Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Regression of S3 backend configuration partial configuration for version 1.10.0 #36198

Open
olahouze opened this issue Dec 11, 2024 · 4 comments
Labels
backend/s3 bug cli new new issue not yet triaged

Comments

@olahouze
Copy link

Terraform Version

1.10.0

Terraform Configuration Files

terraform {
  backend "s3" {
    # ...
  }
}

Debug Output

Error: Missing attribute separator

│ on -backend-config="assume_role={role_arn=arn:xxxxxx}" line 1:
│ (source code not available)

│ Expected a newline or comma to mark the beginning of the next attribute.

Expected Behavior

I use the “partial configuration” system in cli to supply parameters to my backend dynamically during terraform init.

This system only takes into account key/value pairs in cli mode (https://developer.hashicorp.com/terraform/language/backend#command-line-key-value-pairs)

Since the latest version of terraform, when I use an S3 as my backend, I have to specify the following parameters for assumes roles

terraform {
  backend "s3" {
  ...
    assume_role = {
          role_arn = “arn:xxxx”
        }
  }
}

The old way of working with only the “role_arn” field is no longer supported.

The cli backend configuration should be able to take in charge key/value pairs whose vlue is an object (in this case, a map).

Actual Behavior

I can therefore no longer dynamically provide the role to be used for my cli backend

Steps to Reproduce

terraform init --backend-config="key=xxx" -backend-config="assume_role={role_arn=arn:xxxx}"

Additional Context

No response

References

No response

@olahouze olahouze added bug new new issue not yet triaged labels Dec 11, 2024
@crw crw added the backend/s3 label Dec 11, 2024
@crw
Copy link
Contributor

crw commented Dec 11, 2024

Thanks for this report, I am assuming it has to do with the changes listed in the upgrade guide: https://developer.hashicorp.com/terraform/language/upgrade-guides#root-assume-role-attribute-removal

You may also want to upgrade to 1.10.2, as the two releases have had some important bug fixes, however, that should not impact this issue here.

@gdavison
Copy link
Contributor

Thanks for reporting this, @olahouze. This was a planned change to centralize all parameters for assuming a role under assume_role. Did you get any deprecation warnings when using just role_arn? If not, that's a bug with warnings being passed from state backends to the user.

Based on the error message you're getting in 1.10,

Expected a newline or comma to mark the beginning of the next attribute

there's a bug with handing object values passed on the command line.

@gdavison
Copy link
Contributor

As a temporary workaround, you might be able to do something like

terraform {
  backend "s3" {
  ...
    assume_role = {
          role_arn = var.assume_role_arn
        }
  }
}

variable "assume_role_arn" {
  type = string
}

If you only assume a role in some cases, you could do something like

terraform {
  backend "s3" {
  ...
  dynamic "assume_role" {
    for_each = var.assume_role_arn[*]
    content {
      role_arn = assume_role.value
    }
  }
}

variable "assume_role_arn" {
  type     = string
  nullable = true
}

@gdavison gdavison added the cli label Dec 12, 2024
@jhourque
Copy link

jhourque commented Jan 3, 2025

Hi @gdavison, thanks for your help.
I had the same issue but your temporary workaround can't be used if backend is set through command line.

Hopefully, @olahouze was not far from the solution.
This command line works well for me with version 1.10.3:
terraform init --backend-config="key=xxx" -backend-config="assume_role={role_arn="arn:xxxx"}"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backend/s3 bug cli new new issue not yet triaged
Projects
None yet
Development

No branches or pull requests

4 participants