Terraform: Error acquiring the state lock: ConditionalCheckFailedException

I got the following error during a terraform plan which occured in my pipeline:

Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
Lock Info:
ID:        9db590f1-b6fe-c5f2-2678-8804f089deba
Path:      ...
Operation: OperationTypePlan
Who:       ...
Version:   0.12.25
Created:   2020-05-29 12:52:25.690864752 +0000 UTC
Info:      
Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.

It is weird because I'm sure there is no other concurrent plan. Is there a way to deal with this? How should I remove this lock?

Cause of Error

This error usually appears when one process fails running terraform plan or terraform apply. For example if your network connection interrupts or the process is terminated before finishing. Then Terraform "thinks" that this process is still working on the infrastructure and blocks other processes from working with the same infrastructure and state at the same time in order to avoid conflicts.

As stated in the error message, you should make sure that there is really no other process still running (e.g. from another developer or from some build-automation). If you force-unlock in such a situation you might screw up your terraform state, making it hard to recover.

Resolution

If there is no other process still running: run this command

terraform force-unlock 9db590f1-b6fe-c5f2-2678-8804f089deba

(where the numerical id should be replace by the one mentioned in the error message)

if you are not sure if there is another process running and you are worried that you might make things worse, I would recommend waiting for some time (like 1h), try again, then try again after maybe 30 min. If the error still persists it is likely that there really is no other process and it's safe to unlock as described above

It looks like the lock persist after the previous pipeline. I had to remove it using the following command in order to remove it:

terraform force-unlock -force 9db590f1-b6fe-c5f2-2678-8804f089deba

Or to relaunch the plan with the following option -lock=false

terraform plan -lock=false ...

Even I had the same issue and tried with different command terraform force-unlock -force and terraform force-unlock but didn't worked for me. a quick workaround for the problem is kill that particular process id and run again.

ps aux | grep terraform and sudo kill -9 <process_id>

If terraform force-unlock is giving below error: "Local state cannot be unlocked by another process" then open the running process and kill the process to remove the lock. for Windows: open task manager and search for terraform console process For Linux: grep for terraform process and kill the terraform console process using kill -9

For anyone running into this issue when running Terraform against AWS, make sure you're running against the expected profile. I ran into this issue today and realised that I needed to switch my profile:

$ export AWS_PROFILE=another_one

GCP: In my case the issue is resolved after changing permission to "Storage Object Admin" in Google cloud storage.

It was AWS CLI session issue with me, I relogged in by using gimme-aws-creds command from command prompt and then tried. It worked.

I've run through the same issue in AWS and our pipele. We are transitioning to git-actions. Our terraform is using dynamodb as its lockstate persistence and s3 to hold the actual terraform statefile. When I looked at the lock state in the dynamodb, the md5 digest column is empty and the key did not indicate and -md5, just a normal .

Note: Do not try this if you are not familiar with Terraform State File.

What I did is I cloned the said lockstate and renamed to -md5. Look at my s3 statefile for the hashkey and copy it over to the digest column in dynamo table. Rename the old lockstate to a different key so that it wont be searched up.

That's it for me.

Again, this may not work for everybody but this worked for me.

I got the state lock error because I was missing s3:DeleteObject and dynamodb:DeleteItem permissions.

I had get and put permissions, but not delete. So my CircleCI IAM user could check for locks and add locks, but couldn't remove locks when it was done updating state. (Maybe I had watched tutorials that used remote state but didn't use state locking.)

These steps fixed the issue:

1. Run terraform force-unlock <error message lock ID> (I got this step from Falk Tandetzky and veben's answers)
2. Allow "s3:DeleteObject" permission for the resource "arn:aws:s3:::mybucket/path/to/my/key"
3. Allow "dynamodb:DeleteItem" permission for the resource "arn:aws:dynamodb:*:*:table/mytable"

All the permissions, with examples, are listed in the Terraform S3 backend documentation:

https://www.terraform.io/language/settings/backends/s3