Fix Terraform remote backend detection to support all backend types

[Copilot]

Plan to Fix Terraform Remote Backend Detection

• Understand the current implementation of isRemoteBackendConfig()
• Update isRemoteBackendConfig() to recognize all remote backend types
• Create or update unit tests for the new backend detection logic
• Run tests to verify the changes work correctly
• Verify that the fix prevents the deprecated -state flag warning
• Run linters and format the code
• Request code review
• Address code review feedback
• Run security checks with CodeQL
• Optimize performance with early keyword check

Changes from Review Feedback

Initial Review (Addressed):

1. Improved cloud { detection (Comment 2752395659)
2. Added comprehensive test coverage (Comment 2752395655)
3. Updated backend list (Comment 2752395669)
4. Added documentation (Comment 2752395651)

Latest Optimization (Comment 2765449116):

• Added early check for backend keyword before scanning specific backend types
• This optimization improves performance by avoiding detailed pattern matching on files without any backend configuration
• The check still handles the Terraform Cloud cloud {} syntax separately since it doesn't use the backend keyword
• All 10 test cases continue to pass

Security Summary

No security vulnerabilities introduced. CodeQL analysis: 0 alerts.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Terraform provider: Deprecated -state flag warning when using Terraform Cloud (backend "remote" or "cloud")</issue_title>
<issue_description>- [x] Make sure you've installed the latest version using instructions

Output from azd version

azd version 1.23.3 (commit c53baf4180b8636f4366cd9d9f621755db75f370)

Describe the bug
When using azd provision with a Terraform project that uses Terraform Cloud as backend (backend "remote" or the newer cloud block), the following warning is displayed:

│ Warning: Deprecated flag: -state
│ 
│ Use the "path" attribute within the "local" backend to specify a file for
│ state storage

This happens because the isRemoteBackendConfig() function in terraform_provider.go only checks for backend "azurerm":

azure-dev/cli/azd/pkg/infra/provisioning/terraform/terraform_provider.go

Lines 588 to 601 in c53baf4

	// Gets the path to the project parameters file path
	func (t *TerraformProvider) parametersTemplateFilePath() string {
	infraPath := t.options.Path
	if strings.TrimSpace(infraPath) == "" {
	infraPath = "infra"
	}
	parametersFilename := fmt.Sprintf("%s.tfvars.json", t.options.Module)
	return filepath.Join(t.projectPath, infraPath, parametersFilename)
	}
	// Gets the path to the project backend config file path
	func (t *TerraformProvider) backendConfigTemplateFilePath() string {

for index := range files {
    if !files[index].IsDir() && filepath.Ext(files[index].Name()) == ".tf" {
        fileContent, err := os.ReadFile(filepath.Join(modulePath, files[index].Name()))
        if err != nil {
            return false, fmt.Errorf("error reading .tf files: %w", err)
        }
        if found := strings.Contains(string(fileContent), `backend "azurerm"`); found {
            return true, nil
        }
    }
}
return false, nil

When isRemoteBackendConfig() returns false, the -state flag is added to terraform commands (plan, apply, destroy, output, show), which causes the deprecation warning.

To Reproduce

1. Create an azd project with Terraform provider
2. Configure Terraform to use Terraform Cloud backend:

   terraform {
     cloud {
       hostname     = "app.terraform.io"
       organization = "your-org"
       workspaces {
         name = "your-workspace"
       }
     }
   }

   Or the older syntax:

   terraform {
     backend "remote" {
       hostname     = "app.terraform.io"
       organization = "your-org"
       workspaces {
         name = "your-workspace"
       }
     }
   }

3. Run azd provision
4. Observe the deprecation warning about -state flag

Expected behavior
The isRemoteBackendConfig() function should recognize all remote backend types:

• backend "azurerm"
• backend "remote"
• backend "s3"
• backend "gcs"
• cloud { block (Terraform Cloud/Enterprise)
• etc.

Or alternatively, check for the absence of backend "local" instead of checking for specific remote backends.

Environment

• Terraform version: 1.14.4
• OS: macOS (also reproducible in devcontainer with Ubuntu 24.04)
• IDE: VS Code with devcontainer

Additional context
The warning does not affect functionality since Terraform Cloud manages state remotely and ignores the -state flag. However, it creates confusion and noise in the output.

Suggested fix
Update isRemoteBackendConfig() to detect additional remote backend types:

func (t *TerraformProvider) isRemoteBackendConfig() (bool, error) {
    modulePath := t.modulePath()
    infraDir, _ := os.Open(modulePath)
    files, err := infraDir.ReadDir(0)

    if err != nil {
        return false, fmt.Errorf("reading .tf files contents: %w", err)
    }

    remoteBackends := []string{
        `backend "azurerm"`,
        `backend "remote"`,
        `backend "s3"`,
        `backend "gcs"`,
        `backend "consul"`,
        `backend "cos"`,
        `backend "http"`,
        `backend "kubernetes"`,
        `backend "oss"`,
        `backend "pg"`,
        `cloud {`,
    }

    for index := range files {
        if !files[index].IsDir() && filepath.Ext(files[index].Name()) == ".tf" {
            fileContent, err := os.ReadFile(filepath.Join(modulePath, files[index].Name()))
            if err != nil {
                return false, fmt.Errorf("error reading .tf files: %w", err)
            }
            for _, backend := range remoteBackends {
                if strings.Contains(string(fileContent), backend) {
                    return true, nil
                }
            }
        }
    }
    return false, nil
}

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Terraform provider: Deprecated -state flag warning when using Terraform Cloud (backend "remote" or "cloud") #6676

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR fixes a bug where the Terraform provider incorrectly applied the deprecated -state flag when using remote backends other than Azure RM. The issue occurred because the isRemoteBackendConfig() function only checked for backend "azurerm", causing warnings when using Terraform Cloud, AWS S3, Google Cloud Storage, or other remote backends.

Changes:

• Extended remote backend detection to recognize 10 additional backend types including Terraform Cloud (cloud {} and backend "remote"), AWS S3, GCS, and other cloud providers
• Added comprehensive test coverage for backend detection with 7 test cases covering common scenarios (azurerm, remote, cloud, s3, gcs, local, and no backend)
• Created test fixture files for each backend type to verify correct detection behavior

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

File	Description
cli/azd/pkg/infra/provisioning/terraform/terraform_provider.go	Extended isRemoteBackendConfig() to check for multiple remote backend types instead of only azurerm
cli/azd/pkg/infra/provisioning/terraform/terraform_provider_test.go	Added TestIsRemoteBackendConfig with table-driven tests for various backend configurations
cli/azd/pkg/infra/provisioning/terraform/testdata/backend_tests/*.tf	Created test fixtures for azurerm, remote, cloud, s3, gcs, local, and no-backend scenarios

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[vhvb1989]

@copilot apply changes based on the comments in this thread

[vhvb1989]

/azp run azure-dev - cli

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[weikanglim]

Can we scan for backend before grepping the identifiery keyword?

[hemarina]

@copilot Apply above comment.

[Copilot]

Addressed in commit 6199ac8. Added early check for backend keyword before scanning specific backend types. This improves performance by skipping detailed pattern matching on files without backend configuration. The check still handles Terraform Cloud cloud {} syntax separately.