Introduction
Problem
Unable to unlock remote backend Workspace using the Terraform CLI.
Prerequisites
- Terraform Cloud
- Terraform Enterprise (All versions).
Cause
When running Terraform from the CLI with a remote backend on TFC or TFE, it is not possible to unlock a Workspace from the CLI. This is the default behavior, because unlocking remote backend workspaces from the CLI is not supported.
Example:
Failed to unlock state: lock ID "f51f0d55-84a8-cfae-6217-e3e0046397c1" does not match existing lock ID
Overview of possible solutions (if applicable)
Solutions:
- Log in to the TFC/TFE UI. Select the Organization where the Workspace resides, then click on the Workspace that is locked. Click on the Settings drop-down menu, then click on Locking. Click on the button labeled "Unlock Workspace Name" and confirm. [ User must have at least "Manage Workspaces" access ]
- Unlock Workspace[s] via the API. Retrieve the workspace ID. If performing the actions on TFC, the hostname defaults to app.terraform.io (the commands below already add the https:// prefix).
  curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" "https://$TFE_HOSTNAME/api/v2/organizations/$YOUR_ORG/workspaces/$YOUR_WORKSPACE" | jq -r '.data.id'
- Unlock your workspace using the ID retrieved in the previous step.
  curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request POST "https://$TFE_HOSTNAME/api/v2/workspaces/$WORKSPACE_ID/actions/unlock"
- If unlocking the Workspace using the previous options is not successful, we can use the Rails Console. [ TFE Only ] Log in to the Terraform Enterprise instance via SSH or an alternative that provides shell access. Access the Rails Console by running this command as a user with docker access. Note: On older Terraform Enterprise installations, the container name is ptfe_atlas.
  docker exec -ti tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'
  Once the Rails Console has loaded, run the following commands to unlock your workspace:
  # Replace workspace_name with the name of the locked workspace
  ws = Workspace.find_by(name: "workspace_name")
  # Release the lock, then persist the change
  ws.unlock!
  ws.save
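The two API calls from the API option above (look up the workspace ID, then POST to actions/unlock) combined into one function, as an added example that is not part of the original article. It assumes curl and jq are installed, that TOKEN and TFE_HOSTNAME (bare host name) are set as in those commands, and that the workspace response carries a locked attribute; the function names tfe_api and unlock_workspace are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes curl and jq are installed,
# TOKEN holds an API token and TFE_HOSTNAME is a bare host such as app.terraform.io.

# tfe_api METHOD PATH (hypothetical helper): prints the response body, then the
# HTTP status on its own line. The Authorization header is fed to curl as a config
# file on stdin, so the token is not visible in the process list as an argument.
tfe_api() {
  printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
    curl --silent --show-error --config - \
      --header "Content-Type: application/vnd.api+json" \
      --request "$1" --write-out '\n%{http_code}\n' \
      "https://${TFE_HOSTNAME}/api/v2$2"
}

# unlock_workspace ORG WORKSPACE: exit status 0 when the workspace ends up unlocked.
# The body runs in a subshell, so its variables stay local and "exit" only leaves it.
unlock_workspace() (
  if [ -z "$TOKEN" ] || [ -z "$TFE_HOSTNAME" ] || [ $# -ne 2 ]; then
    echo "usage: TOKEN=... TFE_HOSTNAME=... unlock_workspace ORG WORKSPACE" >&2
    exit 1
  fi
  resp=$(tfe_api GET "/organizations/$1/workspaces/$2") || exit 2
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  if [ "$status" != 200 ]; then
    echo "lookup of $1/$2 failed: HTTP $status" >&2
    exit 3
  fi
  id=$(printf '%s' "$body" | jq -r '.data.id')
  # Assumption: the workspace document exposes .data.attributes.locked (true/false).
  locked=$(printf '%s' "$body" | jq -r '.data.attributes.locked')
  if [ "$locked" != true ]; then
    echo "$2 ($id) is not locked, nothing to do"
    exit 0
  fi
  resp=$(tfe_api POST "/workspaces/$id/actions/unlock") || exit 2
  status=$(printf '%s\n' "$resp" | tail -n 1)
  case $status in
    200) echo "$2 ($id) unlocked" ;;
    409) echo "unlock of $2 refused with HTTP 409 (conflict)" >&2; exit 4 ;;
    *)   echo "unlock of $2 failed: HTTP $status" >&2; exit 5 ;;
  esac
)
```

Call it as `unlock_workspace "$YOUR_ORG" "$YOUR_WORKSPACE"`; a non-zero exit status distinguishes a failed lookup (3) from a refused unlock (4 or 5).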
Outcome
On success, the padlock to the left of the Workspace name in the TFC/TFE UI will disappear and the user should be able to trigger a run from the CLI.