How to Lock Terraform State with S3 bucket in DynamoDB.

This lab will show you how to lock your Terraform state file in DynamoDB.

What is state and why is it important in Terraform?

Remote State:

“With remote state, Terraform writes the state data to a remote data store, which can then be shared between all members of a team.”

State Lock:

“State locking happens automatically on all operations that could write state. You won’t see any message that it is happening. If state locking fails, Terraform will not continue. You can disable state locking for most commands with the -lock flag but it is not recommended.”

NOTE: This lab assumes you have already downloaded Terraform and have an AWS account. If not, here are a couple of links to do so.

Terraform:
https://www.terraform.io/downloads.html

AWS:
https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/

Step 1:

The mkdir command creates a new working directory for Terraform.

Step 2:

The touch command creates new files in your working directory.

Step 3: Creating our S3 in Terraform.

Copy and paste this Terraform configuration into your source code editor. However, you will need to choose a different name for your bucket!

provider "aws" {
  shared_credentials_file = "~/.aws/credentials"
  region                  = "us-east-1"
}

resource "aws_s3_bucket" "tf_course" {
  bucket = "hella-buckets"
  acl    = "private"
}

Verify that your bucket has been created in your AWS S3 console.

Step 4: Setting up our S3 Backend.

Copy and paste this configuration in your source code editor in your backend.tf file.

terraform {
  backend "s3" {
    encrypt        = true
    bucket         = "hella-buckets"
    dynamodb_table = "terraform-state-lock-dynamo"
    key            = "terraform.tfstate"
    region         = "us-east-1"
  }
}

Step 5: Creating our DynamoDB Table.

Copy and paste this configuration in your source code editor in your dynamo.tf file.

resource "aws_dynamodb_table" "dynamodb-terraform-state-lock" {
  name           = "terraform-state-lock-dynamo"
  hash_key       = "LockID"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "LockID"
    type = "S"
  }
}

What is DynamoDB?

Step 6: Let’s put it all together now.

Step 7: Problem Solving State Lock Error.

“If supported by your backend, Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state.

State locking happens automatically on all operations that could write state. You won’t see any message that it is happening. If state locking fails, Terraform will not continue.”

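Use the following command to move forward with your apply. It turns state locking off for this run, which the Terraform documentation quoted at the top of this lab does not recommend.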

terraform apply -lock=false

Step 8: Verifying and Testing our state lock with DynamoDB.

Check your DynamoDB table.

Also, notice that under Items in DynamoDB there is now an entry for the .tfstate file with a lock string. This locks the .tfstate file so that only one user at a time can work with it.

The final test is trying to destroy our Terraform files. If there is a state lock, terraform destroy will not be able to run without access to the state lock. I mean, it's kind of the whole point of the project, right?

terraform destroy
You should receive this message when trying to destroy.
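
A simplified model of the locking behaviour from Steps 7 and 8, added here as an example and not taken from the original lab or from Terraform's own code: an in-memory dictionary stands in for the DynamoDB table, and the `LockTable` class, the user names and the `bucket/key` form of the lock ID are assumptions. It shows a second operation being refused while the lock item exists, and the same operation silently losing a write when it runs with locking turned off.

```python
class StateLockError(Exception):
    """Raised when the lock item already exists."""


class LockTable:
    """In-memory stand-in for the DynamoDB lock table (constructed model)."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, lock_id, info):
        # Models a conditional write: succeed only if no item has this LockID.
        if lock_id in self.items:
            raise StateLockError(f"state locked by {self.items[lock_id]['Who']}")
        self.items[lock_id] = info


def run_operation(table, state, who, change, lock=True, during=None):
    """Read state, apply `change`, write back. `during` runs mid-operation."""
    lock_id = "hella-buckets/terraform.tfstate"  # assumed form: bucket/key
    if lock:
        table.put_if_absent(lock_id, {"Who": who})
    try:
        snapshot = dict(state)       # read the current state
        if during:
            during()                 # a second user starts here
        snapshot.update(change)      # apply this user's change
        state.clear()
        state.update(snapshot)       # write the result back
    finally:
        if lock:
            table.items.pop(lock_id, None)  # release the lock


def demo():
    table, state, seen = LockTable(), {}, {}

    def bob(lock):
        try:
            run_operation(table, state, "bob", {"table": "v1"}, lock=lock)
        except StateLockError as err:
            seen["error"] = str(err)

    run_operation(table, state, "alice", {"bucket": "v1"}, during=lambda: bob(True))
    seen["locked"] = dict(state)      # bob was refused, alice's write is intact
    run_operation(table, state, "alice", {"bucket": "v2"}, during=lambda: bob(False))
    seen["lock_false"] = dict(state)  # bob's write was silently overwritten
    return seen
```

Calling `demo()` returns the error the locked run produced and the state after each scenario; in the unlocked scenario the `table` entry written by the second user is missing from the final state.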
