
role_arn breaking changes #515

Open
pkoneru7 opened this issue Dec 20, 2024 · 6 comments
Labels
bug Something isn't working pending investigation Issue needs further investigation

Comments

@pkoneru7

role_arn in the s3 backend configuration is causing failed runs with Terraform Validate & Plan

```text
Error: Unsupported argument

  on backend.tf line 13, in terraform:
  13: role_arn = "arn:aws:iam::***:role/AFTrole"

An argument named "role_arn" is not expected here.

Error: Process completed with exit code 1.
```

@pkoneru7 pkoneru7 added bug Something isn't working pending investigation Issue needs further investigation labels Dec 20, 2024
@micbegin

micbegin commented Jan 6, 2025

This issue specifically affects Terraform versions 1.10 and higher when used with AFT. To prevent the ct-aft-account-request pipeline from breaking, update the role_arn argument in the backend.jinja file of the aft-account-request repository.

To implement the solution replace the existing configuration with the following:

```hcl
backend "s3" {
  region         = "{{ region }}"
  bucket         = "{{ bucket }}"
  key            = "{{ key }}"
  dynamodb_table = "{{ dynamodb_table }}"
  encrypt        = "true"
  kms_key_id     = "{{ kms_key_id }}"
  assume_role = {
    role_arn = "{{ aft_admin_role_arn }}"
  }
}
```

The backend.jinja files in version 1.13.3 of the repository lack code to prevent an unspecified issue during clean installations using Terraform 1.10. Additionally, the README file and the Control Tower documentation do not mention requirements for upgrading existing installations to Terraform 1.10. The affected files are:

@pkoneru7
Author

pkoneru7 commented Jan 7, 2025

Terraform v1.5.2
AFT v1.6.4

@micbegin Thank you for the suggestion. We already updated the role_arn argument in the backend.jinja file.

However, the aft-providers.jinja file has role_arn defined in a block as follows:

```hcl
provider "aws" {
  region = "{{ provider_region }}"
  assume_role {
    role_arn = "{{ role_arn }}"
  }
  default_tags {
    tags = {
      managed_by = "AFT"
    }
  }
}
```

CodePipeline is throwing an error, as the usage of the argument is not consistent with the assume_role block in the "aws" provider:

```text
Error: Unsupported argument

  on backend.tf line 7, in terraform:
   7:     assume_role = {

An argument named "assume_role" is not expected here.
```

@micbegin

micbegin commented Jan 7, 2025

```hcl
assume_role = {
  role_arn = "{{ aft_admin_role_arn }}"
}
```

The error you shared shows the file backend.tf that is generated from the backend.jinja template, not the aft-providers.jinja template. Could you please share the contents of your backend.jinja file?

@pkoneru7
Author

pkoneru7 commented Jan 7, 2025

backend.jinja file in aft-account-request:

```jinja
## Auto generated backend.tf ##
## Updated on: {{ timestamp }} ##

{% if tf_distribution_type == "oss" -%}
terraform {
  required_version = ">= 0.15.1"
  backend "s3" {
    assume_role = {
      role_arn = "{{ aft_admin_role_arn }}"
    }
    region         = "{{ region }}"
    bucket         = "{{ bucket }}"
    key            = "{{ key }}"
    dynamodb_table = "{{ dynamodb_table }}"
    encrypt        = "true"
    kms_key_id     = "{{ kms_key_id }}"
  }
}
{% else -%}
terraform {
  backend "remote" {
    organization = "{{ terraform_org_name }}"
    workspaces {
      name = "{{ terraform_workspace_name }}"
    }
  }
}
{% endif %}
```

After adding the assume_role block, the terraform validate check runs fine at the workflow level. But this error shows up in the ct-aft-account-request CodeBuild for the AFT Management Prod account.

We only made this change in aft-account-request.

@micbegin

micbegin commented Jan 7, 2025

A version mismatch between Terraform installations likely causes your issue. You reported using Terraform v1.5.2 in #515 (comment). This version may differ from the one used during the validate phase.
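
A preflight check for the rendered backend.tf, added here as an illustration (not AFT or HashiCorp code), that covers both the fix above and the version-mismatch diagnosis: it reports which form of role assumption the backend "s3" block uses and whether a given Terraform version will accept it, per pipeline stage. The 1.10 cutoff for the legacy role_arn comes from this thread; the assumption that the assume_role block first appeared in Terraform 1.6 is mine, and the sample backend.tf contents are constructed.

```python
import re

S3_ASSUME_ROLE_MIN = (1, 6)        # ASSUMPTION: assume_role block added to the s3 backend in Terraform 1.6
LEGACY_ROLE_ARN_REMOVED = (1, 10)  # from the thread: top-level role_arn is rejected on 1.10+

# Constructed samples: the old template output and the output of the fixed template.
LEGACY_BACKEND = '''terraform {
  backend "s3" {
    region = "us-east-1"
    bucket = "aft-backend-***"
    key    = "ct-aft-account-request.tfstate"
    role_arn = "arn:aws:iam::***:role/AFTrole"
  }
}'''
ASSUME_ROLE_BACKEND = LEGACY_BACKEND.replace(
    'role_arn = "arn:aws:iam::***:role/AFTrole"',
    'assume_role = {\n      role_arn = "arn:aws:iam::***:role/AFTrole"\n    }')


def _block_body(text: str, opener: str) -> tuple:
    """(inside, rest) for the first block whose header matches regex `opener`; ('', text) if absent.
    Brace counting is enough for generated backend.tf files; this is not a full HCL parser."""
    m = re.search(opener, text)
    if not m:
        return "", text
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1], text[:m.start()] + text[i:]


def backend_style(hcl: str) -> dict:
    """Does backend "s3" use the legacy top-level role_arn, the nested assume_role block, or neither?"""
    body, _ = _block_body(hcl, r'backend\s+"s3"\s*\{')
    assume_body, remainder = _block_body(body, r'assume_role\s*=\s*\{')
    role_arn = re.compile(r'^\s*role_arn\s*=', re.M)
    return {"legacy_role_arn": role_arn.search(remainder) is not None,
            "assume_role_block": role_arn.search(assume_body) is not None}


def check_against(hcl: str, tf_version: str) -> list:
    """Errors that terraform init/validate would raise for this backend.tf on tf_version."""
    major, minor = tf_version.lstrip("v").split(".")[:2]
    ver, style, errs = (int(major), int(minor)), backend_style(hcl), []
    if style["legacy_role_arn"] and ver >= LEGACY_ROLE_ARN_REMOVED:
        errs.append(f'Terraform {tf_version}: An argument named "role_arn" is not expected here.')
    if style["assume_role_block"] and ver < S3_ASSUME_ROLE_MIN:
        errs.append(f'Terraform {tf_version}: An argument named "assume_role" is not expected here.')
    if not (style["legacy_role_arn"] or style["assume_role_block"]):
        errs.append('backend "s3" has no role_arn: the state backend will not assume the AFT admin role')
    return errs


def check_pipeline(hcl: str, stage_versions: dict) -> dict:
    """Run the check once per stage (e.g. workflow validate vs CodeBuild) to expose a version mismatch."""
    return {stage: check_against(hcl, v) for stage, v in stage_versions.items()}
```

Running `check_pipeline(ASSUME_ROLE_BACKEND, {"workflow": "1.10.3", "codebuild": "1.5.2"})` reproduces the situation in this thread: the workflow stage passes while the CodeBuild stage rejects `assume_role`.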

@pkoneru7
Author

pkoneru7 commented Jan 8, 2025

Thanks for checking on this. Will look into the version part.
