Better missing credentials error when using AWS modules (#375)

* Better missing credentials error when using AWS modules

* embed error message and link to configuring explicit providers

Author: Zaid-Ajaj

pkg/modprovider/error_message.go

@@ -0,0 +1,20 @@
+// Copyright 2016-2025, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package modprovider
+
+import _ "embed"
+
+//go:embed error_messages/aws_missing_credentials_error.txt
+var awsMissingCredentialsErrorMessage string

pkg/modprovider/error_messages/aws_missing_credentials_error.txt

@@ -0,0 +1,6 @@
+no valid credentials source found to configure the AWS provider.
+Consider supplying the required AWS credentials to the provider either via environment variables,
+or by configuring the provider explicitly in the Pulumi program with an explicit provider resource.
+See https://github.com/pulumi/pulumi-terraform-module?tab=readme-ov-file#configuring-terraform-providers.
+Alternatively, you can use Pulumi ESC to set up dynamic credentials with AWS OIDC.
+Learn more: https://www.pulumi.com/registry/packages/aws/installation-configuration/#dynamically-generate-credentials-via-pulumi-esc

pkg/modprovider/logger.go

@@ -16,6 +16,7 @@ package modprovider
 
 import (
 	"context"
+	"strings"
 
 	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/diag"
@@ -101,6 +102,12 @@ func newResourceLogger(hc *provider.HostClient, urn resource.URN) tfsandbox.Logg
 	return &resourceLogger{hc: hc, urn: urn}
 }
 
+func isMissingCredentialsErrorFromAWS(message string) bool {
+	topLevelError := strings.Contains(message, "No valid credential sources found") ||
+		strings.Contains(message, "Invalid provider configuration")
+	return topLevelError && strings.Contains(message, "hashicorp/aws")
+}
+
 func (l *resourceLogger) Log(ctx context.Context, level tfsandbox.LogLevel, message string) {
 	if l.hc == nil {
 		return
@@ -121,6 +128,12 @@ func (l *resourceLogger) Log(ctx context.Context, level tfsandbox.LogLevel, mess
 		diagLevel = diag.Info
 	}
 
+	if diagLevel == diag.Error && isMissingCredentialsErrorFromAWS(message) {
+		// for AWS provider, we can detect missing credentials errors and provide a more helpful message
+		// that is specific to Pulumi users.
+		message = awsMissingCredentialsErrorMessage
+	}
+
 	err = l.hc.Log(ctx, diagLevel, l.urn, message)
 
 	contract.IgnoreError(err)

tests/acc_test.go

@@ -477,7 +477,6 @@ func TestTerraformAwsModulesVpcIntoTypeScript(t *testing.T) {
 
 func TestS3BucketModSecret(t *testing.T) {
 	// t.Parallel() - cannot use t.Parallel because the test uses SetEnv
-
 	localProviderBinPath := ensureCompiledProvider(t)
 	skipLocalRunsWithoutCreds(t)
 	testProgram := filepath.Join("testdata", "programs", "ts", "s3bucketmod")
@@ -517,6 +516,35 @@ func TestS3BucketModSecret(t *testing.T) {
 	}
 }
 
+func TestShowingModifiedAWSCredentialsError(t *testing.T) {
+	skipLocalRunsWithoutCreds(t)
+	localProviderBinPath := ensureCompiledProvider(t)
+
+	testProgram := filepath.Join("testdata", "programs", "ts", "s3bucketmod")
+	localPath := opttest.LocalProviderPath("terraform-module", filepath.Dir(localProviderBinPath))
+
+	// disable AWS credentials to test the error message shows up
+	integrationTest := newPulumiTest(t, testProgram, localPath,
+		opttest.Env("AWS_ACCESS_KEY_ID", ""),
+		opttest.Env("AWS_SECRET_ACCESS_KEY", ""),
+		opttest.Env("AWS_SESSION_TOKEN", ""),
+		opttest.Env("AWS_REGION", ""))
+
+	// Get a prefix for resource names
+	prefix := generateTestResourcePrefix()
+
+	// Set prefix via config
+	integrationTest.SetConfig(t, "prefix", prefix)
+
+	// Generate package
+	//nolint:all
+	pulumiPackageAdd(t, integrationTest, localProviderBinPath, "terraform-aws-modules/s3-bucket/aws", "4.5.0", "bucket")
+	_, err := integrationTest.CurrentStack().Up(context.Background())
+	assert.Error(t, err)
+	// assert that error contains part of the modified credentials error message which is Pulumi sepcific
+	assert.ErrorContains(t, err, "Alternatively, you can use Pulumi ESC to set up dynamic credentials with AWS OIDC")
+}
+
 // When writing out TF files, we need to replace data that is random with a static value
 // so that the TF files are deterministic.
 func cleanRandomDataFromTerraformArtifacts(t *testing.T, tfFilesDir string, replaces map[string]string) {