From 4dba20ec2b60c43d2a978555f61a9482daf100ed Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 27 Aug 2025 16:21:44 -0400
Subject: [PATCH] add locking support to the -write policy
---
 terraform-state/policy.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/terraform-state/policy.tf b/terraform-state/policy.tf
index dc1c30d..0630290 100644
--- a/terraform-state/policy.tf
+++ b/terraform-state/policy.tf
@@ -58,7 +58,6 @@ data "aws_iam_policy_document" "tfstate" {
 }
 
 # https://developer.hashicorp.com/terraform/language/backend/s3
-
 statement {
 sid = "TFRemoteStateLocking"
 effect = "Allow"
@@ -175,6 +174,17 @@ data "aws_iam_policy_document" "tfstate_write" {
 ]
 resources = ["${aws_s3_bucket.tfstate.arn}/*"]
 }
+ # https://developer.hashicorp.com/terraform/language/backend/s3
+ statement {
+ sid = "TFRemoteStateLocking"
+ effect = "Allow"
+ resources = ["${aws_s3_bucket.tfstate.arn}/*.tflock"]
+ actions = [
+ # "s3:GetObject",
+ # "s3:PutObject"
+ "s3:DeleteObject"
+ ]
+ }
 statement {
 sid = "TFRemoteStateDDB"
 effect = "Allow"
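Review bot: The new `TFRemoteStateLocking` statement in `tfstate_write` keeps `s3:GetObject` and `s3:PutObject` as commented-out entries in `actions`, so a reader cannot tell whether acquiring the lock is covered elsewhere or was left out by mistake. The statement just above it grants something on `${aws_s3_bucket.tfstate.arn}/*`, but its action list starts outside the hunk. If that list already includes Get/Put, replace the two commented lines with one explanatory comment such as `# Get/Put on the lock object come from the statement above; only delete (lock release) is added here`; otherwise enable them, since the lock can be released but presumably not created. Separately, `/*.tflock` lets every holder of this policy delete any lock file in the bucket, including one guarding a different state key. If the policy is meant to be per project, narrowing the resource to that project's key prefix would keep one writer from clearing another's lock.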