@salte-common/terraflow 0.1.0-alpha.1

package/dist/index.js

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Terraflow CLI - Main entry point
+ * An opinionated Terraform workflow CLI with multi-cloud support
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const config_1 = require("./core/config");
+const context_1 = require("./core/context");
+const terraform_1 = require("./core/terraform");
+const config_2 = require("./commands/config");
+const init_1 = require("./commands/init");
+const logger_1 = require("./utils/logger");
+const program = new commander_1.Command();
+/**
+ * Main CLI entry point
+ */
+async function main() {
+    // Load package.json for version
+    let version = '1.0.0';
+    try {
+        const packageJsonPath = (0, path_1.join)(__dirname, '..', 'package.json');
+        const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf8'));
+        version = packageJson.version || '1.0.0';
+    }
+    catch {
+        // Use default version if package.json can't be read
+    }
+    // Set up program
+    program
+        .name('terraflow')
+        .description('Opinionated Terraform workflow CLI with multi-cloud support')
+        .version(version, '-V, --version', 'Show version number')
+        .allowExcessArguments(true) // Allow terraform arguments to pass through
+        .passThroughOptions(); // Pass unknown options through to terraform
+    // Global options
+    program
+        .option('-c, --config <path>', 'Path to config file (default: <working-dir>/.tfwconfig.yml)')
+        .option('-w, --workspace <name>', 'Override workspace name')
+        .option('-b, --backend <type>', 'Backend type: local|s3|azurerm|gcs (default: local)')
+        .option('-s, --secrets <type>', 'Secrets provider: env|aws-secrets|azure-keyvault|gcp-secret-manager')
+        .option('--skip-commit-check', 'Skip git commit validation')
+        .option('-d, --working-dir <path>', 'Terraform working directory (default: ./terraform)')
+        .option('--assume-role <arn>', 'AWS role ARN to assume (AWS only)')
+        .option('-v, --verbose', 'Verbose logging')
+        .option('--debug', 'Debug logging (includes terraform debug output)')
+        .option('--dry-run', 'Show what would be executed without running')
+        .option('--no-color', 'Disable colored output');
+    // Special config command
+    const configCommand = program.command('config').description('Manage Terraflow configuration');
+    configCommand
+        .command('show')
+        .description('Show resolved configuration with source tracking and masked sensitive values')
+        .action(async () => {
+        try {
+            const opts = program.opts();
+            await config_2.ConfigCommand.show(opts);
+        }
+        catch (error) {
+            process.exit(1);
+        }
+    });
+    configCommand
+        .command('init')
+        .description('Generate skeleton config file with examples for all backend types, secrets providers, and auth configurations')
+        .option('-o, --output <file>', 'Output file path (default: .tfwconfig.yml in working directory)')
+        .action(async (options) => {
+        try {
+            await config_2.ConfigCommand.init(options.output);
+        }
+        catch (error) {
+            process.exit(1);
+        }
+    });
+    // Init command for project scaffolding
+    program
+        .command('init [project-name]')
+        .description('Scaffold a new infrastructure project with opinionated defaults')
+        .option('-p, --provider <name>', 'Cloud provider: aws, azure, or gcp (default: aws)', 'aws')
+        .option('-l, --language <name>', 'Application language: javascript, typescript, python, or go (default: javascript)', 'javascript')
+        .option('-d, --working-dir <path>', 'Directory where to create the project (default: current directory)', process.cwd())
+        .option('-f, --force', 'Overwrite existing files if present (default: false)', false)
+        .addHelpText('after', `
+Examples:
+  $ terraflow init my-project
+  $ terraflow init my-project --provider azure --language typescript
+  $ terraflow init --provider gcp --language python
+  $ terraflow init my-project --force
+`)
+        .action(async (projectName, options) => {
+        try {
+            await init_1.InitCommand.execute(projectName, {
+                provider: options.provider,
+                language: options.language,
+                workingDir: options.workingDir,
+                force: options.force,
+            });
+        }
+        catch (error) {
+            logger_1.Logger.error(`Failed to initialize project: ${error instanceof Error ? error.message : String(error)}`);
+            process.exit(1);
+        }
+    });
+    // Parse arguments
+    program.parse();
+    // Check if config or init command was executed (handle early to avoid loading config)
+    const command = program.args[0];
+    if (command === 'config' || command === 'init') {
+        // Config and init commands handle their own execution, so we're done here
+        return;
+    }
+    // Get parsed options
+    const opts = program.opts();
+    // Configure logger
+    if (opts.debug) {
+        logger_1.Logger.setLevel('debug');
+    }
+    else if (opts.verbose) {
+        logger_1.Logger.setLevel('info');
+    }
+    else {
+        logger_1.Logger.setLevel('info');
+    }
+    if (opts.noColor) {
+        logger_1.Logger.setColor(false);
+    }
+    // If no terraform command specified, show help
+    const terraformArgs = program.args;
+    if (terraformArgs.length === 0) {
+        program.help();
+        return;
+    }
+    // Load configuration
+    let config;
+    try {
+        config = await config_1.ConfigManager.load(opts);
+        logger_1.Logger.debug('Configuration loaded successfully');
+    }
+    catch (error) {
+        logger_1.Logger.error(`Failed to load configuration: ${error instanceof Error ? error.message : String(error)}`);
+        process.exit(1);
+    }
+    // Update logger level from config if set
+    if (config.logging?.level) {
+        logger_1.Logger.setLevel(config.logging.level);
+    }
+    // Build execution context
+    let context;
+    try {
+        context = await context_1.ContextBuilder.build(config);
+        logger_1.Logger.debug(`Execution context built for workspace: ${context.workspace}`);
+    }
+    catch (error) {
+        logger_1.Logger.error(`Failed to build execution context: ${error instanceof Error ? error.message : String(error)}`);
+        process.exit(1);
+    }
+    // Validations are now run inside TerraformExecutor.execute()
+    // along with environment setup and plugin execution
+    // Execute terraform command
+    try {
+        const terraformCommand = terraformArgs[0] || '';
+        const terraformCommandArgs = terraformArgs.slice(1);
+        await terraform_1.TerraformExecutor.execute(terraformCommand, terraformCommandArgs, config, context, {
+            skipCommitCheck: opts.skipCommitCheck || config['skip-commit-check'] || false,
+            dryRun: opts.dryRun || false,
+        });
+    }
+    catch (error) {
+        logger_1.Logger.error(`Execution failed: ${error instanceof Error ? error.message : String(error)}`);
+        process.exit(1);
+    }
+}
+// Run main
+main().catch((error) => {
+    logger_1.Logger.error(`Unhandled error: ${error instanceof Error ? error.message : String(error)}`);
+    if (error instanceof Error && error.stack) {
+        logger_1.Logger.debug(error.stack);
+    }
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/plugins/auth/aws-assume-role.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS assume role auth plugin
+ * Assumes an AWS IAM role and returns temporary credentials
+ */
+import type { AuthPlugin } from '../../types';
+/**
+ * AWS assume role authentication plugin
+ */
+export declare const awsAssumeRole: AuthPlugin;
+//# sourceMappingURL=aws-assume-role.d.ts.map

package/dist/plugins/auth/aws-assume-role.js

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * AWS assume role auth plugin
+ * Assumes an AWS IAM role and returns temporary credentials
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsAssumeRole = void 0;
+const client_sts_1 = require("@aws-sdk/client-sts");
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * AWS IAM Role ARN format validation
+ * Format: arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9+=,.@_-]+
+ */
+const IAM_ROLE_ARN_REGEX = /^arn:aws:iam::\d{12}:role\/[a-zA-Z0-9+=,.@_-]+$/;
+/**
+ * AWS assume role authentication plugin
+ */
+exports.awsAssumeRole = {
+    name: 'aws-assume-role',
+    /**
+     * Validate AWS assume role configuration
+     * @param config - Auth configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.assume_role) {
+            throw new errors_1.ConfigError('AWS assume role configuration is required');
+        }
+        const assumeRoleConfig = config.assume_role;
+        // role_arn is required
+        if (!assumeRoleConfig.role_arn) {
+            throw new errors_1.ConfigError('AWS assume role requires "role_arn" configuration');
+        }
+        // Validate role_arn format
+        if (!IAM_ROLE_ARN_REGEX.test(assumeRoleConfig.role_arn)) {
+            throw new errors_1.ConfigError(`Invalid role_arn format: ${assumeRoleConfig.role_arn}. Expected format: arn:aws:iam::123456789012:role/RoleName`);
+        }
+        // Validate duration if provided (must be between 900 and 43200 seconds)
+        if (assumeRoleConfig.duration !== undefined) {
+            if (assumeRoleConfig.duration < 900 || assumeRoleConfig.duration > 43200) {
+                throw new errors_1.ConfigError(`Invalid duration: ${assumeRoleConfig.duration}. Duration must be between 900 and 43200 seconds (15 minutes to 12 hours)`);
+            }
+        }
+    },
+    /**
+     * Authenticate by assuming an AWS IAM role
+     * Returns temporary credentials as environment variables
+     * @param config - Auth configuration
+     * @param context - Execution context
+     * @returns Temporary credentials as environment variables
+     */
+    authenticate: async (config, context) => {
+        if (!config.assume_role) {
+            throw new errors_1.ConfigError('AWS assume role configuration is required');
+        }
+        const assumeRoleConfig = config.assume_role;
+        const roleArn = assumeRoleConfig.role_arn;
+        const sessionName = assumeRoleConfig.session_name || 'terraflow-session';
+        const durationSeconds = assumeRoleConfig.duration || 3600;
+        try {
+            logger_1.Logger.debug(`Assuming AWS IAM role: ${roleArn}`);
+            // Create STS client
+            const stsClient = new client_sts_1.STSClient({
+                region: context.cloud.awsRegion || process.env.AWS_REGION || 'us-east-1',
+            });
+            // Call AssumeRole
+            const command = new client_sts_1.AssumeRoleCommand({
+                RoleArn: roleArn,
+                RoleSessionName: sessionName,
+                DurationSeconds: durationSeconds,
+            });
+            const response = await stsClient.send(command);
+            if (!response.Credentials) {
+                throw new Error('AssumeRole response did not contain credentials');
+            }
+            const credentials = response.Credentials;
+            // Return credentials as environment variables
+            const envVars = {
+                AWS_ACCESS_KEY_ID: credentials.AccessKeyId || '',
+                AWS_SECRET_ACCESS_KEY: credentials.SecretAccessKey || '',
+                AWS_SESSION_TOKEN: credentials.SessionToken || '',
+            };
+            // Set expiration time if available (optional, for information)
+            if (credentials.Expiration) {
+                logger_1.Logger.debug(`Credentials expire at: ${credentials.Expiration.toISOString()}`);
+            }
+            logger_1.Logger.info(`✅ Successfully assumed role: ${roleArn}`);
+            return envVars;
+        }
+        catch (error) {
+            // Handle specific AWS errors
+            if (error instanceof Error) {
+                if (error.name === 'AccessDenied' || error.message.includes('AccessDenied')) {
+                    throw new errors_1.ConfigError(`Access denied when assuming role ${roleArn}. Ensure your AWS credentials have permission to assume this role.`);
+                }
+                if (error.message.includes('NoSuchEntity')) {
+                    throw new errors_1.ConfigError(`Role ${roleArn} does not exist.`);
+                }
+                if (error.message.includes('MalformedPolicyDocument')) {
+                    throw new errors_1.ConfigError(`Invalid role configuration for ${roleArn}. Check the role's trust policy.`);
+                }
+                // Generic error handling
+                throw new errors_1.ConfigError(`Failed to assume role ${roleArn}: ${error.message}. Ensure you have valid AWS credentials and permissions.`);
+            }
+            throw new errors_1.ConfigError(`Failed to assume role ${roleArn}: ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=aws-assume-role.js.map

package/dist/plugins/auth/azure-service-principal.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Azure service principal auth plugin
+ * Authenticates using Azure service principal and returns ARM_* environment variables
+ */
+import type { AuthPlugin } from '../../types';
+/**
+ * Azure service principal authentication plugin
+ */
+export declare const azureServicePrincipal: AuthPlugin;
+//# sourceMappingURL=azure-service-principal.d.ts.map

package/dist/plugins/auth/azure-service-principal.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Azure service principal auth plugin
+ * Authenticates using Azure service principal and returns ARM_* environment variables
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.azureServicePrincipal = void 0;
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * Azure service principal authentication plugin
+ */
+exports.azureServicePrincipal = {
+    name: 'azure-service-principal',
+    /**
+     * Validate Azure service principal configuration
+     * @param config - Auth configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.service_principal) {
+            throw new errors_1.ConfigError('Azure service principal configuration is required');
+        }
+        const spConfig = config.service_principal;
+        // client_id is required
+        if (!spConfig.client_id) {
+            throw new errors_1.ConfigError('Azure service principal requires "client_id" configuration');
+        }
+        // tenant_id is required
+        if (!spConfig.tenant_id) {
+            throw new errors_1.ConfigError('Azure service principal requires "tenant_id" configuration');
+        }
+        // client_secret is optional if using managed identity or certificate
+        // But if provided, it should not be empty
+        if (spConfig.client_secret !== undefined && !spConfig.client_secret) {
+            throw new errors_1.ConfigError('Azure service principal "client_secret" cannot be empty if provided');
+        }
+    },
+    /**
+     * Authenticate using Azure service principal
+     * Returns ARM_* environment variables for Terraform Azure provider
+     * @param config - Auth configuration
+     * @param context - Execution context
+     * @returns Environment variables for Azure authentication
+     */
+    authenticate: async (config, context) => {
+        if (!config.service_principal) {
+            throw new errors_1.ConfigError('Azure service principal configuration is required');
+        }
+        const spConfig = config.service_principal;
+        const clientId = spConfig.client_id;
+        const tenantId = spConfig.tenant_id;
+        const clientSecret = spConfig.client_secret;
+        try {
+            // Validate credentials using Azure CLI (if client_secret is provided)
+            if (clientSecret) {
+                logger_1.Logger.debug(`Validating Azure service principal: ${clientId}`);
+                // Note: We can't easily validate credentials without making an actual API call
+                // The validation will happen when Terraform tries to use these credentials
+                // For now, we just validate that the values are provided
+                if (!clientId || !tenantId || !clientSecret) {
+                    throw new errors_1.ConfigError('Azure service principal requires client_id, tenant_id, and client_secret');
+                }
+            }
+            else {
+                // No client_secret provided - assume using managed identity or certificate
+                logger_1.Logger.debug(`Azure service principal configured without client_secret. Assuming managed identity or certificate authentication.`);
+            }
+            // Build environment variables for Terraform Azure provider
+            const envVars = {
+                ARM_CLIENT_ID: clientId,
+                ARM_TENANT_ID: tenantId,
+            };
+            // Add subscription ID if available from context
+            if (context.cloud.azureSubscriptionId) {
+                envVars.ARM_SUBSCRIPTION_ID = context.cloud.azureSubscriptionId;
+            }
+            else if (process.env.ARM_SUBSCRIPTION_ID) {
+                envVars.ARM_SUBSCRIPTION_ID = process.env.ARM_SUBSCRIPTION_ID;
+            }
+            // Add client_secret if provided
+            if (clientSecret) {
+                envVars.ARM_CLIENT_SECRET = clientSecret;
+            }
+            logger_1.Logger.info(`✅ Successfully authenticated Azure service principal: ${clientId}`);
+            return envVars;
+        }
+        catch (error) {
+            if (error instanceof errors_1.ConfigError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new errors_1.ConfigError(`Failed to authenticate Azure service principal: ${error.message}. Ensure client_id, tenant_id, and client_secret (if required) are correct.`);
+            }
+            throw new errors_1.ConfigError(`Failed to authenticate Azure service principal: ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=azure-service-principal.js.map

package/dist/plugins/auth/gcp-service-account.d.ts

@@ -0,0 +1,10 @@
+/**
+ * GCP service account auth plugin
+ * Authenticates using GCP service account key file and returns GCP credentials environment variables
+ */
+import type { AuthPlugin } from '../../types';
+/**
+ * GCP service account authentication plugin
+ */
+export declare const gcpServiceAccount: AuthPlugin;
+//# sourceMappingURL=gcp-service-account.d.ts.map

package/dist/plugins/auth/gcp-service-account.js

@@ -0,0 +1,105 @@
+"use strict";
+/**
+ * GCP service account auth plugin
+ * Authenticates using GCP service account key file and returns GCP credentials environment variables
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gcpServiceAccount = void 0;
+const fs_1 = require("fs");
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * GCP service account authentication plugin
+ */
+exports.gcpServiceAccount = {
+    name: 'gcp-service-account',
+    /**
+     * Validate GCP service account configuration
+     * @param config - Auth configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.service_account) {
+            throw new errors_1.ConfigError('GCP service account configuration is required');
+        }
+        const saConfig = config.service_account;
+        // key_file is required
+        if (!saConfig.key_file) {
+            throw new errors_1.ConfigError('GCP service account requires "key_file" configuration');
+        }
+        // Check if key file exists
+        if (!(0, fs_1.existsSync)(saConfig.key_file)) {
+            throw new errors_1.ConfigError(`GCP service account key file does not exist: ${saConfig.key_file}`);
+        }
+        // Try to read and parse the key file to validate it's valid JSON
+        try {
+            const keyFileContent = (0, fs_1.readFileSync)(saConfig.key_file, 'utf8');
+            const keyData = JSON.parse(keyFileContent);
+            // Validate it's a service account key file
+            if (!keyData.type || keyData.type !== 'service_account') {
+                throw new errors_1.ConfigError(`Invalid GCP service account key file: ${saConfig.key_file}. Expected type "service_account".`);
+            }
+            if (!keyData.project_id) {
+                logger_1.Logger.warn(`GCP service account key file "${saConfig.key_file}" does not contain project_id. Project ID will need to be set via GCLOUD_PROJECT environment variable.`);
+            }
+        }
+        catch (error) {
+            if (error instanceof errors_1.ConfigError) {
+                throw error;
+            }
+            if (error instanceof SyntaxError) {
+                throw new errors_1.ConfigError(`GCP service account key file "${saConfig.key_file}" is not valid JSON: ${error.message}`);
+            }
+            throw new errors_1.ConfigError(`Failed to read GCP service account key file "${saConfig.key_file}": ${error instanceof Error ? error.message : String(error)}`);
+        }
+    },
+    /**
+     * Authenticate using GCP service account key file
+     * Returns GCP credentials environment variables
+     * @param config - Auth configuration
+     * @param context - Execution context
+     * @returns Environment variables for GCP authentication
+     */
+    authenticate: async (config, context) => {
+        if (!config.service_account) {
+            throw new errors_1.ConfigError('GCP service account configuration is required');
+        }
+        const saConfig = config.service_account;
+        const keyFilePath = saConfig.key_file;
+        try {
+            // Read and parse key file
+            const keyFileContent = (0, fs_1.readFileSync)(keyFilePath, 'utf8');
+            const keyData = JSON.parse(keyFileContent);
+            // Build environment variables for GCP authentication
+            const envVars = {
+                GOOGLE_APPLICATION_CREDENTIALS: keyFilePath,
+            };
+            // Add project ID from key file, context, or leave undefined (GCP SDK will use default)
+            const projectId = keyData.project_id ||
+                context.cloud.gcpProjectId ||
+                process.env.GCLOUD_PROJECT ||
+                process.env.GCP_PROJECT ||
+                process.env.GOOGLE_CLOUD_PROJECT;
+            if (projectId) {
+                envVars.GCLOUD_PROJECT = projectId;
+                envVars.GCP_PROJECT = projectId;
+                envVars.GOOGLE_CLOUD_PROJECT = projectId;
+            }
+            logger_1.Logger.info(`✅ Successfully configured GCP service account from: ${keyFilePath}`);
+            return envVars;
+        }
+        catch (error) {
+            if (error instanceof errors_1.ConfigError) {
+                throw error;
+            }
+            if (error instanceof SyntaxError) {
+                throw new errors_1.ConfigError(`GCP service account key file "${keyFilePath}" is not valid JSON: ${error.message}`);
+            }
+            if (error instanceof Error) {
+                throw new errors_1.ConfigError(`Failed to read GCP service account key file "${keyFilePath}": ${error.message}`);
+            }
+            throw new errors_1.ConfigError(`Failed to read GCP service account key file "${keyFilePath}": ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=gcp-service-account.js.map

package/dist/plugins/backends/azurerm.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Azure RM backend plugin
+ * Handles Azure Resource Manager Terraform state backend
+ */
+import type { BackendPlugin } from '../../types';
+/**
+ * Azure RM backend plugin
+ */
+export declare const azurermBackend: BackendPlugin;
+//# sourceMappingURL=azurerm.d.ts.map

package/dist/plugins/backends/azurerm.js

@@ -0,0 +1,117 @@
+"use strict";
+/**
+ * Azure RM backend plugin
+ * Handles Azure Resource Manager Terraform state backend
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.azurermBackend = void 0;
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+const templates_1 = require("../../utils/templates");
+/**
+ * Azure RM backend plugin
+ */
+exports.azurermBackend = {
+    name: 'azurerm',
+    /**
+     * Validate Azure RM backend configuration
+     * @param config - Backend configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('Azure RM backend requires configuration');
+        }
+        const azureConfig = config.config;
+        // Required fields
+        if (!azureConfig.storage_account_name) {
+            throw new errors_1.ConfigError('Azure RM backend requires "storage_account_name" configuration');
+        }
+        if (!azureConfig.container_name) {
+            throw new errors_1.ConfigError('Azure RM backend requires "container_name" configuration');
+        }
+        if (!azureConfig.key) {
+            throw new errors_1.ConfigError('Azure RM backend requires "key" configuration');
+        }
+    },
+    /**
+     * Generate Terraform backend configuration arguments
+     * @param config - Backend configuration
+     * @param context - Execution context (for template variable resolution)
+     * @returns Array of -backend-config arguments for terraform init
+     */
+    getBackendConfig: async (config, context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('Azure RM backend requires configuration');
+        }
+        // Build template context from execution context
+        const templateVars = {
+            ...context.templateVars,
+        };
+        // Add cloud-specific variables
+        if (context.cloud.azureSubscriptionId) {
+            templateVars.AZURE_SUBSCRIPTION_ID = context.cloud.azureSubscriptionId;
+        }
+        if (context.cloud.azureTenantId) {
+            templateVars.AZURE_TENANT_ID = context.cloud.azureTenantId;
+        }
+        // Resolve template variables in config
+        const resolvedConfig = templates_1.TemplateUtils.resolveObject(config.config, templateVars);
+        const azureConfig = resolvedConfig;
+        // Build backend-config arguments
+        const backendArgs = [];
+        // Required fields
+        backendArgs.push(`-backend-config=storage_account_name=${azureConfig.storage_account_name}`);
+        backendArgs.push(`-backend-config=container_name=${azureConfig.container_name}`);
+        backendArgs.push(`-backend-config=key=${azureConfig.key}`);
+        // Optional fields
+        if (azureConfig.resource_group_name) {
+            backendArgs.push(`-backend-config=resource_group_name=${azureConfig.resource_group_name}`);
+        }
+        if (azureConfig.subscription_id) {
+            backendArgs.push(`-backend-config=subscription_id=${azureConfig.subscription_id}`);
+        }
+        if (azureConfig.tenant_id) {
+            backendArgs.push(`-backend-config=tenant_id=${azureConfig.tenant_id}`);
+        }
+        if (azureConfig.client_id) {
+            backendArgs.push(`-backend-config=client_id=${azureConfig.client_id}`);
+        }
+        if (azureConfig.client_secret) {
+            backendArgs.push(`-backend-config=client_secret=${azureConfig.client_secret}`);
+        }
+        if (azureConfig.client_certificate_path) {
+            backendArgs.push(`-backend-config=client_certificate_path=${azureConfig.client_certificate_path}`);
+        }
+        if (azureConfig.client_certificate_password) {
+            backendArgs.push(`-backend-config=client_certificate_password=${azureConfig.client_certificate_password}`);
+        }
+        if (azureConfig.use_msi !== undefined) {
+            backendArgs.push(`-backend-config=use_msi=${azureConfig.use_msi}`);
+        }
+        if (azureConfig.msi_endpoint) {
+            backendArgs.push(`-backend-config=msi_endpoint=${azureConfig.msi_endpoint}`);
+        }
+        if (azureConfig.environment) {
+            backendArgs.push(`-backend-config=environment=${azureConfig.environment}`);
+        }
+        if (azureConfig.endpoint) {
+            backendArgs.push(`-backend-config=endpoint=${azureConfig.endpoint}`);
+        }
+        if (azureConfig.sas_token) {
+            backendArgs.push(`-backend-config=sas_token=${azureConfig.sas_token}`);
+        }
+        if (azureConfig.access_key) {
+            backendArgs.push(`-backend-config=access_key=${azureConfig.access_key}`);
+        }
+        if (azureConfig.snapshot !== undefined) {
+            backendArgs.push(`-backend-config=snapshot=${azureConfig.snapshot}`);
+        }
+        if (azureConfig.encryption !== undefined) {
+            backendArgs.push(`-backend-config=encryption=${azureConfig.encryption}`);
+        }
+        logger_1.Logger.debug(`Generated ${backendArgs.length} backend-config arguments for Azure RM backend`);
+        return backendArgs;
+    },
+};
+//# sourceMappingURL=azurerm.js.map

package/dist/plugins/backends/gcs.d.ts

@@ -0,0 +1,10 @@
+/**
+ * GCS backend plugin
+ * Handles Google Cloud Storage Terraform state backend
+ */
+import type { BackendPlugin } from '../../types';
+/**
+ * GCS backend plugin
+ */
+export declare const gcsBackend: BackendPlugin;
+//# sourceMappingURL=gcs.d.ts.map