From ca8c26dcfde5f6d048e4b8a0ffeb3889f96e3484 Mon Sep 17 00:00:00 2001 From: Graham Davison Date: Thu, 14 Sep 2023 12:14:09 -0700 Subject: [PATCH 1/3] Adds `source_identity` to `assume_role` biock --- internal/backend/remote-state/s3/backend.go | 28 +++++++---- .../remote-state/s3/backend_complete_test.go | 50 ++++++------------- .../backend/remote-state/s3/backend_test.go | 8 ++- 3 files changed, 41 insertions(+), 45 deletions(-) diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go index 15e25cd2e8..d826dbaf1b 100644 --- a/internal/backend/remote-state/s3/backend.go +++ b/internal/backend/remote-state/s3/backend.go @@ -417,15 +417,22 @@ var assumeRoleSchema = singleNestedAttribute{ }, }, - // NOT SUPPORTED by `aws-sdk-go-base/v1` - // "source_identity": stringAttribute{ - // configschema.Attribute{ - // Type: cty.String, - // Optional: true, - // Description: "Source identity specified by the principal assuming the role.", - // ValidateFunc: validAssumeRoleSourceIdentity, - // }, - // }, + "source_identity": stringAttribute{ + configschema.Attribute{ + Type: cty.String, + Optional: true, + Description: "Source identity specified by the principal assuming the role.", + }, + validateString{ + Validators: []stringValidator{ + validateStringLenBetween(2, 64), + validateStringMatches( + regexp.MustCompile(`^[\w+=,.@\-]*$`), + `Value can only contain letters, numbers, or the following characters: =,.@-`, + ), + }, + }, + }, "tags": mapAttribute{ configschema.Attribute{ @@ -1077,6 +1084,9 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics { if val, ok := stringAttrOk(assumeRole, "session_name"); ok { ar.SessionName = val } + if val, ok := stringAttrOk(assumeRole, "source_identity"); ok { + ar.SourceIdentity = val + } if val, ok := stringMapAttrOk(assumeRole, "tags"); ok { ar.Tags = val } 
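Review bot: The new `source_identity` attribute is accepted with only a one-line description, which hides the part a practitioner actually trips over: as I understand the STS contract, the role's trust policy must grant `sts:SetSourceIdentity` to the calling principal or AssumeRole fails, and once set the value is recorded in CloudTrail as `sourceIdentity` and persists through any later role chaining without being overridable. Since operators will use this field to make state-backend access attributable, that is worth saying in the schema text rather than leaving users to discover it from an AccessDenied. I would change the Description to `"Source identity specified by the principal assuming the role. Requires sts:SetSourceIdentity in the role's trust policy; the value is recorded in CloudTrail and persists across role chaining."`. The `assumeRoleSchema` declaration this hunk edits starts before the hunk.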
diff --git a/internal/backend/remote-state/s3/backend_complete_test.go b/internal/backend/remote-state/s3/backend_complete_test.go index a8d1ec342c..ce513a1b87 100644 --- a/internal/backend/remote-state/s3/backend_complete_test.go +++ b/internal/backend/remote-state/s3/backend_complete_test.go @@ -1081,23 +1081,6 @@ aws_secret_access_key = DefaultSharedCredentialsSecretKey ), }, - // NOT SUPPORTED: AssumeRoleSourceIdentity - // WAS: "config AssumeRoleSourceIdentity" - // "with source identity": { - // config: map[string]any{ - // "access_key": servicemocks.MockStaticAccessKey, - // "secret_key": servicemocks.MockStaticSecretKey, - // "role_arn": servicemocks.MockStsAssumeRoleArn, - // "session_name": servicemocks.MockStsAssumeRoleSessionName, - // "assume_role_source_identity": servicemocks.MockStsAssumeRoleSourceIdentity, - // }, - // ExpectedCredentialsValue: mockdata.MockStsAssumeRoleCredentials, - // MockStsEndpoints: []*servicemocks.MockEndpoint{ - // servicemocks.MockStsAssumeRoleValidEndpointWithOptions(map[string]string{"SourceIdentity": servicemocks.MockStsAssumeRoleSourceIdentity}), - // servicemocks.MockStsGetCallerIdentityValidEndpoint, - // }, - // }, - // WAS: "assume role error" "error": { config: map[string]any{ 
@@ -1524,24 +1507,23 @@ aws_secret_access_key = DefaultSharedCredentialsSecretKey }, }, - // NOT SUPPORTED: AssumeRoleSourceIdentity // WAS: "config AssumeRoleSourceIdentity" - // "with source identity": { - // config: map[string]any{ - // "access_key": servicemocks.MockStaticAccessKey, - // "secret_key": servicemocks.MockStaticSecretKey, - // "assume_role": map[string]any{ - // "role_arn": servicemocks.MockStsAssumeRoleArn, - // "session_name": servicemocks.MockStsAssumeRoleSessionName, - // "source_identity": servicemocks.MockStsAssumeRoleSourceIdentity, - // }, - // }, - // ExpectedCredentialsValue: mockdata.MockStsAssumeRoleCredentials, - // MockStsEndpoints: []*servicemocks.MockEndpoint{ - // servicemocks.MockStsAssumeRoleValidEndpointWithOptions(map[string]string{"SourceIdentity": servicemocks.MockStsAssumeRoleSourceIdentity}), - // servicemocks.MockStsGetCallerIdentityValidEndpoint, - // }, - // }, + "with source identity": { + config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + "assume_role": map[string]any{ + "role_arn": servicemocks.MockStsAssumeRoleArn, + "session_name": servicemocks.MockStsAssumeRoleSessionName, + "source_identity": servicemocks.MockStsAssumeRoleSourceIdentity, + }, + }, + ExpectedCredentialsValue: mockdata.MockStsAssumeRoleCredentials, + MockStsEndpoints: []*servicemocks.MockEndpoint{ + servicemocks.MockStsAssumeRoleValidEndpointWithOptions(map[string]string{"SourceIdentity": servicemocks.MockStsAssumeRoleSourceIdentity}), + servicemocks.MockStsGetCallerIdentityValidEndpoint, + }, + }, // WAS: "assume role error" "error": { diff --git a/internal/backend/remote-state/s3/backend_test.go b/internal/backend/remote-state/s3/backend_test.go index 31536bbce5..1f0df00f82 100644 --- a/internal/backend/remote-state/s3/backend_test.go +++ b/internal/backend/remote-state/s3/backend_test.go 
@@ -2001,8 +2001,12 @@ func TestAssumeRole_PrepareConfigValidation(t *testing.T) { }, }, - // NOT SUPPORTED by `aws-sdk-go-base/v1` - // "source_identity" + "source_identity": { + config: map[string]cty.Value{ + "role_arn": cty.StringVal("arn:aws:iam::123456789012:role/testrole"), + "source_identity": cty.StringVal("source-identity"), + }, + }, "with tags": { config: map[string]cty.Value{ From 8e7e5f420d9165107bdc3afc1065012d084e3bc0 Mon Sep 17 00:00:00 2001 From: Graham Davison Date: Thu, 14 Sep 2023 12:15:35 -0700 Subject: [PATCH 2/3] Documents parameter --- website/docs/language/settings/backends/s3.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index e56f4cd1ab..2761bb3304 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx @@ -213,6 +213,7 @@ The argument `assume_role` contains the following arguments: * `policy` - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed. * `policy_arns` - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed. * `session_name` - (Optional) Session name to use when assuming the role. +* `source_identity` - (Optional) Source identity specified by the principal assuming the role. * `tags` - (Optional) Map of assume role session tags. * `transitive_tag_keys` - (Optional) Set of assume role session tag keys to pass to any subsequent sessions. From 5396646ad82dcc4b73313851ba04728498f3c6ad Mon Sep 17 00:00:00 2001 From: Graham Davison Date: Thu, 14 Sep 2023 12:21:32 -0700 Subject: [PATCH 3/3] Consolidates validators for assume role names --- internal/backend/remote-state/s3/backend.go | 24 +++----------------- internal/backend/remote-state/s3/validate.go | 8 +++++++ 2 files changed, 11 insertions(+), 21 deletions(-) 
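Review bot: The only new case in `TestAssumeRole_PrepareConfigValidation` is the happy path (`"source-identity"`), so neither validator attached to `source_identity` in the schema is exercised — a one-character value and a value with a disallowed character such as a space or `/` both pass the table untested. Two more entries in the same table, e.g. `"source_identity": cty.StringVal("a")` and `"source_identity": cty.StringVal("bad value")`, each with whatever expected-diagnostic field the table already uses for invalid `session_name`, would pin the 2–64 length check and the character-class check. That matters here because the validator is the only thing keeping an unexpected value from reaching STS and being rejected late, at backend init. The enclosing test function starts before the hunk.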
diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go index d826dbaf1b..f3eccaf100 100644 --- a/internal/backend/remote-state/s3/backend.go +++ b/internal/backend/remote-state/s3/backend.go @@ -407,13 +407,7 @@ var assumeRoleSchema = singleNestedAttribute{ Description: "The session name to use when assuming the role.", }, validateString{ - Validators: []stringValidator{ - validateStringLenBetween(2, 64), - validateStringMatches( - regexp.MustCompile(`^[\w+=,.@\-]*$`), - `Value can only contain letters, numbers, or the following characters: =,.@-`, - ), - }, + Validators: assumeRoleNameValidator, }, }, @@ -424,13 +418,7 @@ var assumeRoleSchema = singleNestedAttribute{ Description: "Source identity specified by the principal assuming the role.", }, validateString{ - Validators: []stringValidator{ - validateStringLenBetween(2, 64), - validateStringMatches( - regexp.MustCompile(`^[\w+=,.@\-]*$`), - `Value can only contain letters, numbers, or the following characters: =,.@-`, - ), - }, + Validators: assumeRoleNameValidator, }, }, @@ -524,13 +512,7 @@ var assumeRoleWithWebIdentitySchema = singleNestedAttribute{ Description: "The session name to use when assuming the role.", }, validateString{ - Validators: []stringValidator{ - validateStringLenBetween(2, 64), - validateStringMatches( - regexp.MustCompile(`^[\w+=,.@\-]*$`), - `Value can only contain letters, numbers, or the following characters: =,.@-`, - ), - }, + Validators: assumeRoleNameValidator, }, }, diff --git a/internal/backend/remote-state/s3/validate.go b/internal/backend/remote-state/s3/validate.go index c094f1fc7c..4fdda0ce51 100644 --- a/internal/backend/remote-state/s3/validate.go +++ b/internal/backend/remote-state/s3/validate.go 
@@ -476,3 +476,11 @@ func wholeBodyErrDiag(summary, detail string) tfdiags.Diagnostic { func wholeBodyWarningDiag(summary, detail string) tfdiags.Diagnostic { return tfdiags.WholeContainingBody(tfdiags.Warning, summary, detail) } + +var assumeRoleNameValidator = []stringValidator{ + validateStringLenBetween(2, 64), + validateStringMatches( + regexp.MustCompile(`^[\w+=,.@\-]*$`), + `Value can only contain letters, numbers, or the following characters: =,.@-`, + ), +}
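Review bot: The diagnostic text on the new `assumeRoleNameValidator` does not match its regex: `[\w+=,.@\-]` also accepts `_` (via `\w`, which RE2 treats as ASCII word characters) and `+`, but the message lists only `=,.@-`, so a user who is rejected for a `/` or a space is told a set of characters that is narrower than what is actually allowed. Change it to `` `Value can only contain letters, numbers, or the following characters: _+=,.@-` ``. Since the var is now shared by `session_name` in two schemas and `source_identity`, it also deserves a doc comment saying what it encodes, e.g. `// assumeRoleNameValidator enforces the STS constraints shared by RoleSessionName and SourceIdentity: 2–64 characters from [\w+=,.@-].`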