.)

Configuring the S3 Backend to Use Native State File Locking

The Terraform documentation describes the new configuration parameter use_lockfile to enable S3 state locking. It also currently describes the old DynamoDB method as still available. (It's common for software to support both an old and new related feature for some time until all users can migrate to the new methodology.)

This means you can actually use both locking mechanisms at the same time. But this is both unnecessary overkill, and could lead to confusion and problems. I would recommend that you replace your old DynamoDB locking configuration with S3 state locking immediately. It will be cheaper (without having to pay for an extra DynamoDB table or reads/writes to that table,) and less error prone.

Here's how to change your Terraform backend configuration.

Terraform Configuration Specifics

The old DynamoDB method used a configuration parameter named dynamodb_table.

The new S3 state locking method uses a configuration parameter named use_lockfile.

Both are covered in the current Terraform documentation.

Version Constraints

We also recommend that when you switch to the S3 native state locking method, you set the Terraform configuration parameter required_version to the minimum version that supports S3 native state file locking. If you have users with an earlier version of Terraform, they won't be able to use this feature and will see errors if the use_lockfile parameter is enabled. Setting the required_version to v1.10 at a minumum makes your configuration more resilient and doesn't let someone attempt to create or update resources using an older Terraform version. Think of it as a prerequisite.

This Terraform version constraints configuration is documented here, and looks like this:

  required_version = "~> 1.10"
Enter fullscreen mode Exit fullscreen mode

Sample Configuration

With all this background information about the configuration parameters, here's a sample Terraform configuration with both the old and new parameters present:

provider "aws" {
  region = "us-west-2"
}

terraform {
  backend "s3" {
    encrypt        = true
    bucket         = "tfstate-lock-test-0bhfxn8x1"
    region         = "us-west-2"
    key            = "example/terraform-state-lock-test.tfstate"
    dynamodb_table = "tfstate-lock-test"
    use_lockfile   = true
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.82.2"
    }

  # This sets the version constraint to a minimum of 1.10 for native state file locking support
  required_version = "~> 1.10"
}

Enter fullscreen mode Exit fullscreen mode

In order to switch away from using the old DynamoDB locking method, remove that dynamodb_table configuration parameter.

State File Locking in Action

We now know how to configure Terraform S3 native state file locking, but how does it perform and what will we see if you cannot get the mutex to lock the file?

I've tested both methods and will show you the output from each when state file locking fails.

Error from DynamoDB State File Locking

The old DyamoDB state file locking method would return an error such as the below:

$ terraform apply plan.out 
Acquiring state lock. This may take a few moments...
ā•·
ā”‚ Error: Error acquiring the state lock
ā”‚ 
ā”‚ Error message: operation error DynamoDB: PutItem, https response error StatusCode: 400, RequestID: CP9U4IRC04OBONKIQHM4LUOLLJVV4KQNSO5AEMVJF66Q9ASUAAJG, ConditionalCheckFailedException: The conditional request failed
ā”‚ Lock Info:
ā”‚   ID:        39f64263-4ad8-a563-faf7-f28f8a042a00
ā”‚   Path:      tfstate-lock-test-0bhfxn8x1/example/terraform-state-lock-test.tfstate
ā”‚   Operation: OperationTypeApply
ā”‚   Who:       user@hostname
ā”‚   Version:   1.10.3
ā”‚   Created:   2025-01-08 03:38:13.121564614 +0000 UTC
ā”‚   Info:      
ā”‚ 
ā”‚ 
ā”‚ Terraform acquires a state lock to protect the state from being written
ā”‚ by multiple users at the same time. Please resolve the issue above and try
ā”‚ again. For most commands, you can disable locking with the "-lock=false"
ā”‚ flag, but this is not recommended.

Enter fullscreen mode Exit fullscreen mode

Error from S3 Backend Native State File Locking

The new S3 backend native state file locking method will return an error that looks like this:

$ terraform apply plan2.out
ā•·
ā”‚ Error: Error acquiring the state lock
ā”‚ 
ā”‚ Error message: operation error S3: PutObject, https response error StatusCode: 412, RequestID: N0BGGAFN8V1N2WCQ, HostID: 4G32Xus/86u8CehvNbvzv8NoqiyTvsBWGYBXYK6E8Vn0E4+wom+6Jm6WFVUFSaCE7C1TBP5Vauo=, api error PreconditionFailed: At least one of the pre-conditions you specified did not hold
ā”‚ Lock Info:
ā”‚   ID:        837482e8-441e-9ff6-d30b-333ee83d8fc4
ā”‚   Path:      tfstate-lock-test-0bhfxn8x1/example/terraform-state-lock-test.tfstate
ā”‚   Operation: OperationTypeApply
ā”‚   Who:       user@hostname
ā”‚   Version:   1.10.3
ā”‚   Created:   2025-01-08 03:43:11.691479913 +0000 UTC
ā”‚   Info:      
ā”‚ 
ā”‚ 
ā”‚ Terraform acquires a state lock to protect the state from being written
ā”‚ by multiple users at the same time. Please resolve the issue above and try
ā”‚ again. For most commands, you can disable locking with the "-lock=false"
ā”‚ flag, but this is not recommended.
Enter fullscreen mode Exit fullscreen mode

Dealing with Stale State File Locks

NOTE: After publishing this blog, I was asked whether the terraform force-unlock command still worked. I tested this and can say it does perform as expected with the old S3 DynamoDB state file locking mechanism. Here's an example session showing this:

$ terraform apply plan2.out
ā•·
ā”‚ Error: Error acquiring the state lock
ā”‚ 
ā”‚ Error message: operation error S3: PutObject, https response error StatusCode: 412, RequestID: NGQM2VGSTSDWPCZF, HostID: dzPZArnTy31oVeuVLI8Dm61HXnuL6M3R2tlWFe2suztP0zkh4Bwv/eJFBLqVfitAI40I5BvIeds=, api error PreconditionFailed: At least one of the pre-conditions you specified did not hold
ā”‚ Lock Info:
ā”‚   ID:        bde40e3b-2bfb-f577-fea5-44923c9d5275
ā”‚   Path:      tfstate-lock-test-0bhfxn8x1/example/terraform-state-lock-test.tfstate
ā”‚   Operation: OperationTypeApply
ā”‚   Who:       user@hostname
ā”‚   Version:   1.10.3
ā”‚   Created:   2025-01-08 16:55:35.808464751 +0000 UTC
ā”‚   Info:      
ā”‚ 
ā”‚ 
ā”‚ Terraform acquires a state lock to protect the state from being written
ā”‚ by multiple users at the same time. Please resolve the issue above and try
ā”‚ again. For most commands, you can disable locking with the "-lock=false"
ā”‚ flag, but this is not recommended.
ā•µ
Enter fullscreen mode Exit fullscreen mode

You can remove the lock, but only do this if you know the lock is stale. To do this, first note the lock ID above, then run the force-unlock command:

$ terraform force-unlock bde40e3b-2bfb-f577-fea5-44923c9d5275
Do you really want to force-unlock?
  Terraform will remove the lock on the remote state.
  This will allow local Terraform commands to modify this state, even though it
  may still be in use. Only 'yes' will be accepted to confirm.

  Enter a value: yes

Terraform state has been successfully unlocked!

The state has been unlocked, and Terraform commands should now be able to
obtain a new lock on the remote state.
Enter fullscreen mode Exit fullscreen mode

Delete Your Old DynamoDB Tables

Now that you've switched from using the old Terraform DynamoDB locking to the new S3 native state file locking, you can remove the old DynamoDB table used to track these locks!

Yay, one less resource to manage and be charged by AWS for.

Summary

Hopefully you see the advantage of using the new Terraform S3 backend native state file locking mechanism, and how to configure it for your environment.

Happy Terraforming!

s3 Article's
30 articles in total
Favicon
Building a Weather Data Collection System with AWS S3 and OpenWeather API
Favicon
Comprehensive Guide to Installing AWS CLI, Configuring It, and Downloading S3 Buckets Locally
Favicon
Stream de Arquivo PDF ou Imagem S3 - AWS
Favicon
Efficiently Deleting Millions of Objects in Amazon S3 Using Lifecycle Policy
Favicon
Uploading Files to Amazon S3 in ASP.NET Core with Razor Pages
Favicon
AWS S3 Presigned URLs: Secure and Temporary File Access Made Simple
Favicon
How to implement File uploads in Nodejs: A step by step guide
Favicon
Lee esto antes de implementar S3 y CloudFront usando Terraform.
Favicon
Lee esto antes de implementar S3 y CloudFront usando Terraform.
Favicon
šŸš€ 1. Efficient Video Uploads to AWS S3 with React
Favicon
Full Stack Application Hosting in AWS
Favicon
Building an S3 Static Website with CloudFront Using Terraform
Favicon
Configure IRSA using EKS to access S3 from a POD in terraform
Favicon
Setting up IAM Anywhere using terraform
Favicon
AWS S3 System Design Concepts
Favicon
Creating an S3 Bucket in AWS and generate a pre - signed URL
Favicon
Switching to the Terraform S3 Backend with Native State File Locks
Favicon
Around the World in 15 Buckets
Favicon
My (non-AI) AWS re:Invent 24 picks
Favicon
How to Simulate AWS S3 on Your Local Machine with LocalStack
Favicon
Building Websites with Cursor and AWS.
Favicon
Configuring AWS WAF, CloudFront, and S3 Bucket for Secure Access
Favicon
Buckets? No, S3 buckets
Favicon
Download Video from s3 with Cloudfront, nodejs and react
Favicon
AWS Quick Guide - Amazon S3
Favicon
Fastest and Cheapest Ways to Delete Millions of Files from Amazon S3
Favicon
Using MinIO Server for Local Development: A Smarter Alternative to S3
Favicon
AWS CloudFront vs S3 Cross-Region Replication
Favicon
Comparison of S3 upload feature between Documenso and aws-s3-image-upload example
Favicon
Securing Your AWS EC2 and S3 Communication: Best Practices for Enhanced Security

Featured ones: