Diagnostic Questions

Before revealing the investigation path:

  1. terraform force-unlock fails with ConditionalCheckFailedException. This usually means the lock ID does not match. But in this case, the lock ID is correct. What else could cause a ConditionalCheckFailedException from DynamoDB?

  2. You try to delete the lock item directly via the AWS CLI and get ProvisionedThroughputExceededException. The table has 5 WCU and only 1 item. What does this tell you about the table's current workload?

  3. CloudWatch shows 1500+ write capacity units consumed per 5-minute period against a 5 WCU table. How do you identify which IAM principal is making these requests?

  4. A load test is using the Terraform state lock table as a coordination store. Why is the fix categorized as an observability change (monitoring/alerting) rather than just a cloud resource change (separate tables)?

  5. What IAM and resource-level controls would prevent an unauthorized workload from using a Terraform state lock table? How would you make this table tamper-proof?