From d6f1a1b7365a281e4aeb484b054f168f63f9d33d Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 27 Aug 2025 15:50:09 -0400
Subject: [PATCH] add s3:DeleteObject for *.tflock to enable lockign in 1.9.x

---
 CHANGELOG.md | 1 +
 terraform-state/policy.tf | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41e49f0..1f9f629 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -420,3 +420,4 @@
 * 2.12.3 -- 2025-08-27
 - terraform-state
 - remove role creation for application_mode
+ - add s3:DeleteObject for *.tflock to enable lockign in 1.9.x
diff --git a/terraform-state/policy.tf b/terraform-state/policy.tf
index a66a1fd..dc1c30d 100644
--- a/terraform-state/policy.tf
+++ b/terraform-state/policy.tf
@@ -57,6 +57,19 @@ data "aws_iam_policy_document" "tfstate" {
 ]
 }
 
+ # https://developer.hashicorp.com/terraform/language/backend/s3
+
+ statement {
+ sid = "TFRemoteStateLocking"
+ effect = "Allow"
+ resources = ["${aws_s3_bucket.tfstate.arn}/*.tflock"]
+ actions = [
+ # "s3:GetObject",
+ # "s3:PutObject"
+ "s3:DeleteObject"
+ ]
+ }
+
 statement {
 sid = "TFRemoteStateDDB"
 effect = "Allow"
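Review bot: The two commented-out actions in the new `TFRemoteStateLocking` statement leave it unclear whether `s3:GetObject`/`s3:PutObject` on the `*.tflock` key are granted by another statement or were dropped by mistake; the S3 backend's `use_lockfile` mode writes the lock object and then deletes it, so all three actions must be allowed on that path for locking to work. The enclosing `data "aws_iam_policy_document" "tfstate"` block starts above this hunk and its earlier statement is not visible, so this is presumably already covered by a Get/Put grant on `${aws_s3_bucket.tfstate.arn}/*`; if so, replace the two commented lines with a comment such as `# GetObject/PutObject on the lock key are covered by the state-object statement above; only DeleteObject (lock release) is added here, and it is scoped to *.tflock so the state object itself stays non-deletable.` Otherwise uncomment them so the policy is self-contained. The bare URL comment on the first added line would also be more useful pointing at the S3 state-locking section of that page, e.g. `# S3 native locking (use_lockfile), Terraform >= 1.9 — see the "S3 State Locking" section of:`.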