How to fix Error: Failed to refresh state in Terraform

First, determine if an active state lock is blocking operations. Use:

terraform state list

If this command also fails with a lock error, you have a stale lock. List state locks in your backend:

For S3 backend with DynamoDB locking:

aws dynamodb scan --table-name terraform-lock

For Azure Blob Storage:
Log into the Azure Portal, navigate to the Storage Account and Blob Container containing your state, and check the blob's properties for an active lease.

If you confirm a stale lock, proceed to Step 3. If no lock exists, move to Step 2.

Ensure your backend credentials and connectivity are correct before attempting recovery.

For S3 backend:

aws s3 ls s3://your-bucket/path/to/terraform.tfstate

For Azure Blob Storage:

az storage blob exists --account-name youraccount --container-name yourcontainer --name terraform.tfstate

For Terraform Cloud:

curl -H "Authorization: Bearer $TFE_TOKEN" \
  https://app.terraform.io/api/v2/state-versions

If connectivity fails, verify:
- AWS credentials are set (check aws sts get-caller-identity)
- Azure credentials are set (az account show)
- Terraform Cloud API token is valid (echo $TFE_TOKEN)
- Network allows outbound HTTPS connections
- Backend configuration in Terraform code is correct

If Step 1 confirmed a stale lock and Step 2 confirmed backend connectivity, unlock the state:

terraform force-unlock <LOCK_ID>

Replace <LOCK_ID> with the lock ID from the state lock table (from Step 1).

For S3/DynamoDB:

# Get the lock ID from DynamoDB
LOCK_ID=$(aws dynamodb scan --table-name terraform-lock \
  --query 'Items[0].ID.S' --output text)

terraform force-unlock $LOCK_ID

For Azure:
In the Azure Portal, navigate to the blob properties and use the "Break lease" button to release the lock.

After unlocking, attempt the operation again:

terraform refresh

Once basic connectivity is restored, use refresh-only mode to identify what state differences exist without applying changes:

terraform plan -refresh-only

This command will:
- Attempt to fetch current state
- Compare with your Terraform code
- Show what has changed in your infrastructure
- NOT apply any changes

Review the output carefully. If resources appear as destroyed that shouldn't be, this indicates resources were deleted outside Terraform (see Step 5).

If the plan succeeds, apply the refresh to update your local state:

terraform apply -refresh-only

If refresh-only mode shows resources that no longer exist in the cloud (marked for removal), you have two options:

Option A: Remove them from state (if deletion was intentional):

terraform state rm 'aws_instance.example'

This removes the resource from Terraform's tracking without destroying it in the cloud.

Option B: Import the resource back (if it still exists but state is confused):

terraform import aws_instance.example i-1234567890abcdef0

Option C: Restore the resource in the cloud (if it was deleted but should exist):
Manually recreate the resource using the cloud provider's console or CLI, then:

terraform import <resource_type>.<name> <resource_id>

After state corrections, try the refresh again:

terraform refresh

If the issue is temporary (backend slowness, eventual consistency in S3), use the -lock-timeout flag to give Terraform more time:

terraform plan -lock-timeout=10m

For operations that consistently timeout, increase the timeout:

terraform apply -lock-timeout=20m

Wait 1-2 minutes if using S3 backend (S3 eventual consistency), then retry:

sleep 120
terraform plan

If problems persist after these steps, escalate to backend service support (HashiCorp Terraform Cloud, AWS, Azure, etc.) with the full error logs:

TF_LOG=DEBUG terraform plan 2>&1 | tee terraform-debug.log