Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop dynamodb requirements for S3 locks #34920

Open
dimoschi opened this issue Apr 1, 2024 · 2 comments
Open

Drop dynamodb requirements for S3 locks #34920

dimoschi opened this issue Apr 1, 2024 · 2 comments
Labels
backend/s3 enhancement

Comments

@dimoschi
Copy link

dimoschi commented Apr 1, 2024

Terraform Version

Terraform v1.7.5
on darwin_arm64

Use Cases

  • S3 for state management is one of the strongest alternatives to remote, however a dynamodb is required for state locking, which increases complexity, although not by much.

Attempted Solutions

Based on the current implementation of S3 there isn't an alternate solution.

Proposal

AWS S3 nowadays comes with an object lock mechanism, which could be utilized instead of relying to DynamoDB to lock the state. Per AWS docs (https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html#object-lock-legal-holds) the object lock uses WORM, that can be applied on demand (legal hold), which would prevent multiple runs from altering the state.

References
@dimoschi dimoschi added enhancement new new issue not yet triaged labels Apr 1, 2024
@dimoschi dimoschi changed the title Drop dynamodb requirements for Drop dynamodb requirements for S3 locks Apr 1, 2024
@apparentlymart
Copy link
Member

Thanks for sharing this, @dimoschi.

These new S3 features seem more motivated by legal/compliance than by being a synchronization mechanism, so I think we'll need to study more closely to find out what consistency guarantees it provides, but I agree that this does seem like an interesting alternative to using DynamoDB.

The S3 backend is maintained by the AWS provider team rather than by the Terraform Core team, so I'm going to label this to make it visible to them for consideration.

In the meantime, if you or anyone else has references to specific information about what consistency guarantees S3 offers for object lock -- for example, is it safe to assume that the lock is in effect for all clients as soon as the API server responds? -- that could help with determining whether this feature is sufficient to meet Terraform's needs for workspace state locking.

Thanks again!

@apparentlymart apparentlymart added backend/s3 and removed new new issue not yet triaged labels Apr 1, 2024
@bschaatsbergen
Copy link
Member

bschaatsbergen commented Apr 18, 2024
edited

Taking a quick look at the S3 Object locking documentation, it appears that it's only accessible on buckets with versioning enabled.

Object Lock works only in buckets that have S3 Versioning enabled.

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

And unfortunately we are not able to rely on the read-after-write consistency for locking too.

Amazon S3 does not support object locking for concurrent writers. If two PUT requests are simultaneously made to the same key, the request with the latest timestamp wins. If this is an issue, you must build an object-locking mechanism into your application.

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html#ConsistencyModel

Also, I'm not sure if using object locking is a neat solution for this - it would have to be used in 'governance' mode, and you're required to specify a lock duration... which you then have to remove afterward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend/s3 enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@apparentlymart @dimoschi @bschaatsbergen