feat: ✨ Add support for assume-role block in S3 backend for Terraform

[erikpaasonen]

Proposed changes

Adds support for the assume_role = {} block that is the current syntax for assuming a role for an S3 backend in Terraform.

Issues for these changes

#73

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (changes to code, which do not change application behavior)

Checklist

• I have filled out this PR template
• I have read the CONTRIBUTING doc
• I have added automated tests that prove my fix is effective or that my feature works
• I have added necessary documentation (README.md, CHANGELOG.md, etc. - if appropriate)

Dependencies and Blockers

Relevant Links

Further comments

Note: this will break compatibility with Terraform v1.1 and below. (The assume-role block was added in v1.2.) For reference, the current version of Terraform is 1.9.

[CLAassistant]

All committers have signed the CLA.

[erikpaasonen]

All tests passing locally for me.

[mmraz]

Dead assignment to roleArn as it's local scope ends at the close of line 374. We always want the interpolated value anyhow.

Suggested change

	if interpolatedRoleArn != roleArn {
	roleArn = interpolatedRoleArn
	b["assume_role"] = fmt.Sprintf("{\"role_arn\"=\"%s\"}", roleArn)
	}
	if interpolatedRoleArn != roleArn {
	b["assume_role"] = fmt.Sprintf("{\"role_arn\"=\"%s\"}", interpolatedRoleArn)
	}

[erikpaasonen]

if this suggestion is taken, then line 373 will log the wrong i.e. non-interpolated value. the suggestion is the way I originally coded it.

line 370 is what preserves the correct value outside the local scope, and that is being set correctly. so this is really just semantics of how to also log the chosen value (since we want the log entry regardless of the if condition on line 369).

[mmraz]

Dead assignment of bucket. Scope ends at line 387.

Suggested change

bucket = interpolatedBucket

[erikpaasonen]

ditto previous comment; the var bucket is logged before the local scope ends.

[mmraz]

Dead assignment of bucket. Scope ends at line 400.

Suggested change

bucket = interpolatedBucket

[erikpaasonen]

ditto previous comment; the var bucket is logged before the local scope ends.

[mmraz]

Dead assignment of prefix. Scope ends at line 413

Suggested change

prefix = interpolatedPrefix

[erikpaasonen]

ditto previous comment; the var prefix is logged before the local scope ends.

[mmraz]

This test is passing, but only because the paramater happens to have the same name for its key at both the deprecated depth and the newer, nested depth. The mock backend uses the deprecated syntax but never tests the newer syntax. It also appears that the parser is not extracting the role arn value from a specific depth during initial ingestion. The regex catches and parses both cases of a role_arn value at

runiac/plugins/terraform/terraform.go

Lines 113 to 119 in 2a60147

	// RoleArn
	rRegex, _ := regexp.Compile(`role_arn\s*=\s*"(.+)"`)
	roleMatch := rRegex.FindStringSubmatch(s)
	if len(roleMatch) > 0 {
	backend.S3RoleArn = roleMatch[1]
	}

I would suggest mocking both the deprecated syntax and the newer assume_role block as separate tests to validate behavior when encountering either one. This is also more likely to catch regressions for either case if they diverge in the future.

[mmraz]

The mock input is only using the deprecated syntax without interpolation. It does not validate the newer backend.assume_role.role_arn syntax.