Terraform: Error acquiring the state lock: ConditionalCheckFailedException
Terraform, Gitlab Ci
Terraform Problem Overview
I got the following error during a terraform plan which occurred in my pipeline:
Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
Lock Info:
ID: 9db590f1-b6fe-c5f2-2678-8804f089deba
Path: ...
Operation: OperationTypePlan
Who: ...
Version: 0.12.25
Created: 2020-05-29 12:52:25.690864752 +0000 UTC
Info:
Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
It is weird because I'm sure there is no other concurrent plan. Is there a way to deal with this? How should I remove this lock?
Terraform Solutions
Solution 1 - Terraform
Cause of Error
This error usually appears when one process fails running terraform plan or terraform apply. For example, if your network connection is interrupted or the process is terminated before finishing. Then Terraform "thinks" that this process is still working on the infrastructure and blocks other processes from working with the same infrastructure and state at the same time in order to avoid conflicts.
As stated in the error message, you should make sure that there is really no other process still running (e.g. from another developer or from some build-automation). If you force-unlock in such a situation you might screw up your terraform state, making it hard to recover.
Resolution
If there is no other process still running: run this command
terraform force-unlock 9db590f1-b6fe-c5f2-2678-8804f089deba
(where the numerical id should be replaced by the one mentioned in the error message)
If you are not sure if there is another process running and you are worried that you might make things worse, I would recommend waiting for some time (like 1h), try again, then try again after maybe 30 min. If the error still persists it is likely that there really is no other process and it's safe to unlock as described above.
Solution 2 - Terraform
It looks like the lock persists after the previous pipeline. I had to remove it using the following command in order to remove it:
terraform force-unlock -force 9db590f1-b6fe-c5f2-2678-8804f089deba
Or to relaunch the plan with the following option -lock=false
terraform plan -lock=false ...
Solution 3 - Terraform
Even I had the same issue and tried with different command
terraform force-unlock -force kill that particular process id and run again.
ps aux | grep terraform
and sudo kill -9 <process_id>
Solution 4 - Terraform
If terraform force-unlock
Solution 5 - Terraform
For anyone running into this issue when running Terraform against AWS, make sure you're running against the expected profile. I ran into this issue today and realised that I needed to switch my profile:
$ export AWS_PROFILE=another_one
Solution 6 - Terraform
GCP: In my case the issue is resolved after changing permission to "Storage Object Admin" in Google cloud storage.
Solution 7 - Terraform
It was an AWS CLI session issue with me. I relogged in by using the gimme-aws-creds command from the command prompt and then tried. It worked.
Solution 8 - Terraform
I've run through the same issue in AWS and our pipeline. We are transitioning to git-actions. Our terraform is using dynamodb as its lockstate persistence and s3 to hold the actual terraform statefile. When I looked at the lock state in the dynamodb, the md5 digest column is empty and the key did not indicate and
Note: Do not try this if you are not familiar with Terraform State File.
What I did is I cloned the said lockstate and renamed to
That's it for me.
Again, this may not work for everybody but this worked for me.
Solution 9 - Terraform
I got the state lock error because I was missing s3:DeleteObject and dynamodb:DeleteItem permissions.
I had get and put permissions, but not delete. So my CircleCI IAM user could check for locks and add locks, but couldn't remove locks when it was done updating state. (Maybe I had watched tutorials that used remote state but didn't use state locking.)
These steps fixed the issue:
- Run terraform force-unlock <error message lock ID> (I got this step from Falk Tandetzky and veben's answers)
- Allow "s3:DeleteObject" permission for the resource "arn:aws:s3:::mybucket/path/to/my/key"
- Allow "dynamodb:DeleteItem" permission for the resource "arn:aws:dynamodb:*:*:table/mytable"
All the permissions, with examples, are listed in the Terraform S3 backend documentation.
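The missing-delete situation from Solution 9 can be caught before a pipeline leaves a stale lock behind. The following is an added example, not part of any answer above: a small offline check of an IAM identity policy document against the get, put and delete actions that answer mentions. The function names, the sample policy, and the region and account id in the table ARN are constructed for illustration.

```python
import fnmatch

# Constructed check targets: the ARNs are the answer's examples; the region and
# account id in the table ARN are placeholders. The get/put/delete action set
# follows the answer and is an assumption, not the full backend permission list.
REQUIRED = {
    "arn:aws:s3:::mybucket/path/to/my/key":
        ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "arn:aws:dynamodb:eu-west-1:123456789012:table/mytable":
        ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
}

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards are * and ?, which fnmatch also understands.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise one matching Allow is required.
    Condition, NotAction and NotResource are not evaluated (simplification)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM, so compare lowercased.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if _matches(actions, action.lower()) and _matches(resources, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_permissions(policy, required=REQUIRED):
    """Return the required actions this identity policy does not grant."""
    return sorted(a for res, acts in required.items()
                  for a in acts if not is_allowed(policy, a, res))

# Constructed policy reproducing the answer's situation: get and put, no delete.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::mybucket/path/to/my/key"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:*:*:table/mytable"},
]}

if __name__ == "__main__":
    print(missing_permissions(BROKEN_POLICY))
```

Running it against the CI user's policy in a pre-merge job flags a role that can take the lock but cannot release it; bucket policies, permission boundaries and SCPs are outside what this check sees.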