Problem
When migrating state from an existing backend to Terraform Cloud/Enterprise, the operation fails while attempting to acquire a lock with resource
not found.
remote backend:
$ terraform init -migrate-state
Initializing the backend...
Terraform detected that the backend type changed from "azurerm" to "remote".
╷
│ Error: Error acquiring the state lock
│
│ Error message: resource not found
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.
╵
Terraform >= v1.1 with cloud block:
$ terraform init
Initializing Terraform Cloud...
Migrating from backend "azurerm" to Terraform Cloud.
Do you wish to proceed?
As part of migrating to Terraform Cloud, Terraform can optionally copy your
current workspace state to the configured Terraform Cloud workspace.
Answer "yes" to copy the latest state snapshot to the configured
Terraform Cloud workspace.
Answer "no" to ignore the existing state and just activate the configured
Terraform Cloud workspace with its existing state, if any.
Should Terraform migrate your existing state?
Enter a value: yes
╷
│ Error: Error acquiring the state lock
│
│ Error message: resource not found
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.
╵
Cause
This can occur when the authenticated Terraform Cloud/Enterprise user lacks sufficient permissions to lock workspaces, as the target workspace must be locked while state is being uploaded. While this might be perceived as an issue acquiring a lock on the existing backend, performing the operation with trace logging enabled should display response details from the backend's API to confirm if the lock was acquired on its state. See the example below, which shows a successful Lease Blob request the azurerm backend:
$ TF_LOG=trace terraform init
...
2023-05-16T09:59:28.191-0400 [DEBUG] Azure Backend Response for https://tfstatet5y9z.blob.core.windows.net/tfstate/prod.terraform.tfstate?comp=lease:
HTTP/1.1 201 Created
...
Solution
Locking a workspace requires at least one of the following team memberships in the Terraform Cloud/Enterprise organization:
- the owners team
- teams with "Manage all workspaces" and/or “Manage all projects” organization permissions
- teams with “Project Admin” project permissions
Re-authenticate with terraform login, this time authenticating as a user with sufficient access, or add the authenticated user to a team which meets the requirements above. If the Terraform Cloud/Enterprise token is set in the token argument of the backend/cloud block, sourced through the TF_TOKEN_<hostname>environment variable, or sourced through the credentials block in the CLI configuration file; replace it with one owned by a user or team with the required permissions.