This includes sections on the introduction of S3 native state locking and the removal of deprecated root-level attributes related to role assumption, which have been replaced by the `assume_role` block.
Moved blocks now respect reserved keywords such as `local`, `each`, `self`, etc. when parsing resource addresses.
Configurations that reference resources with type names that match top-level blocks and
keywords from moved blocks will need to prefix the reference identifier with `resource.`.
## S3 Backend
### S3 Native State Locking
The S3 backend now supports S3 native state locking as an opt-in, experimental feature.
An S3 lock can be used alongside a DynamoDB lock, or independently.
When both locking mechanisms are configured, a lock must be successfully acquired from both locations before subsequent operations will proceed.
To opt in to S3 native state locking, set `use_lockfile` to `true`.
```terraform
terraform {
  backend "s3" {
    # additional configuration omitted for brevity
    use_lockfile = true
  }
}
```
With S3 locking enabled, a lock file will be placed in the same location as the state file.
The lock file will be named identically to the state file, but with a `.tflock` extension.
**S3 bucket policies and IAM policies attached to the calling principal may need to be adjusted to include permissions for the new lock file.**
In a future minor version of Terraform, the experimental label will be removed from the `use_lockfile` attribute and attributes related to DynamoDB-based locking will be deprecated.
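As an added illustration of the policy adjustment noted above (not part of the original guide), the following IAM policy scopes access to exactly the state object and its `.tflock` companion. The bucket name, state key and policy name are assumed placeholders, and the example covers the default workspace only.

```terraform
# Added example: all names below are placeholders, not values from this guide.
locals {
  state_bucket = "example-tfstate-bucket"      # assumed bucket name
  state_key    = "envs/prod/terraform.tfstate" # assumed backend "key"

  state_arn = "arn:aws:s3:::${local.state_bucket}/${local.state_key}"
  # The lock file has the same name as the state file plus ".tflock".
  lock_arn = "${local.state_arn}.tflock"
}

data "aws_iam_policy_document" "terraform_state" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.state_bucket}"]
  }

  statement {
    sid       = "ReadWriteState"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = [local.state_arn]
  }

  # Needed once use_lockfile = true: the lock object is created, read and
  # then removed when the lock is released, so s3:DeleteObject is granted
  # here and only here, not on the state object itself.
  statement {
    sid       = "ManageStateLockFile"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = [local.lock_arn]
  }
}

resource "aws_iam_policy" "terraform_state" {
  name   = "terraform-state-access" # assumed policy name
  policy = data.aws_iam_policy_document.terraform_state.json
}
```

If a bucket policy restricts object access by key or prefix, the same `.tflock` resource ARN has to be allowed there as well, otherwise lock acquisition fails with an access-denied error even when the IAM policy is correct.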
### Root Assume Role Attribute Removal
Several root-level attributes related to IAM role assumption, which were previously deprecated, have been removed.
Each removed field has an analogous field inside the [`assume_role` block](https://developer.hashicorp.com/terraform/language/backend/s3#assume-role-configuration) which should be used instead.