From 3789e2908cb22178227c1ef3ae7424df06c41eb7 Mon Sep 17 00:00:00 2001
From: Vincent De Smet
Date: Tue, 21 May 2024 12:41:02 +0700
Subject: [PATCH] chore: Add docs and fix testdata

---
 config/v2/resolvers.go | 28 +++++++++++++++----
 testdata/generic_providers_yaml/fogg.yml | 3 +-
 .../terraform/envs/prd/network/fogg.tf | 8 ++++--
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/config/v2/resolvers.go b/config/v2/resolvers.go
index ec40dacc0..a241da8a3 100644
--- a/config/v2/resolvers.go
+++ b/config/v2/resolvers.go
@@ -810,20 +810,36 @@ func resolveGenericProvider(
 	if p.Enabled != nil {
 		enabled = *p.Enabled
 	}
+	// special assume role config block handling
+	assumeRoleBlock := make(map[string]string)
+	setAssumeRoleBlock := false
 	for key, value := range p.Config {
 		if value == nil {
 			delete(config, key)
 		} else {
-			// specially for AWS associate assume role
-			if key == "assume_role" {
-				tmp := fmt.Sprintf("arn:aws:iam::%s:role/%s", *awsConfig.AccountID, value)
-				config["assume_role"] = map[string]string{"role_arn": tmp}
-				config["region"] = *awsConfig.Region
-			} else {
+			switch key {
+			case "assume_role":
+				setAssumeRoleBlock = true
+				// build assume_role_block
+				// ref: https://registry.terraform.io/providers/hashicorp/awscc/latest/docs#assume-role
+				// ValidateAWSProvider should ensure AccountID is not nil
+				assumeRoleBlock["role_arn"] = fmt.Sprintf("arn:aws:iam::%s:role/%s", *awsConfig.AccountID, value)
+				// TODO: is it ok that these are ignored unless `assume_role` key is defined?
+			case "session_name":
+				fallthrough
+			case "external_id":
+				assumeRoleBlock[key] = value.(string)
+			default:
 				config[key] = value
 			}
 		}
 	}
+	if setAssumeRoleBlock {
+		// inherit resolved awsConfig region and accountID
+		// TODO: handle additionalRegions/additionalProvider configuration?
+		config["region"] = *awsConfig.Region
+		config["assume_role"] = assumeRoleBlock
+	}
 	return source, customProvider, version, enabled
 }
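Review bot: The `assumeRoleBlock[key] = value.(string)` line under `case "external_id":` panics on any non-string YAML scalar — `external_id: 1234` or `session_name: true` decode as int/bool, the loop runs over user-supplied `p.Config`, and the function has no error return to fall back on. Use the two-value form or format the value, e.g. `case "session_name", "external_id":` / `assumeRoleBlock[key] = fmt.Sprint(value)` (which also drops the `fallthrough`), and reject non-string values up front in the validation step the `ValidateAWSProvider` comment refers to. The existing TODO deserves resolving in that same step: when `session_name` or `external_id` is given without `assume_role`, the keys are consumed from `p.Config` and silently dropped from the rendered provider block, so at minimum a warning or validation error is needed. The `role_arn` format string also hard-codes the `aws` partition, so accounts in `aws-us-gov` or `aws-cn` would get an ARN the provider rejects; deriving the partition from the resolved AWS config, if it is available there, would close that gap. `resolveGenericProvider` begins outside this hunk; only its tail is shown.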
diff --git a/testdata/generic_providers_yaml/fogg.yml b/testdata/generic_providers_yaml/fogg.yml
index 3a61ded2b..230b3f1c9 100644
--- a/testdata/generic_providers_yaml/fogg.yml
+++ b/testdata/generic_providers_yaml/fogg.yml
@@ -48,7 +48,8 @@ envs:
         custom_provider: false
         config:
           baz_token: prod_token_arn
-          aws_assume_role: "TerraformExecutionRole"
+          assume_role: "TerraformExecutionRole"
+          session_name: "foo"
     components:
       network: {}
   stg:
diff --git a/testdata/generic_providers_yaml/terraform/envs/prd/network/fogg.tf b/testdata/generic_providers_yaml/terraform/envs/prd/network/fogg.tf
index 578d3e395..5bfd87200 100644
--- a/testdata/generic_providers_yaml/terraform/envs/prd/network/fogg.tf
+++ b/testdata/generic_providers_yaml/terraform/envs/prd/network/fogg.tf
@@ -20,8 +20,12 @@ provider "sops" {}
 provider "bar" {
 }
 provider "baz" {
-  aws_assume_role = "TerraformExecutionRole"
-  baz_token = "prod_token_arn"
+  assume_role = {
+    role_arn = "arn:aws:iam::0000000000000000:role/TerraformExecutionRole"
+    session_name = "foo"
+  }
+  baz_token = "prod_token_arn"
+  region = "ap-southeast-1"
 }
 provider "foo" {
   foo_host = "prod"
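Review bot: The fixture only exercises the new `session_name` key, so the `external_id` case added in resolvers.go has no test coverage and a regression there (including the unchecked string assertion it shares with `session_name`) would not be caught. Adding `external_id: "bar"` under `config:` next to `session_name: "foo"`, and the matching `external_id = "bar"` line inside the generated `assume_role` block in `terraform/envs/prd/network/fogg.tf`, would cover both branches. The `role_arn` in the expected output also carries a 16-digit account ID (`0000000000000000`); real AWS account IDs are 12 digits, so if validation of the account ID is ever tightened this fixture breaks first — worth switching to a 12-digit placeholder while the file is being touched.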