Unable to unlock remote backend Workspace using the Terraform CLI.
Prerequisites (if applicable)
- Terraform Cloud
- Terraform Enterprise (All versions).
- When running terraform from the CLI using a remote backend on TFC or TFE is not possible to unlock a Workspace by using the CLI. This happens by default as unlocking remote backend workspaces from the CLI is not supported.
[For Example: Failed to unlock state: lock ID "f51f0d55-84a8-cfae-6217-e3e0046397c1" does not match existing lock ID]
Overview of possible solutions (if applicable)
Login to the TFC/TFE UI. Select the Organization where the Workspace resides then click on the Workspace that is locked. Click on the Settings drop down menu then click on Locking. Click on the button labeled "Unlock Workspace Name " and confirm. [ User must have at least "Manage Workspaces" access ]
Unlock Workspace[s] via the API. Retrieve the workspace ID. If performing the actions on TFC the hostname defaults to https://app.terraform.io .
curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" https://$TFE_HOSTNAME/api/v2/organizations/$YOUR_ORG/workspaces/$YOUR_WORKSPACE|jq -r '.data.id'
Unlock your workspace using the ID retrieved in the previous step.
curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request POST https://$TFE_HOSTNAME/api/v2/workspaces/$WORKSPACE_ID/actions/unlock
- If unlocking the Workspace using the previous options is not successful we can use the Rails Console . [ TFE Only ] Login to the Terraform Enterprise instance via SSH or alternative that provides shell access. Access the Rails Console by using this command with a user with docker access.
docker exec -ti ptfe_atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'Once the Rails Console has loaded run the following commands to unlock your workspace:
ws = Workspace.find_by(name: "workspace_name")
On success the padlock to the left of the Workspace name on the TFC/TFE UI will disappear and User should be able to trigger a run from the CLI.