
Delete terraform state lock

In the build pipeline, you will sometimes see errors like this:

Command: cd namespaces/live-1.cloud-platform.service.justice.gov.uk/jason-lab/resources; terraform apply -auto-approve failed.

Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
    status code: 400, request id: 8F9C5H04HLD0TVN4V0PQIRRMFBVV4KQNSO5AEMVJF66Q9ASUAAJG

If you see repeated failures trying to acquire the lock on the same namespace, it probably means the lock record has been left in place by mistake, because a previous run failed to release the lock when it should have.

To fix this, you need to delete the lock record.

Command-line method

Save this code as a script.

delete-state-lock.sh

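#!/bin/bash

set -euo pipefail

# Namespace whose lock records should be deleted (required first argument)
NAMESPACE=${1:?"usage: $0 <namespace>"}

PREFIX=cloud-platform-terraform-state/cloud-platform-environments

# Delete both the terraform.tfstate-md5 record and the terraform.tfstate record
for key in "${PREFIX}/live-1.cloud-platform.service.justice.gov.uk/${NAMESPACE}/terraform.tfstate-md5" "${PREFIX}/live-1.cloud-platform.service.justice.gov.uk/${NAMESPACE}/terraform.tfstate"; do
  json='{"LockID":{"S":"'${key}'"}}'

  # Quote the key so the JSON reaches the AWS CLI as a single argument
  aws dynamodb delete-item \
    --region eu-west-1 \
    --table-name cloud-platform-environments-terraform-lock \
    --key "$json"
done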

Invoke it like this:

./delete-state-lock.sh hmpps-book-video-link-prod
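
Before deleting a lock record, it is worth confirming that it is stale rather than held by a run still in progress. The script below is an added example, not part of the original page: its function names and sample record are made up, and it assumes the flat JSON layout that Terraform's S3 backend stores in the record's Info attribute, plus a date command that accepts -d.

```shell
#!/bin/bash
# Added example (not from the original page): judge whether a Terraform lock
# record is stale before deleting it. Function names are illustrative.
# Live input, using the table and key format from delete-state-lock.sh:
#   aws dynamodb get-item --region eu-west-1 \
#     --table-name cloud-platform-environments-terraform-lock \
#     --key "$json" --query 'Item.Info.S' --output text
set -eu

# Constructed sample of the Info attribute (assumed layout: the flat JSON that
# Terraform's S3 backend stores alongside LockID). All values are made up.
SAMPLE_INFO='{"ID":"00000000-0000-0000-0000-000000000000","Operation":"OperationTypeApply","Info":"","Who":"pipeline@runner-1","Version":"1.2.5","Created":"2023-11-20T10:15:30.123456789Z","Path":"example-bucket/example-ns/terraform.tfstate"}'

# Print one string field of the Info JSON; prints nothing if it is absent.
lock_field() {            # usage: lock_field <info-json> <field>
  printf '%s' "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Print the lock's age in seconds relative to <now-epoch>.
lock_age_seconds() {      # usage: lock_age_seconds <info-json> <now-epoch>
  local created stamp epoch
  created=$(lock_field "$1" Created)
  [ -n "$created" ] || return 2          # e.g. a record with no Info attribute
  stamp=${created%Z}                      # Created is UTC; drop the Z
  stamp=${stamp%%.*}                      # drop fractional seconds
  stamp=$(printf '%s' "$stamp" | tr 'T' ' ')
  epoch=$(date -u -d "$stamp" +%s) || return 3
  echo $(( $2 - epoch ))
}

# Print stale, active, or unknown (no parsable Created timestamp).
lock_verdict() {          # usage: lock_verdict <info-json> <now-epoch> <max-age-seconds>
  local age
  age=$(lock_age_seconds "$1" "$2") || { echo unknown; return 0; }
  if [ "$age" -ge "$3" ]; then echo stale; else echo active; fi
}

# Demo on the constructed sample with a one-hour threshold.
echo "held by:   $(lock_field "$SAMPLE_INFO" Who)"
echo "operation: $(lock_field "$SAMPLE_INFO" Operation)"
echo "verdict:   $(lock_verdict "$SAMPLE_INFO" "$(date -u +%s)" 3600)"
```

A verdict of unknown means the record carried no Created timestamp, so its age cannot be judged from the record alone.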

AWS Console method

  1. Go to the DynamoDB page of the AWS web console (NB: the relevant table is in the eu-west-1 region)
  2. Click on the cloud-platform-environments-terraform-lock table, and then the Items tab
  3. Click Add filter
  4. Enter LockID as the filter attribute, and change String, = to String, contains as the filter criteria
  5. Enter the namespace name as the string value to match, and click Start search

When you find the relevant lock records, delete them. Terraform will recreate any missing records the next time it tries to acquire the lock for that terraform state file.

Terraform command

To force unlock, you can run this terraform command using the LockID:

terraform force-unlock <LockID>

This page was last reviewed on 20 November 2023. It needs to be reviewed again on 20 May 2024 by the page owner #cloud-platform.