Upgrading Terraform State Locking with AWS S3 Bucket


With recent releases of Terraform, you no longer need to use DynamoDB tables for state locking if you’re using AWS S3 as your state file storage. Terraform now supports native state locking using S3, simplifying your Infrastructure as Code (IaC) workflow.

Read the full article here: Upgrading Terraform State Locking with AWS S3 Bucket

You Should Know:

Migrating from DynamoDB to S3 State Locking

If you’re currently using DynamoDB for Terraform state locking, follow these steps to migrate to S3-based locking:

1. Update Terraform Configuration

Modify your `backend.tf` to drop the DynamoDB lock table and turn on the S3-native lock file (without `use_lockfile`, removing `dynamodb_table` simply leaves the state unlocked):

```hcl
terraform {
  backend "s3" {
    bucket       = "your-terraform-state-bucket"
    key          = "terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true   # S3-native locking: a terraform.tfstate.tflock object is written beside the state
    # dynamodb_table = "your-lock-table"   # remove or comment out the DynamoDB lock table
  }
}
```

2. Verify Terraform Version

Ensure you’re using Terraform v1.3 or later:

```shell
terraform version
```

3. Reinitialize Terraform

Run:

```shell
terraform init -reconfigure
```

4. Test Locking Mechanism

Verify that a second run cannot acquire the lock while an apply is in progress: start an apply with locking on (the default), and a `terraform plan` or `terraform apply` started from another shell before it finishes should fail with a state lock error instead of touching the state:

```shell
terraform apply -lock=true
```

Key AWS CLI Commands for S3 State Management

  • Check whether versioning is enabled on the state bucket:
    ```shell
    aws s3api get-bucket-versioning --bucket your-terraform-state-bucket
    ```
  • Enable default bucket encryption:
    ```shell
    aws s3api put-bucket-encryption --bucket your-terraform-state-bucket --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
    ```
  • Check whether server access logging is enabled:
    ```shell
    aws s3api get-bucket-logging --bucket your-terraform-state-bucket
    ```

Terraform Commands for State Operations

  • Force-unlock the state (emergency only, when you are sure no other run is still in progress):
    ```shell
    terraform force-unlock LOCK_ID
    ```
  • List state files in the bucket:
    ```shell
    aws s3 ls s3://your-terraform-state-bucket --recursive
    ```
  • Destroy all managed infrastructure, then reinitialize the backend (note that `terraform destroy` removes every resource in the state, not just the backend):
    ```shell
    terraform destroy && terraform init
    ```

What Undercode Say

Terraform’s native S3 state locking eliminates DynamoDB dependencies, reducing complexity and costs. However, ensure:
– Versioning is enabled on your S3 bucket to recover accidental deletions.
– IAM policies restrict access to the state bucket, for example a bucket policy that denies every S3 action on the bucket and its objects to principals whose session has no MFA:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-terraform-state-bucket",
        "arn:aws:s3:::your-terraform-state-bucket/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```
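The checklist above (versioning, encryption, restrictive policy) can be verified from code rather than by eye. The following is an added example, not code from the original article: it audits a state bucket through the boto3 S3 client API (`get_bucket_versioning`, `get_bucket_encryption`, `get_public_access_block`, `get_bucket_logging`, `get_bucket_policy`) and reports which controls are missing. `FakeS3` is a constructed stand-in for the real client so the audit runs offline; the bucket name, `MFA_DENY_POLICY` and the log target bucket are placeholders. One caveat the policy above does not spell out: a Deny on all principals without MFA also denies Terraform itself when it runs from a CI role, whose session never carries MFA, so in practice the automation role is excluded with `NotPrincipal` or a narrower `Principal`.

```python
"""Audit an S3 bucket that holds Terraform state (added example, not the article's code)."""
import json
import sys

# The article's bucket policy with its wildcards restored; the bucket name is a placeholder.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::your-terraform-state-bucket",
                     "arn:aws:s3:::your-terraform-state-bucket/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def _call(client, method, bucket):
    """Call a boto3-style getter; return (response, None) or (None, error_code)."""
    try:
        return getattr(client, method)(Bucket=bucket), None
    except Exception as exc:  # botocore's ClientError exposes .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        return None, code


def has_mfa_deny(policy, bucket):
    """True if some Deny statement covers the bucket or its objects and requires MFA."""
    arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") != "Deny" or str(cond.get("aws:MultiFactorAuthPresent")).lower() != "false":
            continue
        res = st.get("Resource", [])
        if arns & set([res] if isinstance(res, str) else res):
            return True
    return False


def audit_state_bucket(client, bucket):
    """Return a list of findings; an empty list means every control is in place."""
    findings = []
    resp, err = _call(client, "get_bucket_versioning", bucket)
    if err or resp.get("Status") != "Enabled":  # "Status" is absent when never enabled
        findings.append("versioning not enabled: overwritten or deleted state is unrecoverable")
    resp, err = _call(client, "get_bucket_encryption", bucket)
    if err:  # ServerSideEncryptionConfigurationNotFoundError when nothing is configured
        findings.append("no default server-side encryption")
    resp, err = _call(client, "get_public_access_block", bucket)
    cfg = {} if err else resp.get("PublicAccessBlockConfiguration", {})
    if not all(cfg.get(k) for k in PUBLIC_ACCESS_KEYS):
        findings.append("public access block not fully enabled")
    resp, err = _call(client, "get_bucket_logging", bucket)
    if err or "LoggingEnabled" not in resp:
        findings.append("server access logging not enabled")
    resp, err = _call(client, "get_bucket_policy", bucket)  # NoSuchBucketPolicy if none
    if err or not has_mfa_deny(json.loads(resp["Policy"]), bucket):
        findings.append("no Deny statement conditioned on aws:MultiFactorAuthPresent")
    return findings


class _ClientError(Exception):
    """Mimics the shape of botocore's ClientError (constructed for the offline stub)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed stand-in for boto3.client('s3'); implements only the getters used above."""
    def __init__(self, versioning=True, encrypted=True, public_block=True,
                 logging=True, policy=MFA_DENY_POLICY):
        self.v, self.e, self.p, self.l, self.policy = versioning, encrypted, public_block, logging, policy

    def get_bucket_versioning(self, Bucket):
        return {"Status": "Enabled"} if self.v else {}

    def get_bucket_encryption(self, Bucket):
        if not self.e:
            raise _ClientError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

    def get_public_access_block(self, Bucket):
        return {"PublicAccessBlockConfiguration": {k: self.p for k in PUBLIC_ACCESS_KEYS}}

    def get_bucket_logging(self, Bucket):
        return {"LoggingEnabled": {"TargetBucket": "your-log-bucket", "TargetPrefix": "state/"}} if self.l else {}

    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise _ClientError("NoSuchBucketPolicy")
        return {"Policy": json.dumps(self.policy)}


if __name__ == "__main__":
    # Usage against a real account: python audit_state_bucket.py your-terraform-state-bucket
    import boto3  # needs boto3 installed and AWS credentials with s3:Get* on the bucket
    for finding in audit_state_bucket(boto3.client("s3"), sys.argv[1]):
        print("FINDING:", finding)
```

Run it against the real bucket with boto3 installed; against `FakeS3(versioning=False, encrypted=False, policy=None)` it returns three findings, one per missing control, which is the shape to wire into a CI gate before the first `terraform init` in a new account.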

– Monitor S3 API calls via AWS CloudTrail:

```shell
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutObject --region us-east-1
```
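To turn the CloudTrail check into something that raises alerts, here is an added example (not from the original article) that classifies S3 records for the state bucket. One caveat first: `lookup-events` returns management events only, and `PutObject`/`DeleteObject` are S3 data events, so they appear only when the trail has data event logging enabled for the bucket, and you read them from the delivered log files (the `records_from_lookup_output` helper handles the `lookup-events` shape for management events such as `PutBucketVersioning`). The records below are constructed samples in the CloudTrail record format; the bucket name and the CI role ARN prefix are placeholders. Writes to the `.tflock` object are treated as expected locking activity; deletion of the state object, bucket configuration changes, and any write by a principal outside the trusted list that lacks MFA are raised as high-severity alerts.

```python
"""Classify CloudTrail S3 records for a Terraform state bucket (added example, not the article's code)."""
import json
import sys

STATE_BUCKET = "your-terraform-state-bucket"  # placeholder
# Automation identities that write state without MFA; everything else must carry MFA. Placeholder ARN.
TRUSTED_PREFIXES = ("arn:aws:sts::123456789012:assumed-role/terraform-ci/",)
CONFIG_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketVersioning",
                 "PutBucketEncryption", "DeleteBucketEncryption", "PutBucketPublicAccessBlock"}
DATA_WRITE_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects"}


def _mfa(record):
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def classify(record, bucket=STATE_BUCKET, trusted=TRUSTED_PREFIXES):
    """Return (severity, reason) for one record, or None if it does not concern the bucket."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    params = record.get("requestParameters") or {}
    if params.get("bucketName") != bucket:
        return None
    name, key = record.get("eventName", ""), params.get("key", "")
    arn = record.get("userIdentity", {}).get("arn", "")
    is_trusted = arn.startswith(tuple(trusted))
    if name in CONFIG_EVENTS:
        return ("high", f"bucket configuration changed ({name}) by {arn}")
    if name not in DATA_WRITE_EVENTS:
        return ("info", f"{name} on {key or bucket} by {arn}")
    if not is_trusted and not _mfa(record):
        return ("high", f"{name} on {key} by {arn} without MFA")
    if key.endswith(".tflock"):  # S3-native lock object: created on lock, deleted on unlock
        return ("info", f"lock {'released' if name.startswith('Delete') else 'acquired'} by {arn}")
    if name.startswith("Delete"):
        return ("high", f"state object {key} deleted by {arn}")
    return ("info" if is_trusted else "medium", f"state object {key} written by {arn}")


def triage(records, **kw):
    """Classify every record and drop the ones that are not about the bucket."""
    return [c for c in (classify(r, **kw) for r in records) if c]


def alerts(records, **kw):
    """Only the findings worth paging on."""
    return [c for c in triage(records, **kw) if c[0] in ("high", "medium")]


def records_from_lookup_output(output):
    """Unpack `aws cloudtrail lookup-events` JSON: each Event carries the record as a string."""
    return [json.loads(e["CloudTrailEvent"]) for e in output.get("Events", [])]


def _rec(name, arn, key=None, mfa="false", bucket=STATE_BUCKET):
    """Build a minimal constructed CloudTrail record (sample data, not real logs)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn, "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
           "requestParameters": {"bucketName": bucket}}
    if key:
        rec["requestParameters"]["key"] = key
    return rec


CI = "arn:aws:sts::123456789012:assumed-role/terraform-ci/run-42"   # constructed
ADMIN = "arn:aws:iam::123456789012:user/alice"                       # constructed
SAMPLE_RECORDS = [
    _rec("PutObject", CI, "terraform.tfstate.tflock"),             # CI acquires the lock: info
    _rec("PutObject", CI, "terraform.tfstate"),                    # CI writes new state: info
    _rec("DeleteObject", CI, "terraform.tfstate.tflock"),          # CI releases the lock: info
    _rec("DeleteObject", ADMIN, "terraform.tfstate", mfa="true"),  # human deletes state: high
    _rec("PutBucketVersioning", ADMIN, mfa="true"),                # bucket config change: high
    _rec("PutObject", ADMIN, "terraform.tfstate"),                 # human write without MFA: high
    _rec("GetObject", ADMIN, "terraform.tfstate", mfa="true"),     # read: info
    _rec("PutObject", CI, "x", bucket="some-other-bucket"),        # other bucket: ignored
]


if __name__ == "__main__":
    # Usage: python triage_state_bucket.py < trail-log-file.json   (a {"Records": [...]} file)
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"Records": SAMPLE_RECORDS}
    for severity, reason in alerts(data.get("Records", [])):
        print(severity.upper(), reason)
```

With the constructed samples, `alerts(SAMPLE_RECORDS)` yields exactly the three high-severity findings (state deletion, versioning change, unauthenticated human write) while the CI role's lock acquire/release and state write stay at informational level, so the rule does not page on every normal run.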

For hybrid setups, consider Terragrunt for advanced state management. Always test locking mechanisms in a staging environment before production rollout.

Expected Output:

  • Successful migration from DynamoDB to S3 state locking.
  • Verified state operations via `terraform apply` and `terraform plan`.
  • Auditable S3 access logs and enforced encryption.

References:

Reported By: Darryl Ruggles – Hackers Feeds