feat(lib): add useLockfile to S3BackendConfig

[parthweprom]

Description

Terraform 1.10 (Dec 2024) deprecated the S3 backend's dynamodb_table argument
in favor of use_lockfile = true, which enables S3-native state locking via a
<key>.tflock object in the state bucket. S3BackendConfig was forked from
CDKTF before this feature existed, so the typed prop was missing — users had to
fall back to escape hatches to set it.

This PR adds an optional useLockfile?: boolean field to S3BackendConfig.
It's a pure pass-through to the rendered backend JSON (no validation,
no interaction with dynamodbTable), so users can combine or migrate at their
own pace. Defaults to false to preserve existing behavior.

Requires Terraform CLI ≥ 1.10 at apply time; documented in the JSDoc.

Checklist

• I have updated the PR title to match CDKTN's style guide
• I have run the linter on my code locally
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if applicable
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[so0k]

Given this is moving into past fork territory, we should consider using version validators such as

cdk-terrain/packages/cdktn/src/importable-resource.ts

Lines 26 to 32 in 178ea7f

	super(scope, name, config.terraformResourceType);
	this.node.addValidation(
	new ValidateTerraformVersion(
	">=1.5",
	`Import blocks are only supported for Terraform >=1.5. Please upgrade your Terraform version.`,
	),
	);

would require a conditional validation on the config object having this set in the constructor

https://github.com/parthweprom/cdk-terrain/blob/9c320b409b81eb71b54a7b264985e8dd5bc40ede/packages/cdktn/src/backends/s3-backend.ts#L17

[so0k]

confirmed support is in both OpenTofu and Terraform, both on version 1.10+

https://cani.tf/

we should probably maintain our own version of cani.tf in the code (work for another PR)

[jsteinich]

I agree that having a validation is good to add. I could definitely seeing increasing the minimum supported version in the near future, but not sure we would go all the way to 1.10 in the first jump.

[jsteinich]

I agree that having a validation is good to add. I could definitely seeing increasing the minimum supported version in the near future, but not sure we would go all the way to 1.10 in the first jump.

[jsteinich]

Probably worth a test with false as well.

[sakul-learning]

Created #237 as a base PR for Terraform/OpenTofu feature-version validation.

It adds:

• deterministic CLI product detection from the first line of plain version output (Terraform v... vs OpenTofu v...)
• ValidateTerraformFeatureVersion, which models feature -> terraform|opentofu -> semver constraint

This should let this PR depend on/reuse the validator instead of encoding the version/product detection in the S3 backend change itself. For useLockfile, the downstream validation would be:

new ValidateTerraformFeatureVersion("S3 native state locking", {
  terraform: ">=1.10.0",
  opentofu: ">=1.10.0",
});

If future features land in Terraform/OpenTofu at different versions, the same validator supports different constraints per CLI product.