Merge pull request hashicorp#34723 from hashicorp/s3/use_legacy_workf…

…low-removal

backend/s3: remove use_legacy_workflow argument

CHANGELOG.md

@@ -5,6 +5,8 @@ UPGRADE NOTES:
 If you are upgrading from Terraform v1.7 or earlier, please refer to
 [the Terraform v1.8 Upgrade Guide](https://developer.hashicorp.com/terraform/language/v1.8.x/upgrade-guides).
 
+* backend/s3: The `use_legacy_workflow` argument has been removed to encourage consistency with the AWS SDKs. The backend will now search for credentials in the same order as the default provider chain in the AWS SDKs and AWS CLI.
+
 NEW FEATURES:
 
 * Providers can now implement functions which can be used from within the Terraform configuration language. The syntax for calling a provider supplied function is `provider::provider_name::function_name()`. ([#34394](https://github.com/hashicorp/terraform/issues/34394))

internal/backend/remote-state/s3/backend.go

@@ -296,13 +296,6 @@ func (b *Backend) ConfigSchema() *configschema.Block {
 
 			"assume_role_with_web_identity": assumeRoleWithWebIdentitySchema.SchemaAttribute(),
 
-			"use_legacy_workflow": {
-				Type:        cty.Bool,
-				Optional:    true,
-				Description: "Use the legacy authentication workflow, preferring environment variables over backend configuration.",
-				Deprecated:  true,
-			},
-
 			"custom_ca_bundle": {
 				Type:        cty.String,
 				Optional:    true,
@@ -858,15 +851,6 @@ func (b *Backend) PrepareConfig(obj cty.Value) (cty.Value, tfdiags.Diagnostics)
 		cty.GetAttrPath("forbidden_account_ids"),
 	)(obj, cty.Path{}, &diags)
 
-	attrPath = cty.GetAttrPath("use_legacy_workflow")
-	if val := obj.GetAttr("use_legacy_workflow"); !val.IsNull() {
-		diags = diags.Append(attributeWarningDiag(
-			"Deprecated Parameter",
-			fmt.Sprintf(`The parameter "%s" is deprecated. The ability to override the default credential chain ordering will be removed in a future minor version.`, pathString(attrPath)),
-			attrPath,
-		))
-	}
-
 	return obj, diags
 }
 
@@ -1026,14 +1010,6 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 		Token:                   stringAttr(obj, "token"),
 	}
 
-	// The "legacy" authentication workflow used in aws-sdk-go-base V1 will be
-	// gradually phased out over several Terraform minor versions:
-	//
-	// 1.6 - Default to `true` (prefer existing behavior, "opt-out" for new behavior)
-	// 1.7 - Default to `false` (prefer new behavior, "opt-in" for legacy behavior)
-	// 1.8 - Remove argument, legacy workflow no longer supported
-	cfg.UseLegacyWorkflow = boolAttr(obj, "use_legacy_workflow")
-
 	if val, ok := boolAttrOk(obj, "skip_metadata_api_check"); ok {
 		if val {
 			cfg.EC2MetadataServiceEnableState = imds.ClientDisabled

internal/backend/remote-state/s3/backend_complete_test.go

@@ -232,35 +232,6 @@ aws_secret_access_key = ProfileSharedCredentialsSecretKey
 			ValidateDiags: ExpectNoDiags,
 		},
 
-		"environment AWS_ACCESS_KEY_ID overrides config Profile in legacy workflow": { // Legacy behavior
-			config: map[string]any{
-				"profile":             "SharedCredentialsProfile",
-				"use_legacy_workflow": true,
-			},
-			EnvironmentVariables: map[string]string{
-				"AWS_ACCESS_KEY_ID":     servicemocks.MockEnvAccessKey,
-				"AWS_SECRET_ACCESS_KEY": servicemocks.MockEnvSecretKey,
-			},
-			ExpectedCredentialsValue: mockdata.MockEnvCredentials,
-			MockStsEndpoints: []*servicemocks.MockEndpoint{
-				servicemocks.MockStsGetCallerIdentityValidEndpoint,
-			},
-			SharedCredentialsFile: `
-[default]
-aws_access_key_id = DefaultSharedCredentialsAccessKey
-aws_secret_access_key = DefaultSharedCredentialsSecretKey
-
-[SharedCredentialsProfile]
-aws_access_key_id = ProfileSharedCredentialsAccessKey
-aws_secret_access_key = ProfileSharedCredentialsSecretKey
-`,
-			ValidateDiags: ExpectDiagMatching(
-				tfdiags.Warning,
-				equalsMatcher("Deprecated Parameter"),
-				ignoreMatcher{},
-			),
-		},
-
 		"environment AWS_ACCESS_KEY_ID": {
 			config: map[string]any{},
 			EnvironmentVariables: map[string]string{

website/docs/language/settings/backends/s3.mdx

@@ -212,7 +212,6 @@ The following configuration is optional:
 * `token` - (Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
 * `use_dualstack_endpoint` - (Optional) Force the backend to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`).
 * `use_fips_endpoint` - (Optional) Force the backend to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`).
-* `use_legacy_workflow` - (Optional, **Deprecated**) Use the legacy authentication workflow, preferring environment variables over backend configuration. Defaults to `false`. To encourage consistency with the default credential chain ordering of the AWS SDKs, this argument will be removed in a future minor version.
 
 #### Overriding AWS API endpoints