Skip to content

Latest commit

 

History

History
99 lines (54 loc) · 5.48 KB

cln0bk635000709jxed7c9o5o.md

File metadata and controls

99 lines (54 loc) · 5.48 KB
Raw
title datePublished cuid slug ogImage tags
How Terraform state lock works?
Tue Sep 26 2023 12:54:16 GMT+0000 (Coordinated Universal Time)
cln0bk635000709jxed7c9o5o
how-terraform-state-lock-works
aws, dynamodb, terraform, state-management, s3-bucket

Hola!! 🙋🏻‍♂️

𝗧𝗼𝗽𝗶𝗰 — State Lock Mechanism ⚙️
𝗦𝗲𝗿𝗶𝗲𝘀 — “Do you know” 💡

Here we will not discuss the setup of state management in terraform. There are quite a few amazing blogs out there on this topic and here is a comprehensive one 👇

https://teamoptimizers.hashnode.dev/terraform-state-management

State Locking Mechanism with S3 and DynamoDb

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695727608891/5a7c9514-d582-4336-b4ed-82c361d5a675.png align="left")

Prerequisites -

What are — State Management, Remote Backend & State Locking?

In this blog, we will see how exactly state locking happens. What kind of data gets stored in DynamoDB?

To illustrate this process, consider the following scenario with two projects: “project-1” and “project-2.” Both projects have their Terraform configurations, including main.tf and variables.tf files with the same backend.

Execution Sequence:

  1. Project-1: We initiate terraform apply from "project-1," which includes making infrastructure changes.

  2. State Lock Acquired: While “project-1” is running, it acquires a state lock to ensure exclusive access to its state.

    ![](https://miro.medium.com/v2/resize:fit:1400/0*9rfMm2Cz1Sduq7w0.png align="left")

  3. When we run terraform apply, the first thing it does is start acquiring state lock. So that no other developer can make the changes at the same time.

    ![](https://miro.medium.com/v2/resize:fit:1400/0*5L5Eo5zbDQmdugr-.png align="left")

  4. We will stop here to intentionally create the situation in order to understand the process.

  5. Project-2: Meanwhile, we start a terraform plan in "project-2" for their own set of infrastructure modifications.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695670531450/c43d7a16-da82-4ffa-a7ba-ad2e3bd06a58.png align="center")

  6. Lock Request by Project-2: “Project-2” attempts to acquire a state lock but encounters an “Error acquiring the state lock” because it cannot proceed until the lock held by “project-1” is released.

  7. DynamoDB Table: Let’s see what actual data is getting stored in dynamoDB during the process.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695671023611/2a4435c0-f2df-413a-9170-8fed6ba5e71c.png align="center")

    The first item contains this

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695671145900/894e4fbe-ea5e-462b-b7f7-896ae867927c.png align="center")

    This LockID: Digest (key) contains a checksum or hash (as you can see the value above☝️) of the state file content. It ensures that only one Terraform instance can change the state at a time (to prevent conflicts and race conditions).

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695671529957/78c33d3a-9aa1-42d1-982a-36a1346ba098.png align="center")

  8. Project-1 Completion: Once “project-1” completes its apply operation, it releases the state lock, allowing “project-2” to proceed with its terraform plan and, subsequently, apply its changes.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695671868402/56f1f0c2-6ed1-4309-a739-835437caa758.png align="center")

    You will get this message at the end.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695671938178/2f8c1d34-2a82-4122-8f5c-28c45e39875a.png align="center")

    Now run terraform plan in project-2

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695672108199/c2e24699-f995-411a-994c-4e2727b35c1f.png align="center")

    First, as we know, it will acquire a state lock and as of now, there is no state lock in use so this will get locked. Then it will execute the command without getting any error and release the lock after the execution as you can see above.☝️

    Let’s check the dynamoDB table once again.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695672334242/df512b27-ff29-4bab-9beb-9aa30c3a0605.png align="center")

    As we can see, it will automatically delete the second item containing the locked state's metadata as there is no lock state in use. Only the hash value will be shown.

  9. S3 Bucket: This will contain the traditional terraform state .tfstate file. Developers can update this without conflicts and drifts using state locking.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1695672565055/599a17cf-d640-4a8d-b2cf-5d804a34b7c7.png align="center")

Bonus Tip: 💡

It is highly recommended that you enable Bucket Versioning while creating an S3 bucket to allow for state recovery in the case of accidental deletions and human error.

Thanks for reading our blog. Feel free to hit me up for any AWS/DevOps/Open Source-related discussions.

Manoj Kumar — LinkedIn.

Poonam Pawar — LinkedIn