Unlocking State Locks
Overview
Occasionally, OpenTofu/Terraform state locks may remain in place if the process holding the lock does not release it properly. This can occur due to unexpected failures, such as crashes or premature termination of jobs.
When this occurs, jobs will fail after a timeout with Error: Error acquiring the state lock, and will not succeed until the lock is manually removed.
You might have a default lock timeout in your root.hcl file that looks like this:
terraform {
extra_arguments "retry_lock" {
commands = get_terraform_commands_that_need_locking()
arguments = ["-lock-timeout=10m"]
}
}
Unlocking Unit State
When a unit lock is held, the lock can be manually removed with the unlock unit workflow. This is a convenience workflow for running the OpenTofu/Terraform force-unlock command. The workflow requires the following inputs:
Lock ID
The Lock ID can be found in the logs where a job has failed to acquire the state lock.
Lock ID
In this example the ID is ca9c97f1-6315-c0d1-56ef-efb8c8996e8c.
Unit Path
The Unit Path is the relative path to the directory containing your terragrunt.hcl file where the lock is being held.
In the above example the Unit Path is acme/us-east-1/storage/s3bucket1.
Stack Path
Optional: When a Unit within a Stack is locked, Pipelines requires the Stack Path to generate the stack before running force-unlock in the Unit.
- GitHub
- GitLab
- From the Actions Tab, select Pipelines Unlock from the list of workflows on the left.
- Select the Run workflow dropdown on the right
- Enter the Lock ID and Unit Path values into the dropdown
- Select Run workflow
GitHub Unlock Unit Workflow
- From the Pipelines tab select New Pipeline
- Select the
pipelines_workflowInput and change the Value tounlock-unitfrom the dropdown - Enter the Lock ID and Unit Path into the
pipelines_unlock_unit_lock_idandpipelines_unlock_unit_pathinputs - Select New pipeline
GitLab Unlock Unit Workflow
Unlocking All State
The Unlock All workflow currently only unlocks AWS DynamoDB locks. It does this by attempting to delete the entire terraform-locks table in each region.
In the event that many locks are being held, and it is difficult to obtain the Lock IDs, an Unlock All workflow exists to forcibly remove all locks. Run this workflow with caution.
- GitHub
- GitLab
- From the Actions Tab, select Pipelines Unlock from the list of workflows on the left.
- Select the Run workflow dropdown on the right
- Tick the checkbox to forcibly reset all locks
- Select Run workflow
GitHub Unlock All Workflow
- From the Pipelines tab select New Pipeline
- Select the
pipelines_workflowInput and change the Value tounlock-allfrom the dropdown - Select New pipeline
GitLab Unlock All Workflow