chore: Add docs and fix testdata

config/v2/resolvers.go

@@ -810,20 +810,36 @@ func resolveGenericProvider(
 	if p.Enabled != nil {
 		enabled = *p.Enabled
 	}
+	// special assume role config block handling
+	assumeRoleBlock := make(map[string]string)
+	setAssumeRoleBlock := false
 	for key, value := range p.Config {
 		if value == nil {
 			delete(config, key)
 		} else {
-			// specially for AWS associate assume role
-			if key == "assume_role" {
-				tmp := fmt.Sprintf("arn:aws:iam::%s:role/%s", *awsConfig.AccountID, value)
-				config["assume_role"] = map[string]string{"role_arn": tmp}
-				config["region"] = *awsConfig.Region
-			} else {
+			switch key {
+			case "assume_role":
+				setAssumeRoleBlock = true
+				// build assume_role_block
+				// ref: https://registry.terraform.io/providers/hashicorp/awscc/latest/docs#assume-role
+				// ValidateAWSProvider should ensure AccountID is not nil
+				assumeRoleBlock["role_arn"] = fmt.Sprintf("arn:aws:iam::%s:role/%s", *awsConfig.AccountID, value)
+			// TODO: is it ok that these are ignored unless `assume_role` key is defined?
+			case "session_name":
+				fallthrough
+			case "external_id":
+				assumeRoleBlock[key] = value.(string)
+			default:
 				config[key] = value
 			}
 		}
 	}
+	if setAssumeRoleBlock {
+		// inherit resolved awsConfig region and accountID
+		// TODO: handle additionalRegions/additionalProvider configuration?
+		config["region"] = *awsConfig.Region
+		config["assume_role"] = assumeRoleBlock
+	}
 	return source, customProvider, version, enabled
 }
 

testdata/generic_providers_yaml/fogg.yml

@@ -48,7 +48,8 @@ envs:
         custom_provider: false
         config:
           baz_token: prod_token_arn
-          aws_assume_role: "TerraformExecutionRole"
+          assume_role: "TerraformExecutionRole"
+          session_name: "foo"
     components:
       network: {}
   stg: