Brain Phrye


Terraform and dynamodb

This post is mainly a reminder to myself, but if you work with terraform and AWS it might help you too.

Say you decide to completely reset a terraform project. All AWS resources had been deleted outside of terraform and now you just need to delete the state file in s3 so you can start all over.

aws s3 rm s3://tf-bucket/bounce-project.tfstate

This is based on this terraform backend config:

terraform {
  backend "s3" {
    profile        = "personal"
    encrypt        = true
    bucket         = "tf-bucket"
    region         = "eu-west-1"
    dynamodb_table = "tf-bucket-state-lock"
    key            = "bounce-project.tfstate"
  }
}

Now you take your clean setup and run terraform init and get something like this:

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Error refreshing state: state data in S3 does not have the expected content.

This may be caused by unusually long delays in S3 processing a previous state
update.  Please wait for a minute or two and try again. If this problem
persists, and neither S3 nor DynamoDB are experiencing an outage, you may need
to manually verify the remote state and update the Digest value stored in the
DynamoDB table to the following value:

Ruh-roh. There’s something in dynamodb you need but how the heck do you query dynamodb? And what do you query?

Well, the short answer is this:

aws dynamodb get-item --table-name tf-bucket-state-lock \
  --key '{ "LockID": { "S": "tf-bucket/bounce-project.tfstate-md5" } }'

And then to delete it, you do this:

aws dynamodb delete-item --table-name tf-bucket-state-lock \
  --key '{ "LockID": { "S": "tf-bucket/bounce-project.tfstate-md5" } }'

The value of LockID is made up of <bucket>/<key>-md5 with bucket and key being from the backend "s3" stanza of the terraform backend config. Stored with that is an expected md5 digest of the terraform state file.

To get a full view of the table just run aws dynamodb scan --table-name tf-bucket-state-lock and it will dump all the values.