Struggling to figure out why my GitHub Actions workflow, which is designed to run terraform plan on pull requests and terraform apply only on merges to the main branch, keeps failing with a state drift error. I am building a custom CLI tool using Typer to manage our Genesys Cloud org configurations via the CX as Code Terraform provider, and the CI/CD integration is the final piece. The workflow uses a remote backend for state storage, but when a PR is merged, the subsequent apply job detects that the state file has been modified by the plan job in a way that conflicts with the expected clean state. The error log shows a 409 Conflict when trying to lock the state, suggesting that the plan step is writing to the state file instead of just reading it, or perhaps the lock isn’t being released properly. I have verified that the TERRAFORM_STATE_LOCK environment variable is set correctly, but the issue persists. Here is the relevant snippet from my ci.yml file:
    - name: Terraform Plan
      run: terraform plan -out=tfplan -input=false
      env:
        GC_API_KEY: ${{ secrets.GC_API_KEY }}
        GC_API_SECRET: ${{ secrets.GC_API_SECRET }}
    - name: Terraform Apply
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      run: terraform apply -auto-approve tfplan
The plan step succeeds, but the apply step fails because the state file seems to be in an inconsistent state. I suspect the issue might be related to how the Terraform provider handles remote state locking in a CI environment, or perhaps I am missing a step to ensure the state is locked exclusively during the plan phase. I have tried adding terraform force-unlock before the apply step, but that feels like a hacky workaround. Is there a best practice for managing state locks in a multi-stage CI/CD pipeline for Genesys Cloud configurations? I want to ensure that the state file remains consistent and that the apply step can safely execute without encountering state drift or lock conflicts. Any insights on how to properly configure the Terraform backend and environment variables to prevent this issue would be greatly appreciated. I have been debugging this for hours and am starting to pull my hair out. The timezone difference with the support team is also making it difficult to get real-time assistance, so I am hoping someone here has faced a similar issue. Thank you in advance for your help.
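An added example of how the two stages can be laid out so that plan and apply never race each other for the backend lock and apply only ever consumes the plan that was reviewed. This is not the poster's ci.yml; it is a separate illustrative workflow. The secret names GC_API_KEY and GC_API_SECRET are taken from the question, while the concurrency group name, the `production` environment, the pinned Terraform version and the assumption that the backend is already configured in the Terraform code are all assumptions made here.

```yaml
name: terraform

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Serialise every run that touches this state file. A second run queues behind
# the first instead of contending for the backend lock, which is one way to get
# a 409 Conflict on lock acquisition in CI. Group name is assumed; use one
# group per state file.
concurrency:
  group: terraform-genesys-cloud
  cancel-in-progress: false

permissions:
  contents: read

env:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "0"
  # Secret names as in the question; how they reach the provider (provider
  # block, TF_VAR_* variables, ...) is assumed and not shown here.
  GC_API_KEY: ${{ secrets.GC_API_KEY }}
  GC_API_SECRET: ${{ secrets.GC_API_SECRET }}

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          # Assumed version; both jobs must use the same binary or the saved
          # plan will be rejected at apply time.
          terraform_version: "1.8.5"
      - run: terraform init -input=false
      # plan only reads state, but it still takes the lock while it refreshes.
      # -lock-timeout makes it wait for a lock held by another run instead of
      # failing immediately.
      - run: terraform plan -input=false -lock-timeout=120s -out=tfplan
      # The plan file can contain sensitive values, so keep it short-lived and
      # scoped to this commit.
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ github.sha }}
          path: tfplan
          retention-days: 1

  apply:
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Assumed environment name; a GitHub environment lets you require reviewers
    # before the apply job starts.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.8.5"
      - run: terraform init -input=false
      - uses: actions/download-artifact@v4
        with:
          name: tfplan-${{ github.sha }}
      # Applying a saved plan needs no -auto-approve: Terraform applies exactly
      # the reviewed changes and refuses if the state no longer matches the
      # plan's snapshot, which surfaces real drift rather than hiding it.
      - run: terraform apply -input=false -lock-timeout=120s tfplan
```

Two points this layout relies on: a saved plan file only exists on the runner that produced it, so a separate apply job has to fetch it as an artifact (otherwise apply either fails to find `tfplan` or, without the argument, silently replans); and `force-unlock` should stay a manual recovery step, because a lock that is still held usually means another run is mid-apply and removing it is how two writers corrupt the same state.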