Introduction
Problem
Unable to unlock remote backend Workspace using the Terraform CLI.
Prerequisites
- Terraform Cloud (TFC)
- Terraform Enterprise (TFE)
Cause
When running Terraform with a remote backend on TFC or TFE, it is not possible to unlock a Workspace by using the CLI. This is the default behavior, as unlocking remote backend workspaces from the CLI is not supported.
Example:
Failed to unlock state: lock ID "f51f0d55-84a8-cfae-6217-e3e0046397c1" does not match existing lock ID
Overview of possible solutions
Solutions:
- Log in to the TFC/TFE web UI. Select the Organization where the Workspace resides, then click on the Workspace that is locked. Click on the Settings drop-down menu, then click on Locking. Click on the button labeled "Unlock Workspace_Name" and confirm. [ User must have at least "Manage Workspaces" access ]
- Unlock Workspace[s] via the API. Retrieve the workspace ID. If performing the actions on TFC, the hostname defaults to app.terraform.io (https://app.terraform.io).
curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" "https://$TFE_HOSTNAME/api/v2/organizations/$YOUR_ORG/workspaces/$YOUR_WORKSPACE" | jq -r '.data.id'
- Unlock your workspace using the ID retrieved in the previous step.
curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request POST "https://$TFE_HOSTNAME/api/v2/workspaces/$WORKSPACE_ID/actions/unlock"
- If unlocking the Workspace using the previous options is not successful, use the Rails Console. [ TFE Only ] Log in to the Terraform Enterprise instance via SSH. Note: On older Terraform Enterprise installations, the container name is ptfe_atlas. Launch the Rails Console:
docker exec -ti tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'
Once the Rails Console has loaded, run the following commands to unlock your workspace:
ws = Workspace.find_by(name: "workspace_name")
ws.unlock!
ws.save
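The two API steps above (look up the workspace ID, then POST to its unlock action) can be combined into one script that first checks whether the workspace is actually locked. This is an added example, not HashiCorp's code: the function names are hypothetical, it reads the same TOKEN, TFE_HOSTNAME, YOUR_ORG and YOUR_WORKSPACE variables as the curl commands, and it assumes TFE_HOSTNAME holds a bare hostname.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote


def http_call(method, url, token):
    """Send one API request; return (HTTP status, parsed JSON body or {})."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/vnd.api+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def unlock_workspace(hostname, org, name, token, call=http_call):
    """Resolve the workspace ID by name, then unlock it only if it is locked."""
    base = f"https://{hostname}/api/v2"
    # Percent-encode the names so they cannot alter the request path.
    lookup = f"{base}/organizations/{quote(org, safe='')}/workspaces/{quote(name, safe='')}"
    status, doc = call("GET", lookup, token)
    if status != 200:
        return f"lookup failed: HTTP {status}"
    ws_id = doc["data"]["id"]
    # The workspace document carries a boolean "locked" attribute.
    if doc["data"].get("attributes", {}).get("locked") is False:
        return f"{ws_id} is not locked"
    status, _ = call("POST", f"{base}/workspaces/{ws_id}/actions/unlock", token)
    if status == 200:
        return f"{ws_id} unlocked"
    if status == 409:
        # The API answers 409 when the lock is held by a different user.
        return f"{ws_id} unlock refused: locked by a different user"
    return f"unlock failed: HTTP {status}"


if __name__ == "__main__":
    # The token is read from the environment, never from argv or the source.
    print(unlock_workspace(
        os.environ.get("TFE_HOSTNAME", "app.terraform.io"),
        os.environ["YOUR_ORG"], os.environ["YOUR_WORKSPACE"], os.environ["TOKEN"]))
```
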
Outcome
On success, the padlock to the left of the Workspace name in the TFC/TFE UI will disappear, and the user should be able to trigger a run from the CLI.