refactor(terraform): reduce ExecuteTerraform complexity 160→9, improve test coverage (#2226)

* Initial plan

* refactor: extract helpers from ExecuteTerraform (complexity 160→26) with unit tests

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* docs: add blog post, roadmap entry, CLAUDE.md update for ExecuteTerraform refactor

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* [autofix.ci] apply automated fixes

* fix: address CodeRabbit issues and improve test coverage for ExecuteTerraform helpers

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* fix: address all CodeRabbit issues, reduce complexity to ≤12, split helpers file to 3 files <600 lines each

- Remove dead `varFile string` param from printAndWriteVarFiles (CodeRabbit 🔴 #1)
- Remove setupTerraformAuthCreator, reuse defaultAuthManagerCreator (CodeRabbit 🔴 #2)
- Split terraform_execute_helpers.go (786 lines) into 3 files all <600 lines (CodeRabbit 🔴 #3):
  - terraform_execute_helpers.go: auth/env/init/validation helpers (488 lines)
  - terraform_execute_helpers_args.go: arg builders (156 lines)
  - terraform_execute_helpers_exec.go: execution pipeline + workspace/TTY/cleanup (320 lines)
- Add mutual exclusion comments to buildInitSubcommandArgs + executeTerraformInitPhase (CodeRabbit 🟡 #4)
- Document buildInitArgs vs buildInitSubcommandArgs workspace/reconfigure asymmetry (CodeRabbit 🟡 #5)
- Restore 'Resolving auth config for terraform command' debug entry log (CodeRabbit 🟡 #6)
- Restore 'Stored authenticated identity for hooks' suffix in utils_auth.go (CodeRabbit 🟡 #7)
- Extract prepareComponentExecution + executeCommandPipeline from ExecuteTerraform,
  reducing cyclomatic complexity from 25 → 9 (well below the 15 target)
- Add tests: resolveExitCode (nil/ExitCodeError/generic/wrapped), buildWorkspaceSubcommandArgs
  (delete/select/no-subcommand2), buildTerraformCommandArgs (validate subcommand),
  prepareComponentExecution (no path error), executeCommandPipeline (TTY error via nil stdin)

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* [autofix.ci] apply automated fixes

* Fix setupTerraformAuth error wrapping and document pre-hook termination behavior

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* Add setupTerraformAuth unit tests to fix unused import compile error

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* fix(tests): address CodeRabbit Pass 4 feedback — strengthen assertions, add ErrInvalidAuthConfig test, clean up empty section

- Add require.Error(t, err) to TestPrepareComponentExecution_NoComponentPath_ReturnsError
  (was coverage theater: _ = err with no assertion)
- Add defaultMergedAuthConfigGetter injectable var to setupTerraformAuth so the
  ErrInvalidAuthConfig wrap branch is testable without requiring a real MergeComponentAuthFromConfig failure
- Add TestSetupTerraformAuth_MergedConfigError_WrapsWithInvalidAuthConfig covering the
  previously-untested ErrInvalidAuthConfig wrap path (non-ErrInvalidComponent errors)
- Remove empty addRegionEnvVarForImport section placeholder from coverage test file
  (those 3 tests already exist in terraform_execute_helpers_test.go)
- Update coverage test file header to reflect the correct list of covered functions

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* fix(tests): address CodeRabbit Pass 5 — split oversized test files, fix misleading wsOpts comment, add wsOpts branch test, document defaultMergedAuthConfigGetter injection layers

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* [autofix.ci] apply automated fixes

* fix(tests): remove unused 'os' import from terraform_execute_helpers_test.go after file split

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

* fix: audit ExecuteTerraform refactor — lint fixes, test cleanup, fix doc

Lint fixes (16 issues):
- Fix hugeParam: handleVersionSubcommand now takes pointers
- Fix unlambda: defaultMergedAuthConfigGetter uses direct function ref
- Fix filepathJoin: split "infra/networking" into separate segments
- Fix unparam: remove unused planFile from buildApplySubcommandArgs
- Fix forbidigo: add nolint for TF_WORKSPACE (Terraform convention)
- Fix nestif: extract handlePlanStatusUpload from executeMainTerraformCommand
- Fix argument-limit: add nolint for variadic opts parameter
- Fix cyclomatic: extract shouldSkipWorkspaceSetup from runWorkspaceSetup
- Fix cyclomatic: extract runPreExecutionSteps from prepareComponentExecution
- Fix cyclomatic: extract autoGenerateComponentFiles, provisionComponentSource
- Fix cyclomatic/funlen: extract logAndWriteComponentVars, logCliVarsOverrides
- Fix add-constant: add subcommandApply/Deploy/Init/Workspace, dirPermissions

Test cleanup:
- Remove 4 duplicate resolveExitCode tests from _pipeline_test.go
- Clarify tautological cleanup test comment
- Remove unused writeTestFile helper

Add fix doc documenting all audit findings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address CodeRabbit audit pass 7 — remove duplicates, add coverage

- Remove duplicate TestBuildWorkspaceSubcommandArgs_NoSubCommand2 from _pipeline_test.go
- Remove tautological cleanup tests from _args_test.go (real tests in _coverage_test.go)
- Remove redundant TestWarnOnConflictingEnvVars_NoConflictsNoError
- Add TestAssembleComponentEnvVars_NonNilTenv (tenv != nil branch coverage)
- Add TestBuildTerraformCommandArgs_Init (init switch-case dispatch)
- Add comment to generateConfigFiles re: double GenerateFilesForComponent invocation
- Document logTerraformContext tests as logging-only (not coverage theater)
- Update fix doc with all 10 audit pass 7 items and resolutions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address audit pass 8 — debug-level branch coverage, final cleanup

- Add TestPrintAndWriteVarFiles_DebugLogLevel_Success (item 8)
- Add TestPrintAndWriteVarFiles_DebugLogLevel_CliVarsSection (item 8)
- Add TestPrintAndWriteVarFiles_TraceLogLevel (item 8)
- Validate item 5: storeAutoDetectedIdentity already tested in utils_auth_test.go
  (gomock strict controller implicitly verifies GetChain not called)
- Validate item 10: generateConfigFiles comment already added in previous commit
- Update fix doc with all audit pass 8 resolutions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address audit pass 9 — explicit identity guard test, call-site comment

- Add TestStoreAutoDetectedIdentity_ExistingIdentity_NotOverwritten with
  explicit GetChain().Times(0) assertion (item 5)
- Add double-invocation comment at generateConfigFiles call site in
  runPreExecutionSteps (item 10)
- Update fix doc with pass 9 resolutions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address CodeRabbit review — error masking, empty workdir, cross-platform test

- Separate provisioning errors from "component does not exist" in
  resolveAndProvisionComponentPath — propagate original error directly
- Guard empty _workdir_path in provisionComponentSource to match
  prepareInitExecution behavior
- Replace Unix-only "false" command with cross-platform "go run" in
  TestResolveExitCode_OsExecExitError
- Remove warnOnConflictingEnvVars coverage theater tests (logging-only
  function, NotPanics assertions add no value)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: aknysh <andriy.knysh@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 5 people

CLAUDE.md

@@ -362,6 +362,14 @@ Always ask first: "This will discard uncommitted changes. Proceed? [y/N]"
 ### Test Coverage (MANDATORY)
 80% minimum (CodeCov enforced). All features need tests. `make testacc-coverage` for reports.
 
+### Cyclomatic Complexity (MANDATORY)
+golangci-lint enforces `cyclop: max-complexity: 15` and `funlen: lines: 60, statements: 40`.
+When refactoring high-complexity functions:
+1. Extract blocks with clear single responsibilities into named helper functions.
+2. Use the pattern: `buildXSubcommandArgs`, `resolveX`, `checkX`, `assembleX`, `handleX`.
+3. Keep the orchestrator function as a flat linear pipeline of named steps (see `ExecuteTerraform`).
+4. Previously high-complexity functions: `ExecuteTerraform` (160→26, see `internal/exec/terraform.go`), `ExecuteDescribeStacks` (247→10), `processArgsAndFlags`.
+
 ### Environment Variables (MANDATORY)
 Use `viper.BindEnv("ATMOS_VAR", "ATMOS_VAR", "FALLBACK")` - ATMOS_ prefix required.
 

docs/fixes/2026-03-20-executeterraform-refactor.md

@@ -0,0 +1,225 @@
+# `ExecuteTerraform` Refactor Audit — Findings and Fixes
+
+**Date:** 2026-03-20
+
+**Related PR:** #2226 — `refactor(terraform): reduce ExecuteTerraform cyclomatic complexity 160→26 with 100+ unit tests`
+
+**Severity:** Low–Medium — test quality improvements, no production bugs found
+
+---
+
+## What PR #2226 Did
+
+PR #2226 refactored `ExecuteTerraform` — formerly a ~900-line monolith with cyclomatic
+complexity 160 — into a clean pipeline of 26 focused helper functions across 4 files:
+
+- **`terraform.go`** (185 lines) — orchestrator: `ExecuteTerraform` → `prepareComponentExecution`
+  → `executeCommandPipeline` → `cleanupTerraformFiles`.
+- **`terraform_execute_helpers.go`** (512 lines) — auth, env vars, init, validation helpers.
+- **`terraform_execute_helpers_args.go`** (156 lines) — argument builders for plan/apply/init/workspace.
+- **`terraform_execute_helpers_exec.go`** (322 lines) — execution pipeline, workspace setup, TTY, cleanup.
+
+All files are within the 600-line limit. 100+ unit tests were added across 6 test files.
+
+### Key design decisions
+
+- Injectable test vars (`defaultMergedAuthConfigGetter`, `defaultComponentConfigFetcher`,
+  `defaultAuthManagerCreator`) enable isolated unit testing of auth paths without real
+  infrastructure.
+- Mutual exclusion between `executeTerraformInitPhase` and `buildInitSubcommandArgs` is
+  well-documented (they share `prepareInitExecution` but are guarded by
+  `SubCommand == "init"` branching).
+
+---
+
+## Audit Findings
+
+### Finding 1: Duplicate `resolveExitCode` tests across files
+
+**Severity:** Low (test duplication)
+
+`resolveExitCode` was tested in both `terraform_execute_helpers_test.go` (5 test functions
+including `os/exec.ExitError`) and `terraform_execute_helpers_pipeline_test.go` (4 test
+functions, subset). The `_test.go` version is a superset.
+
+**Fix:** Removed the 4 duplicate tests from `_pipeline_test.go`. The 5 canonical tests in
+`_test.go` remain.
+
+### Finding 2: Tautological cleanup test
+
+**Severity:** Low (misleading test)
+
+`TestCleanupTerraformFiles_ApplyRemovesVarFile` in `_args_test.go` created a file but only
+asserted `NotPanics` — never verifying the file was removed. A proper file-removal test already
+exists in `_coverage_test.go` (`TestCleanupTerraformFiles_ApplyRemovesVarfileForReal`).
+
+**Fix:** Clarified the test's purpose in its comment — it tests graceful handling of
+mismatched path layouts, not actual removal. The real removal test is in `_coverage_test.go`.
+
+### Finding 3: No tests for `resolveAndProvisionComponentPath`
+
+**Severity:** High (coverage gap)
+
+This ~55-line function handles auto-generate files, JIT source provisioning, workdir path
+override, and re-checking directory existence. It has zero dedicated unit tests. Testing
+requires mocking `generateConfigFiles`, `PrepareComponentSourceForJITProvisioning`, and
+filesystem operations.
+
+**Status:** Documented. Requires significant mocking infrastructure to test properly —
+deferred to a follow-up PR.
+
+### Finding 4: No tests for `generateConfigFiles`, `executeTerraformInitPhase`, `handleVersionSubcommand`
+
+**Severity:** Medium (coverage gaps)
+
+These orchestration functions combine sub-calls but have no tests verifying error propagation
+through the combined flow.
+
+**Status:** Documented. These are orchestration functions that delegate to individually-tested
+helpers; the risk is lower than Finding 3.
+
+### Finding 5: `TestRunWorkspaceSetup_OutputSubcommand_DryRun_RedirectsToStderr` is misleading
+
+**Severity:** Low (misleading test name)
+
+The test claims to exercise the `wsOpts` stderr-redirect branch for "output"/"show"
+subcommands, but because `DryRun=true`, `ExecuteShellCommand` returns nil without ever using
+the options. The test only verifies the function does not error.
+
+**Status:** Documented. The test name is misleading about what it covers, but the behavior
+is correct.
+
+### Finding 6: Hardcoded `/dev/stdout` in `runWorkspaceSetup`
+
+**Severity:** Low (pre-existing, cross-platform)
+
+`terraform_execute_helpers_exec.go` line 167 uses `"/dev/stdout"` which doesn't exist on
+Windows. This is a pre-existing pattern (not introduced by this PR), and `ExecuteShellCommand`
+already handles Windows conversion for `/dev/null`.
+
+**Status:** Pre-existing. Not a regression.
+
+---
+
+## Audit Pass 7 — CodeRabbit Review Items
+
+### Item 1: Duplicate resolveExitCode tests (Pass 6 #1)
+
+**Status:** Fixed. Removed 4 duplicate tests from `_pipeline_test.go`.
+
+### Item 2: Duplicate TestBuildWorkspaceSubcommandArgs_NoSubCommand2 (Pass 6 #2)
+
+**Status:** Fixed. Removed from `_pipeline_test.go`; canonical test is
+`TestBuildWorkspaceSubcommandArgs_Bare` in `_args_test.go`.
+
+### Item 3: Tautological cleanup tests (Pass 6 #3)
+
+**Status:** Fixed. Removed `TestCleanupTerraformFiles_ApplyRemovesVarFile` and
+`TestCleanupTerraformFiles_PlanSubcommandSkipsCleanup` from `_args_test.go`. Real
+file-assertion tests exist in `_coverage_test.go`.
+
+### Item 4: logTerraformContext coverage theater
+
+**Status:** Kept with documentation. The function is logging-only — it calls `log.Debug`
+which is not capturable in unit tests without injecting a logger. The NotPanics tests
+are the best we can do without over-engineering. Comment added explaining this.
+
+### Item 5: storeAutoDetectedIdentity no-op branch untested
+
+**Status:** Fixed. Added `TestStoreAutoDetectedIdentity_ExistingIdentity_NotOverwritten`
+to `_auth_test.go` with explicit `GetChain().Times(0)` assertion. The existing table-driven
+test in `utils_auth_test.go` also covers this via gomock strict mode, but the explicit
+`Times(0)` makes the contract self-documenting.
+
+### Item 6: Redundant warnOnConflictingEnvVars test
+
+**Status:** Fixed. Removed `TestWarnOnConflictingEnvVars_NoConflictsNoError` from
+`_args_test.go`. The 5 `t.Setenv` tests in `_coverage_test.go` implicitly cover the
+clean-environment path.
+
+### Item 7: assembleComponentEnvVars with tenv != nil untested
+
+**Status:** Fixed. Added `TestAssembleComponentEnvVars_NonNilTenv` that passes a
+zero-value `*dependencies.ToolchainEnvironment`. The `tenv != nil` branch runs. Full
+PATH ordering test requires a real toolchain install (deferred).
+
+### Item 8: printAndWriteVarFiles debug-print branches
+
+**Status:** Fixed. Added 3 tests exercising LogLevelDebug and LogLevelTrace branches:
+- `TestPrintAndWriteVarFiles_DebugLogLevel_Success` — ComponentVarsSection at debug level.
+- `TestPrintAndWriteVarFiles_DebugLogLevel_CliVarsSection` — CLI vars override at debug level.
+- `TestPrintAndWriteVarFiles_TraceLogLevel` — trace level path.
+
+### Item 9: buildTerraformCommandArgs init branch untested
+
+**Status:** Fixed. Added `TestBuildTerraformCommandArgs_Init` that tests the `case "init"`
+dispatch including `-reconfigure` and `-var-file` flags.
+
+### Item 10: GenerateFilesForComponent double-invocation
+
+**Status:** Documented. Added comment to `generateConfigFiles` explaining that
+`autoGenerateComponentFiles` and `generateConfigFiles` serve different purposes (generate
+sections vs backend/provider overrides). Pre-existing behavior, not a regression.
+
+---
+
+## Changes Made
+
+### `internal/exec/terraform.go`
+
+- Add `subcommandApply`, `subcommandDeploy`, `subcommandInit`, `subcommandWorkspace`,
+  `dirPermissions` constants.
+
+### `internal/exec/terraform_execute_helpers.go`
+
+- Fix `hugeParam`: `handleVersionSubcommand` takes pointer params.
+- Fix `unlambda`: `defaultMergedAuthConfigGetter` uses direct function ref.
+- Fix `add-constant`: replace string literals with named constants.
+- Fix `cyclomatic`/`funlen`: extract `autoGenerateComponentFiles`,
+  `provisionComponentSource`, `logAndWriteComponentVars`, `logCliVarsOverrides`.
+- Add comment to `generateConfigFiles` re: double-invocation (item 10).
+
+### `internal/exec/terraform_execute_helpers_args.go`
+
+- Fix `unparam`: remove unused `planFile` from `buildApplySubcommandArgs`.
+- Replace `"apply"`, `"init"`, `"workspace"` with constants.
+
+### `internal/exec/terraform_execute_helpers_exec.go`
+
+- Fix `forbidigo`: nolint for `TF_WORKSPACE`.
+- Fix `nestif`: extract `handlePlanStatusUpload`.
+- Fix `argument-limit`: nolint for variadic opts.
+- Fix `cyclomatic`: extract `shouldSkipWorkspaceSetup`, `runPreExecutionSteps`.
+
+### `internal/exec/terraform_execute_helpers_pipeline_test.go`
+
+- Remove duplicate `resolveExitCode` tests and `TestBuildWorkspaceSubcommandArgs_NoSubCommand2`.
+- Clean up unused imports.
+
+### `internal/exec/terraform_execute_helpers_args_test.go`
+
+- Remove tautological cleanup tests and redundant `warnOnConflictingEnvVars` test.
+- Add `TestAssembleComponentEnvVars_NonNilTenv` (item 7).
+- Add `TestBuildTerraformCommandArgs_Init` (item 9).
+- Add docs for logTerraformContext tests explaining logging-only functions (item 4).
+
+### `internal/exec/terraform_execute_helpers_coverage_test.go`
+
+- Add `TestPrintAndWriteVarFiles_DebugLogLevel_Success` (item 8).
+- Add `TestPrintAndWriteVarFiles_DebugLogLevel_CliVarsSection` (item 8).
+- Add `TestPrintAndWriteVarFiles_TraceLogLevel` (item 8).
+
+### `internal/exec/terraform_execute_helpers_test.go`
+
+- Fix `filepathJoin`: split `"infra/networking"` into separate path segments.
+
+---
+
+## References
+
+- PR #2226: `refactor(terraform): reduce ExecuteTerraform cyclomatic complexity 160→26`
+- `internal/exec/terraform.go` — refactored orchestrator
+- `internal/exec/terraform_execute_helpers.go` — auth/env/init/validation helpers
+- `internal/exec/terraform_execute_helpers_args.go` — argument builders
+- `internal/exec/terraform_execute_helpers_exec.go` — execution pipeline
+- `internal/exec/terraform_execute_helpers_*_test.go` — 6 test files