Introduction
When using Terraform in a team environment, ensuring that multiple people don’t modify the state simultaneously is crucial. Typically, Terraform provides state locking via Amazon S3 and DynamoDB. However, some users might prefer not to use DynamoDB due to cost, complexity, or organizational constraints. This blog explores how to implement state locking using S3 alone, discussing its benefits, limitations, and possible workarounds.
Why Terraform State Locking?
State locking prevents concurrent modifications to the Terraform state, which can lead to corruption and inconsistencies. Without locking, multiple users applying changes simultaneously can overwrite each other’s updates, leading to an unpredictable infrastructure state.
Default Approach: S3 + DynamoDB
The recommended approach for state locking with AWS is:
- S3: Stores the Terraform state file.
- DynamoDB: Provides locking to prevent concurrent operations.
DynamoDB achieves this by storing a lock item that prevents another operation from proceeding until the first one is completed.
Using S3 Without DynamoDB
Recent Announcement
Terraform has recently introduced native state locking in S3, removing the need for DynamoDB. This enhancement simplifies the setup, reduces costs, and eliminates the need for additional AWS services. Now, teams can leverage S3 for both state storage and locking without relying on external databases.
Enabling S3 Native Locking
To enable S3’s built-in locking, simply set use_lockfile to true in your backend configuration.
Before: Using DynamoDB for Locking
```hcl
terraform {
  backend "s3" {
    bucket         = "your-terraform-state-bucket"
    key            = "path/to/your/statefile.tfstate"
    region         = "us-east-1"
    dynamodb_table = "your-dynamodb-lock-table" # Current state lock
    encrypt        = true
  }
}
```
After: Switching to S3 Native Locking
```hcl
terraform {
  backend "s3" {
    bucket       = "your-terraform-state-bucket"
    key          = "path/to/your/statefile.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true # S3 native locking
  }
}
```
How It Works
With S3 locking enabled, Terraform creates a lock file in the same location as the state file. This lock file shares the same name as the state file but has a “.tflock” extension. Depending on your setup, you may need to update S3 bucket policies and IAM permissions to accommodate the new lock file.
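The IAM change mentioned above, as an added example that is not part of the original post: a least-privilege policy for the identity that runs Terraform, scoped to the state object and its lock file. It assumes the bucket and key used in the examples on this page; the policy name is hypothetical, and the lock-file actions follow the S3 backend documentation.

```hcl
locals {
  state_bucket = "ct-bucket-2025"              # bucket name from this page's examples
  state_key    = "cloudthat/terraform.tfstate" # state key from this page's examples
}

data "aws_iam_policy_document" "terraform_state" {
  # Terraform lists the bucket to locate the state object.
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.state_bucket}"]
  }

  # Read and write the state file itself. No delete permission is granted,
  # so a compromised pipeline credential cannot remove the state object.
  statement {
    sid       = "ReadWriteState"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${local.state_bucket}/${local.state_key}"]
  }

  # The lock file is the state key with ".tflock" appended. Terraform
  # creates it when acquiring the lock and deletes it on release, so
  # DeleteObject is needed here and only here.
  statement {
    sid       = "ManageLockFile"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.state_bucket}/${local.state_key}.tflock"]
  }
}

resource "aws_iam_policy" "terraform_state" {
  name   = "terraform-state-access" # hypothetical policy name
  policy = data.aws_iam_policy_document.terraform_state.json
}
```

If the bucket policy restricts object access by key or prefix, the `.tflock` object needs to be allowed there as well, otherwise lock acquisition fails with an access-denied error.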
Example Configuration
Example 1: Deploying an EC2 Instance
```hcl
terraform {
  backend "s3" {
    bucket       = "ct-bucket-2025"
    key          = "cloudthat/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true # S3 native locking
  }
}

variable "region" {
  type    = string
  default = "us-east-1"
}

# Use the region variable so the AWS provider is configured explicitly.
provider "aws" {
  region = var.region
}

resource "aws_instance" "example_instance" {
  ami           = "ami-12345678" # placeholder AMI ID; replace with one valid in your region
  instance_type = "t2.micro"

  tags = {
    Name = "cloudthat-ec2-1"
  }
}
```
- Create the configuration files.
- Initialize the directory with terraform init.
- Run the terraform plan command to view the plan.
- Run the terraform apply command to create the resources.
- Check the state file and the lock file in the S3 bucket.
- When you run Terraform commands simultaneously, you will get the message “Error acquiring the state lock”, which means state locking is enabled without the use of DynamoDB.
Example 2: Creating an S3 Bucket with State Locking
```hcl
terraform {
  backend "s3" {
    bucket       = "ct-bucket-2025"
    key          = "cloudthat/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true # S3 native locking
  }
}

resource "aws_s3_bucket" "ct_dev_bucket" {
  bucket = "ct-terraform-state-bucket"
  acl    = "private" # deprecated argument in AWS provider v4 and later
}

# Keep previous versions of every object written to the bucket.
resource "aws_s3_bucket_versioning" "example_versioning" {
  bucket = aws_s3_bucket.ct_dev_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}
```
- Write the configuration files.
- Initialize the directory with terraform init.
- Run the terraform plan command to see the plan.
- Run the terraform apply command to execute the changes.
- Check the S3 bucket for the state file and the lock file.
- When you run Terraform commands simultaneously, you will get the message “Error acquiring the state lock”, which means state locking is enabled without the use of DynamoDB.
Conclusion
With the introduction of S3 native state locking, Terraform users can now avoid the additional complexity and cost of using DynamoDB. This simplifies the infrastructure while ensuring safe and reliable state management. If you’re currently using DynamoDB, consider migrating to the new S3-based locking mechanism to take advantage of this feature.

WRITTEN BY Sruti Samatkar