What is the Google Cloud Platform mechanism for locking state file when using Terraform?
Something like DynamoDB on AWS...
thanks
If supported by your backend, Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state. State locking happens automatically on all operations that could write state.
Change the backend configuration: Make sure to update the BUCKET_NAME to match the name of your new Cloud Storage bucket. Run terraform init to configure your Terraform backend. Terraform detects that you already have a state file locally and prompts you to copy it to the new Cloud Storage bucket. Enter yes.
Terraform Remote Backend — AWS S3 and DynamoDB: DynamoDB supports state locking and consistency checking. A single DynamoDB table can be used to lock multiple remote state files.
Google Cloud Platform, like most of the remote backends, natively supports locking. AWS doesn't support locking natively via S3, but it does, as you mentioned, via DynamoDB.
To run terraform apply, Terraform will automatically acquire a lock; if someone else is already running apply, they will already have the lock, and you will have to wait.
You can run apply with the -lock-timeout=<TIME> parameter to tell Terraform to wait up to TIME for a lock to be released (e.g., -lock-timeout=10m will wait for 10 minutes).
gcs backend implements Terraform state locking by using a special lock file with .tflock extension. This file is placed next to the Terraform state itself for the period of Terraform state operation. For example, if the state file is located at path
gs://BUCKET/PREFIX/WORKSPACE.tfstate
then the corresponding lock file will be located at path
gs://BUCKET/PREFIX/WORKSPACE.tflock
Source: hashicorp/terraform
The atomicity of locking is guaranteed by using the GCS feature called Precondition. Terraform itself makes use of DoesNotExist condition of GCP Go SDK which in turn uses the GCS Precondition. Underneath, this adds this HTTP header x-goog-if-generation-match: 0 to the GCS copy request.
According to GCS documentation:
When a Match precondition uses the value 0 instead of a generation number, the request only succeeds if there are no live objects in the Cloud Storage bucket with the name specified in the request.
Which is exactly what is needed for Terraform state locking.
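A minimal model of the create-if-absent locking described in the answer above, as an added example (not code from the answer or from Terraform). Bucket, Put, LockPath and Race are hypothetical names, and the in-memory bucket is a constructed stand-in for GCS so the sketch runs offline; it shows that when several writers send the same "generation match 0" write, exactly one ends up holding the .tflock object.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

var ErrPrecondition = errors.New("412 precondition failed") // models GCS's HTTP 412
// Bucket is a constructed in-memory stand-in for a GCS bucket.
type Bucket struct {
	mu   sync.Mutex
	gens map[string]int64 // object name -> live generation; absent = no live object
}

// Put succeeds only if name's live generation equals ifGenMatch (0 = no live object).
func (b *Bucket) Put(name string, ifGenMatch int64) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.gens[name] != ifGenMatch { // a missing key reads as generation 0
		return ErrPrecondition
	}
	b.gens[name] = ifGenMatch + 1 // any new nonzero generation will do in this model
	return nil
}

// LockPath maps PREFIX/WORKSPACE.tfstate to PREFIX/WORKSPACE.tflock.
func LockPath(state string) string {
	return strings.TrimSuffix(state, ".tfstate") + ".tflock"
}

// Race lets n concurrent writers try to create the lock and counts successes.
func Race(b *Bucket, state string, n int) int {
	results := make(chan error, n)
	for i := 0; i < n; i++ {
		go func() { results <- b.Put(LockPath(state), 0) }()
	}
	winners := 0
	for i := 0; i < n; i++ {
		if <-results == nil {
			winners++
		}
	}
	return winners
}

func main() {
	fmt.Println("lock holders:", Race(&Bucket{gens: map[string]int64{}}, "PREFIX/WORKSPACE.tfstate", 8))
}
```

The check and the write happen as one step inside Put, which is the property the precondition gives the real backend; a separate "does the lock exist?" read followed by an unconditional write would let two writers both pass the check.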