Open
Labels: aws (Relates to integration with AWS), bug (Something isn't working), contributions-requested (Requesting contributions from the community), preserved (Preserved issues never go stale)
Description
Describe the bug
When using TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE=true, Terragrunt does not use the backend role to fetch state.
Steps To Reproduce
ROLE_A -> IaC role used to plan, cannot fetch remote state
ROLE_B -> IaC role used to fetch remote state
ROLE_A has permissions to assume ROLE_B, ROLE_B has ROLE_A in TrustPolicy.
Run a plan with TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE set to true for a unit with dependencies.
```hcl
remote_state {
  backend = "s3"
  config = {
    encrypt              = true
    bucket_sse_algorithm = "AES256"
    bucket               = "${local.backend_state_bucket}"
    key                  = "${path_relative_to_include()}/terraform.tfstate"
    region               = "${local.backend_aws_region}"
    # Assume special role which can deal with remote state and lock table entries
    assume_role = {
      role_arn = "${local.role_b_arn}"
    }
    dynamodb_table = "${local.backend_lock_table}"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
...
provider "aws" {
  region = "${local.aws_region}"
  # Assume ROLE_A
  assume_role {
    role_arn = "${local.role_a_arn}"
  }
}
```
Expected behavior
ROLE_B should be assumed to read remote state, as it is when TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE is not set.
In earlier terragrunt versions ROLE_B was successfully assumed.
Nice to haves
- Without TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE set:
```
➜ tg plan
14:20:51.857 INFO Downloading Terraform configurations from git::https://some_module into ./.terragrunt-cache/...
14:20:53.987 INFO tofu: Initializing the backend...
14:20:55.794 INFO tofu:
14:20:55.794 INFO tofu: Successfully configured the backend "s3"! OpenTofu will automatically
14:20:55.794 INFO tofu: use this backend unless the backend configuration changes.
```
- With TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE set:
```
➜ TG_DEPENDENCY_FETCH_OUTPUT_FROM_STATE=true tg plan
14:22:43.491 ERROR Error: Unknown variable
14:22:43.492 ERROR on ../../../../../_base/sales/order-domain-service/aurora-postgres.hcl line 39:
14:22:43.492 ERROR 39: subnets = dependency.vpc.outputs.private_subnets_ids
14:22:43.493 ERROR There is no variable named "dependency".
14:22:43.493 ERROR Error: Unknown variable
14:22:43.493 ERROR on ../../../../../_base/sales/order-domain-service/aurora-postgres.hcl line 100:
14:22:43.493 ERROR 100: vpc_id = dependency.vpc.outputs.vpc_id
14:22:43.493 ERROR There is no variable named "dependency".
14:22:43.498 ERROR 3 errors occurred:
* operation error S3: GetObject, https response error StatusCode: 403, RequestID: XXX, HostID: XXX, api error AccessDenied: User: arn:aws:sts::XXX:assumed-role/ROLE_A/XXXX@email.com is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::XXX/development/us-east-1/platform-infra/cloud-infra/networking/terraform.tfstate" because no resource-based policy allows the s3:GetObject action
* operation error S3: GetObject, https response error StatusCode: 403, RequestID: XXX, HostID: XXX, api error AccessDenied: User: arn:aws:sts::XXX:assumed-role/ROLE_A/XXX@email.com is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::XXX/development/us-east-1/platform-infra/cloud-infra/networking/terraform.tfstate" because no resource-based policy allows the s3:GetObject action
```
Versions
- Terragrunt version: 0.88.1
- OpenTofu/Terraform version: 1.9.0
- Environment details (OS: macOS 15.7.1 24G231 arm64)
Additional context
Role is assumed with earlier terragrunt versions.
Tested with latest version at the time of writing, 0.91.1, issue persists.
markoeremija
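A small diagnostic for the symptom in this report, added here as example code that is not part of the issue or of Terragrunt: it parses the AccessDenied lines from the plan output and the `assume_role` block of the `remote_state` config, and lists every state-file read that was attempted by a principal other than the configured backend role. The log line, the HCL fragment and the literal ROLE_B ARN below are constructed samples modelled on the report.

```python
import re

# Constructed sample log, modelled on the AccessDenied error in the report
# (account, request IDs and bucket redacted as XXX, as in the original).
SAMPLE_LOG = """\
14:22:43.498 ERROR 3 errors occurred:
* operation error S3: GetObject, https response error StatusCode: 403, RequestID: XXX, HostID: XXX, api error AccessDenied: User: arn:aws:sts::XXX:assumed-role/ROLE_A/user@email.com is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::XXX/development/us-east-1/networking/terraform.tfstate" because no resource-based policy allows the s3:GetObject action
"""

# Constructed remote_state fragment; the report uses "${local.role_b_arn}" here,
# a literal ARN is used so the sample parses stand-alone.
SAMPLE_HCL = """
remote_state {
  backend = "s3"
  config = {
    assume_role = {
      role_arn = "arn:aws:iam::XXX:role/ROLE_B"
    }
  }
}
"""

# Matches the S3 AccessDenied message format shown in the plan output.
DENIED_RE = re.compile(
    r'AccessDenied: User: arn:aws:sts::(?P<account>[^:]+):assumed-role/(?P<role>[^/]+)/[^ ]+ '
    r'is not authorized to perform: (?P<action>s3:\w+) on resource: "arn:aws:s3:::(?P<key>[^"]+)"'
)
# Pulls role_arn out of the assume_role block of the remote_state config.
ROLE_ARN_RE = re.compile(r'assume_role\s*=\s*\{[^}]*role_arn\s*=\s*"([^"]+)"')


def configured_backend_role(hcl):
    """Return the role name from the remote_state assume_role block, or None."""
    m = ROLE_ARN_RE.search(hcl)
    return m.group(1).rsplit("/", 1)[-1] if m else None


def denied_state_reads(log):
    """Return (role, action, key) for every AccessDenied on a terraform.tfstate object."""
    return [(m["role"], m["action"], m["key"]) for m in DENIED_RE.finditer(log)
            if m["key"].endswith("terraform.tfstate")]


def wrong_principal_reads(log, hcl):
    """Denied state reads made by a principal other than the configured backend role."""
    expected = configured_backend_role(hcl)
    return [d for d in denied_state_reads(log) if d[0] != expected]
```

A non-empty result from `wrong_principal_reads` confirms the report's reading: the state object was requested as ROLE_A, so the backend `assume_role` was never applied on the dependency-fetch path.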