Failed to unlock state: lock ID does not match existing lock ID

Introduction

Problem

Unable to unlock remote backend Workspace using the Terraform CLI.

Prerequisites

• Terraform Cloud(TFC)
• Terraform Enterprise (TFE).

Cause

When running terraform using a remote backend on TFC or TFE is not possible to unlock a Workspace by using the CLI. This is the default behavior as unlocking remote backend workspaces from the CLI is not supported.

Example:

Failed to unlock state: lock ID "f51f0d55-84a8-cfae-6217-e3e0046397c1" does not match existing lock ID

Overview of possible solutions

Solutions:

• Login to the TFC/TFE web UI. Select the Organization where the Workspace resides then click on the Workspace that is locked. Click on the Settings drop down menu then click on Locking. Click on the button labeled "Unlock Workspace_Name" and confirm. [ User must have at least "Manage Workspaces" access ]

• Unlock Workspace[s] via the API. Retrieve the workspace ID. If performing the actions on TFC the hostname defaults to https://app.terraform.io .

  curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" https://$TFE_HOSTNAME/api/v2/organizations/$YOUR_ORG/workspaces/$YOUR_WORKSPACE|jq -r '.data.id'

• Unlock your workspace using the ID retrieved in the previous step.

  curl --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request POST https://$TFE_HOSTNAME/api/v2/workspaces/$WORKSPACE_ID/actions/unlock
  

• If unlocking the Workspace using the previous options is not successful use the Rails Console . [ TFE Only ] Login to the Terraform Enterprise instance via SSH. Note: On older Terraform Enterprise installations, the container name is ptfe_atlas. Launch the Rails Console docker exec -ti tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c' Once the Rails Console has loaded run the following commands to unlock your workspace:  

• ws = Workspace.find_by(name: "workspace_name") 
  ws.unlock! 
  ws.save

Outcome

On success the padlock to the left of the Workspace name on the TFC/TFE UI will disappear and User should be able to trigger a run from the CLI.

Additional Information

• How to Access the Terraform Enterprise Rails Console.

• Create a local TFE Administrator through the Rails Console.
• Restoring Site-Admin Access when No Accounts have Access.