Terraform error acquiring the state lock - Исправление ошибок и поиск оптимальных решений проблем

I got the following error during a terraform plan which occured in my pipeline:

Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
Lock Info:
ID:        9db590f1-b6fe-c5f2-2678-8804f089deba
Path:      ...
Operation: OperationTypePlan
Who:       ...
Version:   0.12.25
Created:   2020-05-29 12:52:25.690864752 +0000 UTC
Info:      
Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.

It is weird because I’m sure there is no other concurrent plan.
Is there a way to deal with this? How should I remove this lock?

asked Jun 4, 2020 at 8:11

Cause of Error

This error usually appears when one process fails running terraform plan or terraform apply. For example if your network connection interrupts or the process is terminated before finishing. Then Terraform «thinks» that this process is still working on the infrastructure and blocks other processes from working with the same infrastructure and state at the same time in order to avoid conflicts.

As stated in the error message, you should make sure that there is really no other process still running (e.g. from another developer or from some build-automation). If you force-unlock in such a situation you might screw up your terraform state, making it hard to recover.

Resolution

If there is no other process still running: run this command

terraform force-unlock 9db590f1-b6fe-c5f2-2678-8804f089deba

(where the numerical id should be replace by the one mentioned in the error message)

if you are not sure if there is another process running and you are worried that you might make things worse, I would recommend waiting for some time (like 1h), try again, then try again after maybe 30 min. If the error still persists it is likely that there really is no other process and it’s safe to unlock as described above

answered Jun 8, 2020 at 8:48

Falk TandetzkyFalk Tandetzky

4,4262 gold badges14 silver badges26 bronze badges

It looks like the lock persist after the previous pipeline. I had to remove it using the following command in order to remove it:

terraform force-unlock -force 9db590f1-b6fe-c5f2-2678-8804f089deba

Or to relaunch the plan with the following option -lock=false

terraform plan -lock=false ...

answered Jun 4, 2020 at 8:24

vebenveben

17.8k14 gold badges62 silver badges78 bronze badges

Even I had the same issue and tried with different command
terraform force-unlock -force and terraform force-unlock <process_id> but didn’t worked for me. a quick workaround for the problem is kill that particular process id and run again.

ps aux | grep terraform and sudo kill -9 <process_id>

Dharman♦

29.3k21 gold badges80 silver badges131 bronze badges

answered Jul 8, 2021 at 0:51

I ran into the same issue when i was using terraform with S3 and dynamodb backend

Reason : i forcefully terminate apply process that actually prevents me to aquire the lock again

Solution : when it gets fail it return an ID with the ID we can unlock forcefully

terraform force-unlock -force 6638e010-8fb0-46cf-966d-21e806602f3a

answered Sep 8, 2022 at 9:58

If terraform force-unlock is giving below error:
«Local state cannot be unlocked by another process»
then
open the running process and kill the process to remove the lock.
for Windows: open task manager and search for terraform console process
For Linux: grep for terraform process and kill the terraform console process using kill -9

answered Jan 25, 2021 at 20:01

For anyone running into this issue when running Terraform against AWS, make sure you’re running against the expected profile. I ran into this issue today and realised that I needed to switch my profile:

$ export AWS_PROFILE=another_one

answered Jun 3, 2021 at 12:15

RobRob

96111 silver badges27 bronze badges

I got the state lock error because I was missing s3:DeleteObject and dynamodb:DeleteItem permissions.

I had get and put permissions, but not delete. So my CircleCI IAM user could check for locks and add locks, but couldn’t remove locks when it was done updating state. (Maybe I had watched tutorials that used remote state but didn’t use state locking.)

These steps fixed the issue:

Run terraform force-unlock <error message lock ID> (I got this step from Falk Tandetzky and veben‘s answers)
Allow "s3:DeleteObject" permission for the resource "arn:aws:s3:::mybucket/path/to/my/key"
Allow "dynamodb:DeleteItem" permission for the resource "arn:aws:dynamodb:*:*:table/mytable"

All the permissions, with examples, are listed in the Terraform S3 backend documentation:

https://www.terraform.io/language/settings/backends/s3

answered Mar 1, 2022 at 2:15

GCP: In my case the issue is resolved after changing permission to «Storage Object Admin» in Google cloud storage.

answered Jul 3, 2021 at 12:23

It was AWS CLI session issue with me, I relogged in by using gimme-aws-creds command from command prompt and then tried. It worked.

m4n0

28.7k26 gold badges74 silver badges89 bronze badges

answered Aug 17, 2021 at 8:55

I’ve run through the same issue in AWS and our pipele. We are transitioning to git-actions. Our terraform is using dynamodb as its lockstate persistence and s3 to hold the actual terraform statefile. When I looked at the lock state in the dynamodb, the md5 digest column is empty and the key did not indicate and -md5, just a normal .

Note: Do not try this if you are not familiar with Terraform State File.

What I did is I cloned the said lockstate and renamed to -md5. Look at my s3 statefile for the hashkey and copy it over to the digest column in dynamo table. Rename the old lockstate to a different key so that it wont be searched up.

That’s it for me.

Again, this may not work for everybody but this worked for me.

answered Jan 13, 2022 at 1:19

RodelRodel

1276 bronze badges

When using the -lock=false on any cloud provider should be done with caution. As using it means you’re removing the safeguard put in place to prevent conflict especially if you’re working in a team.

The usual cause of state lock errors is either a or some terraform processes that are currently ongoing. For example, the terraform console is currently active and a plan or apply is being executed at the same time.

Try listing the terraform processes currently active and kill them

answered Nov 9, 2022 at 4:34

Источник

If you have been handed the Acquiring state lock error message about ConditionalCheckFailedException: The conditional request then you have 2 options for fixing it!

The error looks something like this:

Acquiring state lock. This may take a few moments...
╷
│ Error: Error acquiring the state lock
│ 
│ Error message: ConditionalCheckFailedException: The conditional request
│ failed
│ Lock Info:
│   ID:        3324a6cb-7401-3194-d650-fxxxxxx3864
│   Path:      xxxx-terraformstate-nonprod/env:/xxxx/terraform.tfstate
│   Operation: OperationTypeApply
│   Who:       [email protected]
│   Version:   1.0.4
│   Created:   2021-11-29 21:00:37.652114035 +0000 UTC
│   Info:
│ 
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.

There are 3 possible ways to fix this

In short, you want to delete the lock associated. This is achieved by forcing an unlock.

Option 1: Force Unlock – Recommended

You can force unlock the state using the following:

terraform force-unlock -force 3324a6cb-7401-3194-d650-fxxxxxx3864

Option 2: Relaunch the Plan

You can run the plan again with a -lock=false as following:

terraform plan -lock=false ...

Option 3: Make sure you use the right profile!

Sometimes everything seems correct, but it turns out you are using a different profile!

AWS_PROFILE=some_other_profile

Force Unlock still not working?

Sometimes you can get another error when trying to force unlock this:
Failed to unlock state: failed to retrieve lock info: unexpected end of JSON input

This usually means that you are in the wrong workspace.

View all workspaces available: terraform workspace list

Switch to a workspace: terraform workspace select <>

Now you can try and force unlock again.

If you were successful, then you will get the following message:

Terraform state has been successfully unlocked!

The state has been unlocked, and Terraform commands should now be able to
obtain a new lock on the remote state.

Источник

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave «+1» or «me too» comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Affected Resource(s)

Terraform v0.11.7

provider.aws v1.19.0
provider.random v0.1.0
provider.template v0.1.1

aws_XXXXX

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

/*
terraform
*/

terraform {
required_version = «>= 0.11.7»

backend «s3» {
bucket = «terraform-state-non-prd»
key = «nonprd/com/api.tfstate»
region = «us-east-1»
encrypt = «true»
acl = «bucket-owner-full-control»
dynamodb_table = «terraform-state-lock-non-prd»
}
}

/*
provider aws
*/

provider «aws» {
version = «~>1.19.0»
region = «${var.aws_region}»
}

/*
provider random
*/
provider «random» {
version = «~>0.1.0»
}

/*
provider template
*/
provider «template» {
version = «~>0.1.1»
}

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Initializing the backend…
Backend configuration changed!

Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.

Acquiring state lock. This may take a few moments…
Error locking source state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
status code: 400, request id: 038OGQSKTQS56R8UUREQ1H1RTBVV4KQNSO5AEMVJF6
6Q9ASUAAJG
Lock Info:
ID: 12103daf-700f-da6d-b772-8daecd96eefc
Path: terraform-state-non-prd/nonprd/com/api.tfstate
Operation: OperationTypePlan
Who: COMPANYuser_id
Version: 0.11.7
Created: 2018-05-23 18:26:41.9308391 +0000 UTC
Info:

Terraform acquires a state lock to protect the state from being written by multiple users at the same time. Please resolve the issue above and try again. For most commands, you can disable locking with the «-lock=false» flag, but this is not recommended.

//aws dynamodb table

Item{2}

InfoString: {«ID»:»df9e88a3-3c6e-61f6-5aac-aca87bbc2601″,»Operation»:»OperationTypePlan»,»Info»:»»,»Who»:»COMPANY\user@id»,»Version»:»0.11.7″,»Created»:»2018-05-23T16:29:20.0607225Z»,»Path»:»terraform-state-non-prd/nonprd/com/api.tfstate»}

LockIDString: terraform-state-non-prd/nonprd/com/out.tfstate

Steps to Reproduce

terraform apply
terraform init
terraform plan

Important Factoids

References

#0000

Источник