S3Backend now supports S3-native state locking
through a new useLockfile field, so you no longer need a DynamoDB table to
lock Terraform state stored in S3.
What changed
New useLockfile field
Set useLockfile: true on the S3Backend configuration to enable
S3-native locking. Terraform (or OpenTofu) writes a lock file next to your
state object — at <key>.tflock — for the duration of each operation and
removes it when the operation finishes. No additional infrastructure is
required.
cdktn operations needs s3:GetObject,
s3:PutObject, and s3:DeleteObject permissions on the lock file path.
Declare the runtime versions your project supports in the
targetVersions
field of cdktf.json so that synthesis validates native locking against the
versions you target. The default targets predate useLockfile, so raise the
floor to ">=1.10.0" for each product you support.dynamodbTable is deprecated
The dynamodbTable field — which points the S3 backend at a DynamoDB table
for locking — is now deprecated in favor of useLockfile. It still works for
backwards compatibility, but Terraform deprecated the underlying
dynamodb_table argument starting with v1.11 and may remove DynamoDB-based
locking in a future release.
Migrating existing projects
You can move from DynamoDB to S3-native locking without leaving state unprotected by enabling both for a single run:- Add
useLockfile: truewhile keepingdynamodbTable. - Run
cdktn deploy(orcdktn diff) once to reconfigure the backend. - Remove
dynamodbTable, then delete the DynamoDB table.