Locking of the Terraform state with native S3 locking | By Dhruvin Soni | April 2025


Terraform state locking

State management is one of the most critical aspects of using Terraform effectively in production environments. When several team members or CI/CD pipelines try to modify the infrastructure simultaneously, state files can become corrupted without appropriate locking mechanisms. Traditionally, AWS users have implemented state locking using a combination of an S3 bucket for state storage and a DynamoDB table for locking. However, AWS has introduced native S3 locking capabilities, eliminating the need for a separate DynamoDB table.

This article explores how to implement native S3 locking in Terraform for AWS environments, its advantages, and some important considerations.

Before diving into the implementation, let's briefly examine why state locking is essential:

  1. Prevents simultaneous changes: Guarantees that only one operation can modify the state at a time
  2. Prevents corruption of state files: Avoids inconsistent or corrupt state files
  3. Maintains the integrity of infrastructure: Prevents race conditions that could leave the infrastructure in an unexpected state

Prerequisites

  • AWS account with appropriate permissions
  • Terraform CLI installed (version 1.6.0 or later recommended)
  • Basic understanding of Terraform and AWS S3

Configuration steps

  1. First, create an S3 bucket to store your Terraform state, then enable versioning on it.

    $ BUCKET_NAME="<your bucket name>"
    $ REGION="us-east-1"

    $ aws s3api create-bucket \
        --bucket "$BUCKET_NAME" \
        --region "$REGION"

    $ aws s3api put-bucket-versioning \
        --bucket "$BUCKET_NAME" \
        --versioning-configuration Status=Enabled

  2. Configure your Terraform backend to use S3 with native locking:

  • Create a new backend.tf file (or add this block to an existing .tf file). Make sure to fill in the name of the bucket!
  • Below, we use the use_lockfile parameter, an experimental feature that enables locking through a lock file in the S3 bucket.

    terraform {
      backend "s3" {
        bucket       = "<bucket name>"            # name of the state bucket created in step 1
        key          = "backend/terraform.tfstate"
        region       = "us-east-1"
        use_lockfile = true                       # lock through a lock file in the bucket
      }
    }

Advantages

  1. Simplified infrastructure: No need to provision and maintain a separate DynamoDB table
  2. Cost reduction: Eliminates DynamoDB usage costs
  3. Fewer resources to manage: Reduces the number of AWS resources needed to manage the Terraform state
  4. Simplified permissions: IAM policies only need to grant access to S3, not to DynamoDB

Best practices

  1. Enable bucket versioning: Always enable versioning on your S3 bucket to maintain a history of state files
  2. Enable encryption: Configure server-side encryption for your state files
  3. Configure appropriate IAM permissions: Restrict access to your state bucket to authorized users and services only
  4. Configure lifecycle policies: Implement lifecycle policies to manage old versions of state files
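
The IAM points in the two lists above (S3-only permissions, access restricted to authorized users and services), as an added example that is not from the original article: a shell function that prints a least-privilege policy for the backend configured earlier. It assumes Terraform keeps its lock in an object named <key>.tflock beside the state file; the function name tf_state_policy is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Assumption: with use_lockfile = true,
# Terraform writes its lock to "<key>.tflock" next to the state object.

# tf_state_policy BUCKET KEY  (hypothetical helper)
# Prints an IAM policy that grants only what the S3 backend needs.
tf_state_policy() {
    bucket=$1
    key=$2
    [ -n "$bucket" ] && [ -n "$key" ] || { echo "usage: tf_state_policy BUCKET KEY" >&2; return 1; }
    # Refuse wildcards, quotes, backslashes and spaces: they would widen the
    # resource ARN or break the JSON.
    case "$bucket/$key" in
        *'"'*|*'\'*|*'*'*|*'?'*|*' '*) echo "invalid bucket or key" >&2; return 1 ;;
    esac
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListStateBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ReadWriteState",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket}/${key}"
    },
    {
      "Sid": "ManageLockFile",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/${key}.tflock"
    }
  ]
}
EOF
}

# Print the policy when run as: sh policy.sh <bucket> <key>
if [ "$#" -eq 2 ]; then
    tf_state_policy "$1" "$2"
fi
```

s3:DeleteObject is granted only on the lock object, because releasing a lock removes that file while the state object itself is only read and overwritten. No DynamoDB action appears anywhere in the policy.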

Native S3 locking in Terraform for AWS provides a streamlined approach to state locking without the complexity of managing a separate DynamoDB table. By following the configuration steps and the best practices described in this article, you can implement a robust state locking mechanism that ensures the integrity of your infrastructure while simplifying your AWS resources.

As AWS continues to evolve its services, adopting these native capabilities can help reduce complexity and operational overhead in your Terraform workflows.
