terraform-provider-aws
[Bug]: backend configuration argument "role_arn" given on the command line is not expected for the selected backend type.
Terraform Core Version
1.10
AWS Provider Version
5.0
Affected Resource(s)
Running a Terraform init for a s3 backend using assumed roles.
terraform init -backend-config=bucket=mybucket -backend-config=key=mykey.tfstate -backend-config=dynamodb_table=terraform-locks -backend-config=role_arn=arn:aws:iam::XXX:role/terraform-gh-permissions-manager-XXX-state-role -backend-config=region=us-east-1 -no-color -input=false
Expected Behavior
The Terraform init command works and uses the assumed role specified by the -backend-config=role_arn argument.
Actual Behavior
```
Error: Invalid backend configuration argument
The backend configuration argument "role_arn" given on the command line is not expected for the selected backend type.
```
Relevant Error/Panic Output Snippet
```
Error: Invalid backend configuration argument
The backend configuration argument "role_arn" given on the command line is
not expected for the selected backend type.
```
Terraform Configuration Files
```hcl
terraform {
  backend "s3" {}

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
```
Steps to Reproduce
Using Terraform 1.10:
terraform init -backend-config=bucket=mybucket -backend-config=key=mykey.tfstate -backend-config=dynamodb_table=terraform-locks -backend-config=role_arn=arn:aws:iam::XXX:role/terraform-gh-permissions-manager-XXX-state-role -backend-config=region=us-east-1 -no-color -input=false
Debug Output
```
2024-12-02T23:12:30.770Z [INFO] Terraform version: 1.10.0
2024-12-02T23:12:30.770Z [DEBUG] using github.com/hashicorp/go-tfe v1.70.0
2024-12-02T23:12:30.770Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.23.0
2024-12-02T23:12:30.770Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2024-12-02T23:12:30.770Z [DEBUG] using github.com/zclconf/go-cty v1.15.1-0.20241111215639-63279be090d7
2024-12-02T23:12:30.770Z [INFO] Go runtime version: go1.23.3
2024-12-02T23:12:30.770Z [INFO] CLI args: []string{"terraform", "init", "-backend-config=bucket=my-bucket", "-backend-config=key=AWS_ACCOUNT/github-aws-permissions-manager/crm-infra.tfstate", "-backend-config=dynamodb_table=terraform-locks", "-backend-config=role_arn=arn:aws:iam::XXX:role/terraform-gh-permissions-manager-AWS_ACCOUNT-state-role", "-backend-config=region=us-east-1", "-no-color", "-input=false"}
2024-12-02T23:12:30.770Z [DEBUG] Attempting to open CLI config file: /home/runner/.terraformrc
2024-12-02T23:12:30.770Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2024-12-02T23:12:30.770Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2024-12-02T23:12:30.770Z [DEBUG] ignoring non-existing provider search directory /home/runner/.terraform.d/plugins
2024-12-02T23:12:30.770Z [DEBUG] ignoring non-existing provider search directory /home/runner/.local/share/terraform/plugins
2024-12-02T23:12:30.770Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2024-12-02T23:12:30.770Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2024-12-02T23:12:30.771Z [INFO] CLI command args: []string{"init", "-backend-config=bucket=my-bucket", "-backend-config=key=AWS_ACCOUNT/github-aws-permissions-manager/crm-infra.tfstate", "-backend-config=dynamodb_table=terraform-locks", "-backend-config=role_arn=arn:aws:iam::XXX:role/terraform-gh-permissions-manager-AWS_ACCOUNT-state-role", "-backend-config=region=us-east-1", "-no-color", "-input=false"}
```
We've had the same error
╷
│ Error: Invalid backend configuration argument
│
│ The backend configuration argument "role_arn" given on the command line is
│ not expected for the selected backend type.
╵
I have a workaround where I am forcing the use of the 1.9.8 version of Terraform and not going to the latest (currently 1.10).
Terraform 1.10.0 deprecated some assume role attributes and now requires the assume_role block. Reference: https://github.com/hashicorp/terraform/pull/35721
Yes I saw that. However there is no guidance or documentation as to how to accomplish this now.
Found an article on what the correct syntax is: https://github.com/hashicorp/terraform/issues/27579#issuecomment-1781090234
In short I changed:
```
-backend-config="role_arn=${REMOTE_ROLE}"
```
to:
```
-backend-config="assume_role={role_arn=\"${REMOTE_ROLE}\"}"
```
and I was able to do a terraform init with versions 1.9.8 and 1.10.1
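The flag change described in the comment above, as an added example that is not part of the original thread: a POSIX shell helper that rewrites legacy `-backend-config=role_arn=...` arguments into the `assume_role` object form and rejects values that could break out of the quoted HCL string. The function name, the sample ARN, and the handling of `session_name` and `external_id` (which goes beyond the `role_arn` case shown in the thread and assumes the comma-separated HCL object syntax) are assumptions of this example.

```shell
#!/bin/sh
# Added example: migrate legacy S3 backend assume-role flags to the
# assume_role object form. Prints the rewritten arguments, one per line.
migrate_backend_args() {
  local arg kv key val out body nl
  out=""
  body=""
  nl='
'
  for arg in "$@"; do
    case "$arg" in
      -backend-config=role_arn=*|-backend-config=session_name=*|-backend-config=external_id=*)
        kv=${arg#-backend-config=}   # e.g. role_arn=arn:aws:iam::...
        key=${kv%%=*}
        val=${kv#*=}
        # The value is embedded in an HCL string literal: refuse quotes,
        # backslashes and template sequences so it cannot add extra keys.
        case "$val" in
          *\"*|*\\*|*'${'*|*'%{'*)
            echo "unsafe value for $key" >&2
            return 1
            ;;
        esac
        body="${body:+$body,}$key=\"$val\""
        ;;
      *)
        # Every other argument passes through unchanged.
        out="${out}${arg}${nl}"
        ;;
    esac
  done
  if [ -n "$body" ]; then
    out="${out}-backend-config=assume_role={${body}}${nl}"
  fi
  printf '%s' "$out"
}

# Constructed sample input (placeholder account ID and role name).
migrate_backend_args \
  -backend-config=bucket=mybucket \
  -backend-config=role_arn=arn:aws:iam::111122223333:role/example-state-role \
  -backend-config=region=us-east-1
```

Each output line is one argument for `terraform init`; read them back with a line-based loop rather than unquoted word splitting so the embedded quotes survive.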
Hi all 👋 Thank you for taking the time to raise this and for the additional discussion. Issues with the S3 backend should be reported to the Terraform Core repository, as backends are handled by Terraform itself, rather than via providers such as the AWS Provider. With that in mind, and since it looks like the correct answer has already been mentioned, I'm going to close this issue.