S3 buckets parsing

Author: denis256

internal/remotestate/backend/gcs/config.go

@@ -7,7 +7,6 @@ import (
 	"github.com/gruntwork-io/terragrunt/internal/errors"
 	"github.com/gruntwork-io/terragrunt/internal/remotestate/backend"
 	"github.com/gruntwork-io/terragrunt/pkg/log"
-	"github.com/mitchellh/mapstructure"
 	"golang.org/x/exp/slices"
 
 	"maps"
@@ -56,11 +55,11 @@ func (cfg Config) ParseExtendedGCSConfig() (*ExtendedRemoteStateConfigGCS, error
 		extendedConfig ExtendedRemoteStateConfigGCS
 	)
 
-	if err := mapstructure.WeakDecode(cfg, &gcsConfig); err != nil {
+	if err := util.DecodeWithStringBoolHook(cfg, &gcsConfig); err != nil {
 		return nil, errors.New(err)
 	}
 
-	if err := mapstructure.WeakDecode(cfg, &extendedConfig); err != nil {
+	if err := util.DecodeWithStringBoolHook(cfg, &extendedConfig); err != nil {
 		return nil, errors.New(err)
 	}
 

internal/remotestate/backend/gcs/config_test.go

@@ -183,3 +183,17 @@ func TestParseExtendedGCSConfig_StringBoolCoercion(t *testing.T) {
 		})
 	}
 }
+
+// TestParseExtendedGCSConfig_InvalidStringBool verifies invalid string values
+// for bool fields are rejected (e.g. "maybe" is not a valid bool).
+func TestParseExtendedGCSConfig_InvalidStringBool(t *testing.T) {
+	t.Parallel()
+
+	cfg := gcsbackend.Config{
+		"bucket":                 "my-bucket",
+		"skip_bucket_versioning": "maybe",
+	}
+
+	_, err := cfg.ParseExtendedGCSConfig()
+	require.Error(t, err)
+}

internal/remotestate/backend/s3/config.go

@@ -7,7 +7,6 @@ import (
 	"github.com/gruntwork-io/terragrunt/internal/errors"
 	"github.com/gruntwork-io/terragrunt/internal/hclhelper"
 	"github.com/gruntwork-io/terragrunt/pkg/log"
-	"github.com/mitchellh/mapstructure"
 
 	"maps"
 
@@ -103,11 +102,11 @@ func (cfg Config) ParseExtendedS3Config() (*ExtendedRemoteStateConfigS3, error)
 		extendedConfig ExtendedRemoteStateConfigS3
 	)
 
-	if err := mapstructure.WeakDecode(cfg, &s3Config); err != nil {
+	if err := util.DecodeWithStringBoolHook(cfg, &s3Config); err != nil {
 		return nil, errors.New(err)
 	}
 
-	if err := mapstructure.WeakDecode(cfg, &extendedConfig); err != nil {
+	if err := util.DecodeWithStringBoolHook(cfg, &extendedConfig); err != nil {
 		return nil, errors.New(err)
 	}
 

internal/util/mapstructure.go

@@ -0,0 +1,38 @@
+package util
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+// DecodeWithStringBoolHook decodes input into output using mapstructure,
+// allowing only string -> bool coercion for "true"/"false" values.
+func DecodeWithStringBoolHook(input, output any) error {
+	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Result: output,
+		DecodeHook: mapstructure.DecodeHookFuncType(func(from reflect.Type, to reflect.Type, data any) (any, error) {
+			if from.Kind() != reflect.String || to.Kind() != reflect.Bool {
+				return data, nil
+			}
+
+			strValue := strings.TrimSpace(fmt.Sprintf("%v", data))
+
+			switch {
+			case strings.EqualFold(strValue, "true"):
+				return true, nil
+			case strings.EqualFold(strValue, "false"):
+				return false, nil
+			default:
+				return nil, fmt.Errorf("invalid boolean string %q, expected \"true\" or \"false\"", strValue)
+			}
+		}),
+	})
+	if err != nil {
+		return err
+	}
+
+	return decoder.Decode(input)
+}

internal/util/mapstructure_test.go

@@ -0,0 +1,89 @@
+package util_test
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terragrunt/internal/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type decodeStringBoolConfig struct {
+	PointerValue *bool  `mapstructure:"pointer_value"`
+	StringValue  string `mapstructure:"string_value"`
+	BoolValue    bool   `mapstructure:"bool_value"`
+}
+
+func TestDecodeWithStringBoolHook(t *testing.T) {
+	t.Parallel()
+
+	input := map[string]any{
+		"bool_value":    "true",
+		"pointer_value": "false",
+		"string_value":  "plain-string",
+	}
+
+	var output decodeStringBoolConfig
+
+	err := util.DecodeWithStringBoolHook(input, &output)
+	require.NoError(t, err)
+
+	assert.True(t, output.BoolValue)
+	require.NotNil(t, output.PointerValue)
+	assert.False(t, *output.PointerValue)
+	assert.Equal(t, "plain-string", output.StringValue)
+}
+
+func TestDecodeWithStringBoolHook_InvalidBoolStringsRejected(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		input any
+		name  string
+	}{
+		{
+			name: "one-string",
+			input: map[string]any{
+				"bool_value": "1",
+			},
+		},
+		{
+			name: "empty-string",
+			input: map[string]any{
+				"bool_value": "",
+			},
+		},
+		{
+			name: "arbitrary-string",
+			input: map[string]any{
+				"bool_value": "maybe",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var output decodeStringBoolConfig
+
+			err := util.DecodeWithStringBoolHook(tc.input, &output)
+			require.Error(t, err)
+			assert.Contains(t, err.Error(), "invalid boolean string")
+		})
+	}
+}
+
+func TestDecodeWithStringBoolHook_NonStringBoolsRejected(t *testing.T) {
+	t.Parallel()
+
+	input := map[string]any{
+		"bool_value": 1,
+	}
+
+	var output decodeStringBoolConfig
+
+	err := util.DecodeWithStringBoolHook(input, &output)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unconvertible type 'int'")
+}

pkg/config/config.go

@@ -26,8 +26,6 @@ import (
 	"github.com/gruntwork-io/terragrunt/internal/remotestate"
 	"github.com/gruntwork-io/terragrunt/internal/strict/controls"
 
-	"github.com/mitchellh/mapstructure"
-
 	"github.com/hashicorp/go-getter"
 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/hclsyntax"
@@ -1681,8 +1679,8 @@ func convertToTerragruntConfig(ctx context.Context, pctx *ParsingContext, config
 		}
 
 		var config *remotestate.Config
-		// WeakDecode: HCL ternary type unification sends string "true" for bool fields. See #5475.
-		if err := mapstructure.WeakDecode(remoteStateMap, &config); err != nil {
+		// Decode with strict string->bool coercion for HCL ternary type unification. See #5475.
+		if err := util.DecodeWithStringBoolHook(remoteStateMap, &config); err != nil {
 			return nil, err
 		}
 
@@ -1793,8 +1791,8 @@ func convertToTerragruntConfig(ctx context.Context, pctx *ParsingContext, config
 
 		for name, block := range generateMap {
 			var generateBlock terragruntGenerateBlock
-			// WeakDecode: HCL ternary type unification sends string "true" for bool fields. See #5475.
-			if err := mapstructure.WeakDecode(block, &generateBlock); err != nil {
+			// Decode with strict string->bool coercion for HCL ternary type unification. See #5475.
+			if err := util.DecodeWithStringBoolHook(block, &generateBlock); err != nil {
 				return nil, err
 			}
 

pkg/config/config_helpers.go

@@ -1369,7 +1369,7 @@ func sopsDecryptFileImpl(ctx context.Context, pctx *ParsingContext, l log.Logger
 	// credentials with empty auth-provider values.
 	env := pctx.TerragruntOptions.Env
 
-	var setKeys []string
+	setKeys := make([]string, 0, len(env))
 
 	for k, v := range env {
 		if _, exists := os.LookupEnv(k); exists {

pkg/config/config_test.go

@@ -84,6 +84,110 @@ remote_state = {
 	}
 }
 
+func TestParseTerragruntConfigRemoteStateAttrStringBoolCoercion(t *testing.T) {
+	t.Parallel()
+
+	cfg := `
+locals {
+  enable_flags = true
+}
+
+remote_state = {
+  backend = "s3"
+  disable_init = local.enable_flags ? "true" : "false"
+  disable_dependency_optimization = local.enable_flags ? "false" : "true"
+  config = {
+    bucket = "my-bucket"
+    key = "terraform.tfstate"
+    region = "us-east-1"
+  }
+}
+`
+
+	l := createLogger()
+
+	ctx, pctx := config.NewParsingContext(t.Context(), l, mockOptionsForTest(t))
+	terragruntConfig, err := config.ParseConfigString(ctx, pctx, l, config.DefaultTerragruntConfigPath, cfg, nil)
+	require.NoError(t, err)
+
+	if assert.NotNil(t, terragruntConfig.RemoteState) {
+		assert.True(t, terragruntConfig.RemoteState.DisableInit)
+		assert.False(t, terragruntConfig.RemoteState.DisableDependencyOptimization)
+	}
+}
+
+func TestParseTerragruntConfigRemoteStateAttrInvalidStringBool(t *testing.T) {
+	t.Parallel()
+
+	cfg := `
+remote_state = {
+  backend = "s3"
+  disable_init = "maybe"
+  config = {}
+}
+`
+
+	l := createLogger()
+
+	ctx, pctx := config.NewParsingContext(t.Context(), l, mockOptionsForTest(t))
+	_, err := config.ParseConfigString(ctx, pctx, l, config.DefaultTerragruntConfigPath, cfg, nil)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid boolean string")
+}
+
+func TestParseTerragruntConfigGenerateAttrStringBoolCoercion(t *testing.T) {
+	t.Parallel()
+
+	cfg := `
+locals {
+  enable_flags = true
+}
+
+generate = {
+  provider = {
+    path = "provider.tf"
+    if_exists = "overwrite"
+    contents = "provider \"aws\" {}"
+    disable_signature = local.enable_flags ? "true" : "false"
+    disable = local.enable_flags ? "false" : "true"
+  }
+}
+`
+
+	l := createLogger()
+
+	ctx, pctx := config.NewParsingContext(t.Context(), l, mockOptionsForTest(t))
+	terragruntConfig, err := config.ParseConfigString(ctx, pctx, l, config.DefaultTerragruntConfigPath, cfg, nil)
+	require.NoError(t, err)
+
+	providerGenerateConfig, ok := terragruntConfig.GenerateConfigs["provider"]
+	require.True(t, ok)
+	assert.True(t, providerGenerateConfig.DisableSignature)
+	assert.False(t, providerGenerateConfig.Disable)
+}
+
+func TestParseTerragruntConfigGenerateAttrInvalidStringBool(t *testing.T) {
+	t.Parallel()
+
+	cfg := `
+generate = {
+  provider = {
+    path = "provider.tf"
+    if_exists = "overwrite"
+    contents = "provider \"aws\" {}"
+    disable_signature = "maybe"
+  }
+}
+`
+
+	l := createLogger()
+
+	ctx, pctx := config.NewParsingContext(t.Context(), l, mockOptionsForTest(t))
+	_, err := config.ParseConfigString(ctx, pctx, l, config.DefaultTerragruntConfigPath, cfg, nil)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid boolean string")
+}
+
 func TestParseTerragruntJsonConfigRemoteStateMinimalConfig(t *testing.T) {
 	t.Parallel()