@caldempsey

Description

Fixed a logic error in the badChecksumError.resolutionMsg() method in the S3 backend that was checking and displaying the wrong checksum value. I noticed this when my checksum values got messed up in DynamoDB and I had to go in manually to fix them. Fortunately the output provided the correct checksum value, just not in the right place.

Changes Made

File: internal/backend/remote-state/s3/client.go

In the resolutionMsg() method (lines ~715-729), corrected two issues:

  1. Condition check: Changed 'if len(err.digest) > 0' to 'if len(err.expected) > 0'
  2. Display value: Changed '%x, err.digest' to '%x, err.expected'

Rationale

The error resolution message should guide users based on whether DynamoDB has a stored expected checksum, not based on whether S3 calculated an actual digest. The logic determines:

  • If err.expected has a value: DynamoDB has a stored checksum that likely needs updating → tell user what the correct value should be
  • If err.expected is empty: DynamoDB has no/empty checksum → tell user to remove or verify the digest entry

The previous implementation incorrectly used err.digest (the calculated checksum from S3 state data) instead of err.expected (the stored checksum from DynamoDB), which could provide incorrect guidance to users troubleshooting checksum mismatch errors.

Example Scenario

Consider a case where:

  • S3 state file calculates to digest: abc123 (err.digest)
  • DynamoDB has no stored checksum: [] (err.expected)

Before (incorrect):

  • Checks len(err.digest) > 0 → true
  • Tells user to update DynamoDB to abc123
  • Wrong guidance: the issue is DynamoDB is empty, not that it needs this specific value

After (correct):

  • Checks len(err.expected) > 0 → false
  • Tells user to verify/remove the digest entry
  • Correct guidance for the actual problem

Fixes #

Target Release

1.15.x

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

No changes to security controls. This is a bug fix to error message logic only. The fix ensures users receive correct troubleshooting guidance but does not affect access controls, encryption, or logging functionality.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

Changelog summary:

backend/s3: Fixed error message logic in checksum mismatch errors to provide correct troubleshooting guidance

Replaced the incorrect use of 'err.digest' with 'err.expected' to ensure the displayed message provides the correct expected digest.

@caldempsey requested review from a team as code owners, November 20, 2025 11:03

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.

@github-actions

Changelog Warning

Currently this PR would target a v1.15 release. Please add a changelog entry in the .changes/v1.15 folder, or discuss which release you'd like to target with your reviewer. If you believe this change does not need a changelog entry, please add the 'no-changelog-needed' label.
