hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Backend s3 new `assume_role` argument change, `role_arn` was previously not required #35142

Open tonglil opened 2 months ago

tonglil commented 2 months ago

Terraform Version

1.8.3

Affected Pages

https://developer.hashicorp.com/terraform/language/settings/backends/s3#assume-role-configuration

What is the docs issue?

role_arn used to be optional, but is now made required when updating to the new nested syntax.

role_arn - (Required) Amazon Resource Name (ARN) of the IAM Role to assume.

role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume. Use assume_role.role_arn instead.

Why is this so, when it used to be possible to just specify session_name? How do I migrate from the deprecated parameter without knowing the role_arn to specify?

session_name - (Optional) Session name to use when assuming the role. Use assume_role.session_name instead.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
╷
│ Warning: Deprecated Parameters
│ 
│   with data.terraform_remote_state.baseline,
│   on backend.tf line 13, in data "terraform_remote_state" "baseline":
│   13: data "terraform_remote_state" "baseline" {
│ 
│ The following parameters have been deprecated. Replace them as follows:
│   * session_name -> assume_role.session_name
│ 
│ 
│ (and 2 more similar warnings elsewhere)

Proposal

Allow role_arn to be optional in the nested argument format.

References

crw commented 2 months ago

Thanks for this request!

gdavison commented 1 week ago

Hi @tonglil

I'm not clear, but it sounds from your description like you had session_name set but did not have role_arn set, is that correct? If you're not assuming a role, session_name is ignored. If you are assuming a role, the role_arn is required.

If that is the case, you should remove session_name from your backend configuration.

If not, can you please share your existing backend configuration?
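The two migration paths described in the reply above, shown against the `terraform_remote_state` data source from the warning. This is an added example, not configuration posted in the thread; the bucket, key, region, role ARN, and the data source names `baseline_no_role` and `baseline_with_role` are constructed placeholders.

```hcl
# Before: deprecated top-level session_name with no role_arn.
# Per the reply above, no role is assumed here, so session_name is ignored;
# it only produces the "Deprecated Parameters" warning.
data "terraform_remote_state" "baseline" {
  backend = "s3"
  config = {
    bucket       = "example-state-bucket"       # placeholder
    key          = "baseline/terraform.tfstate" # placeholder
    region       = "us-east-1"                  # placeholder
    session_name = "terraform"
  }
}

# After, option 1: no role is assumed, so drop session_name entirely.
# State is read with the caller's own credentials, exactly as before.
data "terraform_remote_state" "baseline_no_role" {
  backend = "s3"
  config = {
    bucket = "example-state-bucket"
    key    = "baseline/terraform.tfstate"
    region = "us-east-1"
  }
}

# After, option 2: a role is assumed, so use the nested assume_role
# argument. role_arn is required inside it; session_name stays optional.
data "terraform_remote_state" "baseline_with_role" {
  backend = "s3"
  config = {
    bucket = "example-state-bucket"
    key    = "baseline/terraform.tfstate"
    region = "us-east-1"
    assume_role = {
      # Placeholder ARN; substitute the role that grants read access
      # to the state bucket.
      role_arn     = "arn:aws:iam::111111111111:role/EXAMPLE-STATE-READER"
      session_name = "terraform"
    }
  }
}
```

In a `backend "s3"` block the same nested argument is written as a block (`assume_role { ... }`) rather than as an attribute of `config`.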