Terraform 1.6.0 - Backend s3 new assume_role argument example is incorrect

[xfournet]

Terraform Version

Terraform v1.6.0
on windows_amd64

Affected Pages

https://developer.hashicorp.com/terraform/language/settings/backends/s3

What is the docs issue?

The example

terraform {
  backend "s3" {
    bucket = "terraform-state-prod"
    key    = "network/terraform.tfstate"
    region = "us-east-1"
    assume_role {
      role_arn = "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/Terraform"
    }
  }
}

doesn't work:

> terraform init
Initializing the backend...

│ Error: Unsupported block type
│
│   on test.tf line 71, in terraform:
│   71:     assume_role {
│
│ Blocks of type "assume_role" are not expected here. Did you mean to define argument "assume_role"? If so, use the equals sign to assign it a value.

Proposal

assume_role is implemented as an argument (it is also described as an argument in the documentation), not a block, so the example must be changed to add an = after assume_role

terraform {
  backend "s3" {
    bucket = "terraform-state-prod"
    key    = "network/terraform.tfstate"
    region = "us-east-1"
    assume_role = {
      role_arn = "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/Terraform"
    }
  }
}

References

See #30495

Note that the choice to use an argument instead a block is not consistent with the aws provider which use a block for assume_role. So it can be really confusing while the objective of #30495 was to avoid discrepancy between the aws provider and the s3 backend.
Even in #30495 description, the intention was to add assume_role as a block, not an argument.

In the light of theses elements i wonder if the implementation with an argument is volunteer or a mistake ?

[xfournet]

Ref also #33630

[DownWithThisSortOfThing]

I can confirm that this is also happen on apple m1 arm/64 too so don't think it's limited to just windows....

I have the same issue with the same steps to reproduce as above.

[kneufeld-pbp]

@gdavison A pipeline will most likely use assume_role, although, in local development, this tends to be less so; does this mean we now have to comment out the assume_role block during local development, or can this block be dynamic?

[jar-b]

Hi @xfournet - thanks for reporting this! I've updated the documentation in #34047 and we'll backport the change to 1.6.

To provide more context on why these are attributes instead of blocks:

With the Terraform protocol v6, the preferred representation of single objects is as an attribute. The AWS provider continues to support older versions of Terraform, and to do so requires supporting v5 of the Terraform protocol, where single objects are represented as blocks (specifically as a list with a maximum of 1 item). While the discrepancy is not ideal, representing this new backend argument as an attribute follows latest standards and leaves room for us to eventually make a similar change in the AWS provider argument once support for the v5 protocol is no longer a hard requirement.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.