terraform icon indicating copy to clipboard operation
terraform copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Backend s3 new `assume_role` argument change, `role_arn` was previously not required

Open tonglil opened this issue 9 months ago • 1 comments

Terraform Version

1.8.3

Affected Pages

https://developer.hashicorp.com/terraform/language/settings/backends/s3#assume-role-configuration

What is the docs issue?

role_arn use to be optional, but is now made required when updating to the new nested syntax.

role_arn - (Required) Amazon Resource Name (ARN) of the IAM Role to assume.

role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume. Use assume_role.role_arn instead.

Why is this so, when it use to be possible to just specify session_name? How do I migrate from the deprecated parameter without knowing the role_arn to specify?

session_name - (Optional) Session name to use when assuming the role. Use assume_role.session_name instead.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
╷
│ Warning: Deprecated Parameters
│ 
│   with data.terraform_remote_state.baseline,
│   on backend.tf line 13, in data "terraform_remote_state" "baseline":
│   13: data "terraform_remote_state" "baseline" {
│ 
│ The following parameters have been deprecated. Replace them as follows:
│   * session_name -> assume_role.session_name
│ 
│ 
│ (and 2 more similar warnings elsewhere)

Proposal

Allow role_arn to be optional in the nested argument format.

References

  • https://github.com/hashicorp/terraform/issues/33994
  • https://github.com/hashicorp/terraform/issues/30495
  • Change made in https://github.com/hashicorp/terraform/pull/33625/files

tonglil avatar May 09 '24 03:05 tonglil

Thanks for this request!

crw avatar May 09 '24 16:05 crw

Hi @tonglil

I'm not clear, but it sounds from your description like you had session_name set but did not have role_arn set, is that correct? If you're not assuming a role, session_name is ignored. If you are assuming a role, the role_arn is required.

If that is the case, you should remove session_name from your backend configuration.

If not, can you please share your existing backend configuration?

gdavison avatar Jul 12 '24 20:07 gdavison

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Jan 03 '25 02:01 github-actions[bot]